4 Jan 2015

Apps, ads and what they get from your phone

Advertising technology inside some of the world’s most successful mobile phone apps makes them vulnerable to hacking, potentially opening up a user’s phone to criminals.
Tech security experts working with Channel 4 News have discovered it is possible to use the adverts to effectively hijack a mobile phone.

“This could allow an attacker or a malicious advertiser access to the owner’s photos, contacts book and location. The attacker could even install their own apps on the phone,” said Rob Miller, security researcher for MWR InfoSecurity.

As part of the Data Baby series of reports into how personal information is used online, Channel 4 News worked with MWR InfoSecurity to test how vulnerable advertiser-funded apps were to hacking.

Millions of free apps currently rely on ads for income. When a phone owner installs an app, they grant it permissions (for example, allowing it to access the phone’s location, its microphone, etc). But the companies whose ads appear in the apps also get the same permissions, meaning personal information could potentially be sent to any advertiser whose ad is shown.

Working with students at the Sylvia Young Theatre School in London, MWR InfoSecurity’s experts were able to show how, while playing their favourite phone games, the children’s information was being sent to dozens of companies around the world. A previous investigation by Channel 4 News found the average phone contacts as many as 315 different servers a day thanks to the apps constantly running inside.

Personal information

But the tech security experts were able to go even further, using the advertising window to break into parts of the phone they should never have been able to reach.

In order to display the advertiser’s message, the app’s code creates a window on the screen. Each time the window appears the code requests a new advert from one of several ad networks. With the right combination of phone, app and ad network, MWR InfoSecurity’s staff were able to go way beyond the permissions the app had been granted, allowing access to swathes of sensitive personal information.

“While the students were using the apps, we were basically able to take control of some of their phones. For one of the students we managed to get access to every picture on his mobile device,” said Mr Miller. “We didn’t pull the photos up, but we could see they were there, and that’s not something the app’s permissions should have allowed us to do.”

The company has informed the relevant phone manufacturers and advertising companies, but it fears the vulnerability may take time to fix, leaving phone owners exposed.

“To solve the problem, the fix would have to be rolled out through phone updates, and the app builders and ad networks would also have to take steps,” said Mr Miller.

In the meantime, the company issued the following advice to phone owners:

1. Read the terms and conditions
It’s easy to ignore and skip past the details when a mobile app requests permissions before it gets installed. But remember that the permissions that you grant it are automatically granted to the ads running within the app. If you’re not comfortable permitting the app to access certain information, it may be best to find an alternative.
2. Be careful when you use free Wi-Fi
Public Wi-Fi hotspots are getting a bad reputation for being a common place for thieves to steal private information as it is transmitted. Unfortunately there is no easy way for users to tell whether their apps are sending their information in a safe and protected manner or not. If you do not trust the Wi-Fi, it may be better for you to use your 3G connection instead.
3. Only download apps from trusted sources
Most phones can be modified to allow users to install apps from third-party sources (through changing of settings or jailbreaking the device). The risk is that by using third-party app stores, users cannot have any guarantees about the content of these apps. Many times it has been found that malware is distributed in this manner, pretending to be free versions of paid-for apps.
4. Update your device whenever prompted
Device and application developers alike are working hard to constantly improve the security of your device and your data. Whenever they bring out a new version it is important that you download and install the update as soon as you can to limit the window during which your device is vulnerable.

Follow @geoffwhite247 on Twitter