The hidden dangers of third party code in free apps

Research from MWR InfoSecurity has shown the various ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps.

When people install and use free applications – more so than paid apps – they may be handing over their address books, the contents of their SMS, e-mail or in some cases, giving away full control of their devices. This is because of privileged code injected into the apps that advertisers and third parties use for tracking. So while the users may trust the app developer, the app code inserted by advertisers may introduce vulnerabilities attackers can exploit to access their devices via the app.

Ad networks inherit all the permissions and capabilities of the application that contains the network’s code. If the app can see your photos, the ad network can. If you let the app read and send e-mail, the ad network can and so on. This means that if hackers are successful in penetrating the ad network’s security defenses, they will have access to the same data as well.

Senior security researcher Robert Miller from MWR explained: “Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS.

“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data.”

Criminals can compromise Apple and Android devices by taking advantage of the code embedded within mobile advertisements. Because that code runs with the host app’s permissions, advertisers (or an attacker who has compromised the ad network) could perform a shopping list of unexpected actions, including:

  • Collect personal and sensitive data (and expose it to eavesdroppers)
  • Track your location via GPS
  • Access photos and other files stored in accessible locations (such as the SD Card on Android devices)
  • Read, write and delete files
  • Send / Read e-mail and/or SMS messages
  • Make phone calls
  • Turn on and use the camera / microphone
  • Dynamically update and install code / applications
  • Execute arbitrary commands.
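The permission-inheritance problem described above is easy to make concrete on Android, where every permission is declared in the app’s manifest and every class in the process, the ad SDK’s included, can use it. The following audit script is an added illustration, not MWR’s tooling or any ad network’s code: it parses a manifest, lists which of the sensitive capabilities from the list above the app holds (and therefore any bundled SDK inherits), and flags components registered under a package other than the app’s own, which is the usual sign of an embedded third-party SDK. The sample manifest and the package names `com.example.freeapp` and `com.adnetwork.sdk` are constructed for the example; the permission strings are real Android permission names.

```python
"""Audit an Android manifest for capabilities a bundled third-party SDK inherits.

Added example for illustration; not MWR InfoSecurity's tooling.
The SAMPLE_MANIFEST and the package names in it are constructed.
"""
import xml.etree.ElementTree as ET

# Attribute names in AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions mapped to the capability categories the article
# lists. Any of these held by the host app is usable by ad-network code
# running in the same process; the platform does not distinguish them.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "track location via GPS",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "read incoming SMS messages",
    "android.permission.CAMERA": "turn on and use the camera",
    "android.permission.RECORD_AUDIO": "turn on and use the microphone",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write/delete files on shared storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install applications",
}

# Constructed sample: a free app that also ships an ad SDK's activity and service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.adnetwork.sdk.AdActivity"/>
    <service android:name="com.adnetwork.sdk.AdService"/>
    <receiver android:name="com.example.freeapp.BootReceiver"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package, requested permissions, [(component type, class name)])."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    comps = []
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            comps.append((tag, e.get(ANDROID_NS + "name")))
    return package, perms, comps


def third_party_components(package, components):
    """Components whose class lies outside the app's own package.

    A name starting with '.' is shorthand for a class inside the app package.
    Anything else outside the package is an entry point registered by bundled
    third-party code, which runs with the app's identity and permissions.
    """
    return [
        (kind, name)
        for kind, name in components
        if name and not name.startswith(".") and not name.startswith(package + ".")
    ]


def audit(xml_text):
    """Summarise what an embedded SDK in this app would inherit."""
    package, perms, comps = parse_manifest(xml_text)
    inherited = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    return {
        "package": package,
        "inherited_capabilities": inherited,
        "third_party_components": third_party_components(package, comps),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("App package:", report["package"])
    print("Third-party components (run with the app's permissions):")
    for kind, name in report["third_party_components"]:
        print(f"  {kind}: {name}")
    print("Capabilities any bundled SDK inherits:")
    for perm, what in report["inherited_capabilities"].items():
        print(f"  {perm}: {what}")
```

Run against a real app by passing the decoded `AndroidManifest.xml` (e.g. the output of a decompiler) to `audit()`; the result is the set of things on the article’s list that the ad code could do on that device, and the components a reviewer should inspect first.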

There are key differences between the data collection achieved via mobile advertising and that of more traditional website advertisements, and MWR warned users to be vigilant when granting mobile app permissions. “Much more precise location data can be captured from a mobile device via its GPS and some apps require the ability to legitimately access a device owner’s contacts or directory information, as well as photos,” said Miller.

“Consumers need to understand the eco-system of mobile applications. Free apps are supported by ad networks that trade in data. While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.”

“What we demonstrated was that due to the vulnerable and privileged advertising code, the app itself was undermined,” he continued. “Advertisers need to take more responsibility for security and in the meantime users should be doubling their vigilance against being overly blasé about letting apps access their sensitive mobile data.”

Miller suggested users should read the permissions that an app requests before installing it. “Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app,” he said.

Here’s a Channel 4 piece featuring MWR InfoSecurity:

Update (February 2016): Video removed, as it was using Adobe Flash.