Mobile ad libraries create major risk for enterprise data
by Ryan Smith - Lead Threat Engineer at Mojave Networks - Monday, 2 June 2014.
Every day at Mojave Threat Labs, our research team analyzes thousands of mobile apps using more than 200 individual risk factors. One of the key risk factors that we track is private data or personally identifiable information (PII) that is collected and sent to remote web APIs. This may include the user's name, phone number, email address, location, applications they have installed, phone call history, contact list, and much more.

On average, corporate employees and mobile users have around 200 applications on their mobile devices, including all of the pre-installed apps like the address book and camera. Each application has an average of nine permissions that users agree to before using the app - things like permission to access your address book or your location in order to tell you about what's nearby.

With so many applications requesting access to private or sensitive information, it's often difficult for users, let alone IT administrators, to fully understand who's accessing their data, where it's being sent, and how it will be used.

Why you shouldn't blindly trust mobile advertising libraries

Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, are introduced not by the application's own code but by mobile advertising libraries and other library components such as social media or analytics tools. These libraries are large packages of code written by a third party, which the developer includes in their mobile app to add standard functionality.

Developers typically use these libraries to collect ad revenue, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with a varying reputation, and developers often include their code with little or no review.

Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it's impossible to know which ad library is included in a particular app. Unfortunately, when you give permission to an app to access your private or sensitive data, you're also giving access to each of the included libraries and their author(s), whether you know it or not.

This is like entrusting your house keys to your teenager for the weekend, only to have them immediately make copies for their friends, unbeknownst to you. This indirection and lack of transparency leads to a lack of accountability for the apps' included subcomponents and precludes IT administrators from making adequately informed risk decisions.
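The accountability gap described above can at least be made visible. The following script is an added example written for this article, not a Mojave Networks tool: given an app's decoded AndroidManifest.xml (as produced by a tool such as apktool) and a list of fully qualified class names from the app's dex files, it separates the app's own code from third-party library packages and reports which sensitive permissions each library package inherits. The manifest, class list, permission-to-data mapping, and package names are constructed samples, and the three-segment package grouping is a heuristic assumption.

```python
"""Inventory which third-party library packages inherit an app's sensitive
Android permissions. Added example for this article; all inputs below are
constructed samples, not data from a real app or vendor."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose the kinds of PII the article lists (constructed mapping).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone number / device IDs",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.GET_ACCOUNTS": "account names / email",
}

# Platform and language-runtime prefixes that are not third-party libraries.
PLATFORM_PREFIXES = ("android.", "androidx.", "java.", "javax.", "kotlin.", "dalvik.")

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed sample class list, as a dex listing tool would emit it.
SAMPLE_CLASSES = [
    "com.example.flashlight.MainActivity",
    "com.example.flashlight.util.Torch",
    "com.adnetwork.sdk.AdView",                      # hypothetical ad SDK
    "com.adnetwork.sdk.internal.DeviceInfoCollector",
    "org.analyticsvendor.core.Tracker",              # hypothetical analytics SDK
    "android.support.v4.app.Fragment",
    "kotlin.jvm.internal.Intrinsics",
]


def parse_permissions(manifest_xml):
    """Return (app package name, list of declared uses-permission names)."""
    root = ET.fromstring(manifest_xml)
    app_package = root.get("package")
    perms = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return app_package, perms


def third_party_packages(class_names, app_package, depth=3):
    """Group classes that belong neither to the app nor to the platform into
    library packages, keyed by their first `depth` package segments (heuristic)."""
    pkgs = set()
    for cls in class_names:
        if cls.startswith(app_package + ".") or cls.startswith(PLATFORM_PREFIXES):
            continue
        pkgs.add(".".join(cls.split(".")[:depth]))
    return sorted(pkgs)


def library_exposure(manifest_xml, class_names):
    """Map each third-party library package to the sensitive data it can reach.
    Every library runs in the app's process, so it inherits every permission
    the app holds; the report makes that inherited access explicit."""
    app_package, perms = parse_permissions(manifest_xml)
    inherited = sorted(SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS)
    return {pkg: inherited for pkg in third_party_packages(class_names, app_package)}


if __name__ == "__main__":
    for pkg, data in library_exposure(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(f"{pkg}: can access {', '.join(data)}")
```

In the sample, both hypothetical SDK packages are reported with access to the contact list, precise location, and phone identifiers, even though neither is the code the user thinks of as "the flashlight app". Feeding a fleet's decoded manifests and class lists through this kind of inventory gives an IT administrator the per-library view the article says is otherwise missing.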
