Mobile ad libraries create major risk for enterprise data
by Ryan Smith - Lead Threat Engineer at Mojave Networks - Monday, 2 June 2014.
Every day at Mojave Threat Labs, our research team analyzes thousands of mobile apps using more than 200 individual risk factors. One of the key risk factors that we track is private data or personally identifiable information (PII) that is collected and sent to remote web APIs. This may include the user’s name, phone number, email address, location, applications they have installed, phone call history, contact list, and much more.

On average, corporate employees and mobile users have around 200 applications on their mobile devices, including all of the pre-installed apps like the address book and camera. Each application has an average of nine permissions that users agree to before using the app – things like permission to access your address book or your location in order to tell you about what’s nearby.

With so many applications requesting access to private or sensitive information, it’s often difficult for users, let alone IT administrators, to fully understand who’s accessing their data, where it’s being sent, and how it will be used.

Why you shouldn't blindly trust mobile advertising libraries

Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, originate not in the application's own code but within mobile advertising libraries and other library components such as social media or analytics tools. These libraries are large packages of code written by a third party, which the developer includes in their mobile app to add standard functionality.

In this case the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.

Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it’s impossible to know which ad library is included in a particular app. Unfortunately, when you give permission to an app to access your private or sensitive data, you’re also giving access to each of the included libraries and their author(s), whether you know it or not.

This is like entrusting your house keys to your teenager for the weekend, only to have them immediately make copies for their friends, unbeknownst to you. This indirection and lack of transparency leads to a lack of accountability for the apps' included subcomponents and precludes IT administrators from making adequately informed risk decisions.
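One way to make the risk factor described at the top of the article (PII sent to remote web APIs) visible, and to attribute it to a bundled library rather than to the app's own backend, is to audit an app's outbound requests by destination host. The Python below is an added example, not Mojave's tooling; the hosts, request bodies and the first-party host list are constructed placeholders.

```python
import json
import re

# Constructed sample of outbound requests captured from an instrumented test
# device. Hosts and values are hypothetical placeholders, not real traffic.
SAMPLE_REQUESTS = [
    {"host": "api.example-app.test",
     "body": '{"session": "abc123", "screen": "home"}'},
    {"host": "track.adnet.test",
     "body": '{"email": "jane.doe@corp.example", "imei": "356938035643809", '
             '"lat": 37.77, "lon": -122.41}'},
    {"host": "stats.analytics.test",
     "body": '{"installed": ["com.bank.app", "com.mail.app"], '
             '"phone": "+1 415 555 0100"}'},
]
# Endpoints run by the app's own developer; any other host is treated as a
# bundled third-party library (ad network, analytics or social SDK).
FIRST_PARTY_HOSTS = {"api.example-app.test"}
# Field names carrying the data classes the article lists as PII.
PII_KEYS = {"name", "email", "phone", "imei", "lat", "lon", "installed",
            "contacts", "call_log"}
# Value patterns catch PII sent under non-obvious field names.
PII_PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
                "phone": re.compile(r"\+\d[\d\s-]{7,}\d")}


def pii_fields(body):
    """Return the sorted PII indicators found in one request body."""
    try:
        items = list(json.loads(body).items())
    except (ValueError, AttributeError):  # not a JSON object: scan raw text
        items = [("raw", body)]
    found = set()
    for key, value in items:
        if key in PII_KEYS:
            found.add(key)
        found.update(n for n, p in PII_PATTERNS.items() if p.search(str(value)))
    return sorted(found)


def audit(requests, first_party=FIRST_PARTY_HOSTS):
    """Map each host that received PII to the fields sent and a third-party flag."""
    report = {}
    for req in requests:
        fields = pii_fields(req["body"])
        if fields:
            entry = report.setdefault(req["host"], {
                "third_party": req["host"] not in first_party, "fields": set()})
            entry["fields"].update(fields)
    return {h: {"third_party": e["third_party"], "fields": sorted(e["fields"])}
            for h, e in report.items()}
```

Hosts flagged `third_party` with non-empty fields are the library endpoints an IT administrator would want to weigh against the app's declared purpose.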
