Think free apps for your smartphone are too good to be true? A new report finds that they may come with a catch that exposes your phone to security issues.
Researchers at North Carolina State University reviewed apps in the Google Play market (formerly called the Android market) and found that ads included in the apps to help generate revenue could pose security risks to your phone. According to the release about the research, apps sometimes incorporate "in-app ad libraries," which receive the permission granted when the user downloaded the app and can provide a backdoor for hackers into your phone. The report states that apps offered through Apple and other third parties could be affected as well.
According to the research, led by Xuxian Jiang, an assistant professor of computer science at the university, some of the 100,000 apps reviewed "made use of an unsafe mechanism to fetch and run code from the Internet." Information accessible through the ad libraries included GPS coordinates, call logs, user phone numbers and lists of other apps downloaded onto the device.
Jiang has more on the implications of this security issue:
These ad libraries pose security risks because they offer a way for third parties – including hackers – to bypass existing Android security efforts. Specifically, the app itself may be harmless, so it won't trigger any security concerns. But the app's ad library may download harmful or invasive code after installation.
"To limit exposure to these risks, we need to isolate ad libraries from apps and make sure they don't have the same permissions," Jiang says. "The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms."
PC Mag points out that the free version of the popular smartphone game Angry Birds could be an example. PC Mag explains that the security issue arises because granted permissions cannot be "[distinguished] between actions performed by an ad library and those performed by its hosting app." The report says this finding "necessitates a change in the way existing ad libraries can be integrated into host apps."
In addition to potentially exposing some of your phone's private data, the security flaw could also allow for the launch of a "root exploit" attack on the phone, according to Jiang. This attack allows a piece of malware to take control of your phone.