January 5, 2015

Mobile apps leaking data through ad networks

‘Cross application’ data sharing makes users vulnerable, says MWR InfoSecurity.

By Jimmy Nicholls

Free mobile apps that use third-party advertising code are putting users in danger of being hacked, according to MWR InfoSecurity.

The firm found that ad network code inherits the permissions of the free apps it is embedded in, which would expose the address books, text messages and emails of potential victims if the network were compromised by hackers.

Robert Miller, a senior security researcher at MWR, said: "Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS."

"However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes."

He added that hackers were "highly likely" to steal information if they took advantage of the "cross application" data vulnerability, and that the flaw could be used to track a person’s location using GPS, make phone calls and turn on the microphone or camera on a smartphone.

"Consumers need to understand the ecosystem of mobile applications. Free apps are supported by ad networks that trade in data," Miller added.

"While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network."

He added that advertisers should take more responsibility for security, while users should read permissions that apps request before downloading and installing them.

"Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app," he said.
