Monday, 9 December 2013

Ad Network Hacks and Info-Sucking Flashlights

When we talk about ad networks, it's important to remember that they are not inherently evil. Without them, free and $0.99 apps might not exist at all, and there would be decidedly less excitement about developing for mobile platforms. After all, everyone needs to make money.
The trouble is that users don't always have control over how much of their information is sent to ad networks, or whether those networks use proper security techniques to keep their information secure. We'll look at both of those problems today.
Brightest Flashlight Free
Flashlight apps are the ones people used to point to when making tired arguments about how mobile devices were just a passing fad. It turns out the real sin of flashlight apps wasn't that they were useless (they are), but that they sucked your information out of your phone.
But consent was at the center of the FTC's case against the developers of Brightest Flashlight Free. While the app gave users the ability to accept or reject a EULA which included transmitting location data, the FTC pointed out that it didn't matter. Even before users could make their choice, the app was already collecting and transmitting user data to third parties. Developers Goldenshores Technologies are now in danger of receiving a hefty $16,000 fine.
When Lookout started their crusade against adware earlier this year, the idea of user consent was key. The trouble is that most of the time, apps don't give users any indication that their data is being harvested. Some security applications, like Lookout, now include app reputation services and can provide alerts about apps that request an inordinate amount of access. Ultimately, though, it's up to the users to decide if they're willing to part with their information in exchange for apps.
Applovin Exploit
In late November, Bitdefender offered another reason to be wary of ad networks when it demonstrated how to pull user information from an ad-serving framework called Applovin. While it was just a proof-of-concept, the security company showed how your data can be intercepted when ad networks don't use proper security techniques.
Bitdefender told SecurityWatch that their experiment hinged on the fact that Applovin (aka Vulna) did not encrypt its data while in transit, nor did it require authentication to access the data. Bitdefender used a man-in-the-middle attack to intercept the data, and noted that their attack could have been stopped if Applovin had used HTTPS.
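The two weaknesses described above, no encryption in transit and no authentication, are the kind of thing a developer or app reviewer can check for in a traffic capture before shipping. The following audit script is an added example, not code from Bitdefender or Applovin; the capture format, the hostnames and the parameter-name list are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Query-parameter names that typically carry device identifiers or location.
# Assumption for this example, not Applovin's real parameter names.
SENSITIVE_KEYS = {"imei", "android_id", "device_id", "lat", "lon",
                  "latitude", "longitude", "email"}

def audit_request(line):
    """Audit one capture line of the form 'METHOD URL [Header=value ...]'.

    Returns a list of findings: 'plaintext:<keys>' when identifying data
    travels over http://, and 'unauthenticated' when such data is sent with
    no Authorization header (the two weaknesses Bitdefender described).
    """
    parts = line.split()
    url = parts[1]
    headers = {k.lower(): v for k, v in (h.split("=", 1) for h in parts[2:])}
    u = urlsplit(url)
    leaked = sorted(k for k in parse_qs(u.query) if k.lower() in SENSITIVE_KEYS)
    findings = []
    if leaked and u.scheme == "http":
        findings.append("plaintext:" + ",".join(leaked))
    if leaked and "authorization" not in headers:
        findings.append("unauthenticated")
    return findings

def audit_capture(lines):
    """Map each request's host+path to its findings; an empty list means no issue found."""
    report = {}
    for line in lines:
        u = urlsplit(line.split()[1])
        report[u.netloc + u.path] = audit_request(line)
    return report

# Constructed capture: an ad SDK beacon over plain HTTP with no auth, a
# properly protected events call, and a harmless image fetch.
SAMPLE_CAPTURE = [
    "GET http://ads.example.invalid/v1/track?app=flashlight&android_id=CONSTRUCTED01&lat=40.71&lon=-74.00",
    "POST https://api.example.invalid/v1/events?lat=40.71&lon=-74.00 Authorization=Bearer_constructed",
    "GET http://cdn.example.invalid/banner.png",
]

if __name__ == "__main__":
    for endpoint, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(endpoint, findings or "ok")
```

Run against a real proxy export, the same check tells you which SDK endpoints would fail the "should have used HTTPS" test Bitdefender applied to Applovin.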
"We cannot say if the Google Play application review process will prevent the creation of other SDKs or individual apps that present such functionality in the future," Catalin Cosoi, Chief Security Strategist for Bitdefender, told SecurityWatch. "Google should definitely give some attention to the issue, as otherwise a malicious programmer might publish a perfectly legitimate app with such a backdoor function and turn it into a data-stealing Trojan later."
Thankfully, the latest version of Applovin does not include these vulnerabilities, which appear to be present only in versions 2.0.74 through 5.0.3. Unfortunately, users will have a hard time knowing whether developers are making use of Applovin, not to mention which version is involved. Bitdefender notes that its Clueful app should detect the vulnerability.
