Hackers can access private data by exploiting vulnerabilities, mostly in free mobile apps, according to research by security consultancy MWR InfoSecurity.
Code used by advertisers and third parties for tracking can be abused to access address books and text messages, and to take control of mobile devices, the study found.
While users may trust the app developer, the app code inserted by advertisers may introduce vulnerabilities attackers can exploit to access their devices via the app, the security firm warned.
Researchers found that ad networks inherit all the permissions and capabilities of the application that contains the network’s code.
This means that, if the app can access private data such as photos or emails, data is also accessible by the ad network.
If hackers are successful in penetrating the ad network’s security defences, they will also have access to the data, researchers said.
“Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS,” said Robert Miller, senior security researcher at MWR.
“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data,” he said.
In a Channel 4 report, Miller demonstrated how to compromise Apple and Android devices by taking advantage of the code embedded within mobile advertisements.
He found that in doing so, advertisers could perform a list of unexpected actions, including:
Collect personal and sensitive data (and expose it to eavesdroppers)
Track device location via GPS
Access photos and other files stored in accessible locations such as the SD Card on Android devices
Read, write and delete files
Send/read email and/or SMS messages
Make phone calls
Turn on and use the camera and microphone
Update and install code and applications
Execute arbitrary commands
Miller said there are key differences in mobile data collection achieved via advertising compared with more traditional website ads.
He warned mobile users to be vigilant when granting mobile app permissions.
“Much more precise location data can be captured from a mobile device via its GPS and some apps require the ability to legitimately access a device owner’s contacts or directory information, as well as photos,” said Miller.
He said mobile users need to understand that free apps are supported by ad networks that trade in data.
“While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.
“”What we demonstrated was that due to the vulnerable and privileged advertising code, the app itself was undermined,” said Miller.
He said while advertisers need to take more responsibility for security, mobile users should be doubling their vigilance about letting apps access their sensitive mobile data.
“Users should read the permissions that an app requests before installing it,” said Miller.
“Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app,” he said.
Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Related content from ComputerWeekly.com
RELATED CONTENT FROM THE TECHTARGET NETWORK