VB 2013: Adkits on Android mobile phones

By Guillaume Lovet | October 14, 2013

The FortiGuard Labs had a wonderful time at VB2013, where we saw some amazing talks by some amazing people. You can click here for our recap.

During our time there, our very own Axelle Apvrille spoke on research she conducted with her colleague Karine de Ponteves. The piece explores how pervasive mobile advertising kits have become in our personal lives. The slides are available here (soon!).

How do these advertisers get such a detailed glimpse at our lives? Well, as slides 8, 11 and 12 say, the details are retrieved either from the people themselves or from data on the phone. In the first case, the problem is that the information people provide is usually tied to a given context, and they do not expect that information to be provided in other contexts. For example, a social security app can legitimately ask for my birth date, but I do not necessarily want that information to be given to a game app.

In the second case, the problem is that data is often retrieved without explicit (or unambiguous) consent. Average end-users certainly do not expect the READ_PHONE_DATA permission to imply the app may retrieve their phone number. Finally, there actually is another source of information I haven't mentioned: developers. If a developer thinks his/her app targets a specific population, he/she may provide the information to the ad network. For example, a developer who creates an app for men may send that information to the ad network as GENDER=Male. Sure, it does not mean women cannot install it, in which case the information is wrong, but that's always the case: even when people provide information, adkits cannot be sure the information is always correct.

The conclusion of our talk is that the current mobile ad model leans too much on the advertiser's side and not enough on people's side. We're losing too much privacy. Ad networks build user profile databases, based on data they collect from our phones. Isn't that - to some extent - comparable to what the NSA's PRISM program does?

"I know I might seem ... naive on this but I can't see any other option: I feel we would certainly be better off without targeted ads (or less targeted on our private lives)." -Axelle Apvrille

A researcher in the audience, however, made the point that targeted ads also ensure that when he's watching a football match on TV with his kids, they do not see shocking adult ads. While she entirely agreed, Axelle's position was that this was more the role of parental control applications.

Is there sunshine somewhere? Perhaps. Google changed its developer policy a month ago, in particular, to enforce more ethical behavior for adkits. That's good news. I hope adkits won't be bypassing the policy. Axelle also mentioned there will be an IEEE session dedicated to the discussion around the problems caused by misbehaving and/or aggressive advertisement libraries in mobile apps on October 28-29 in Montreal.

"It's good to sit together and openly discuss the matter. I hope all of this will in the end get to more privacy to end-users. We all deserve it." -- the Crypto Girl

