On average, corporate employees and mobile users have around 200 applications on their mobile devices, including all of the pre-installed apps like the address book and camera. Each application has an average of nine permissions that users agree to before using the app – things like permission to access your address book or your location in order to tell you about what’s nearby.
With so many applications requesting access to private or sensitive information, it’s often difficult for users, let alone IT administrators, to fully understand who’s accessing their data, where it’s being sent, and how it will be used.
Why you shouldn't blindly trust mobile advertising libraries
Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, originate not in the application itself but in mobile advertising libraries and other library components such as social media or analytics tools. These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality.
In this case the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review.
Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it’s impossible to know which ad library is included in a particular app. Unfortunately, when you give permission to an app to access your private or sensitive data, you’re also giving access to each of the included libraries and their author(s), whether you know it or not.
This is like entrusting your house keys to your teenager for the weekend, only to have them immediately make copies for their friends, unbeknownst to you. This indirection and lack of transparency lead to a lack of accountability for the apps' included subcomponents and preclude IT administrators from making adequately informed risk decisions.