A new study highlights a major data-loss risk from ad libraries used in Android apps. The risk comes from these libraries accruing permissions from multiple apps and using them unethically to gain more access to sensitive information. The authors of the study call this practice intra-library collusion (ILC), and it will make you think twice before granting permissions to non-essential apps.
Apps Live off of Your Personal Information
Long before free apps and websites existed, artist Richard Serra made a startling assertion about television. He said that advertisers are the customer and viewers are the product.
The same is true of smartphone apps. When we download a free app, we are the product. Advertisers buy access to our personal information. That is what keeps the app developers in business.
We are comfortable with this arrangement because we get a valuable service from the app. A GPS app gets us where we need to go, so we consent to share some of our location data. App developers can then sell that information to advertisers to more accurately target ads.
Ad Libraries Help Target Ads But Need Permissions
Apps track revenue and determine which ads to display through ad libraries. Ad libraries are packaged in the app in such a way that they receive the same permissions as the app itself. This means that if you give a map app permission to track your location, you also give the ad library permission to track your location.
The issue here is hard to spot. After all, what’s the difference between giving permission to the app or the library? The problem is that the same ad library may be used in other apps with different permissions. And for each app, the ad library can accrue more permissions and more access to your personal information.
Libraries Accrue Permissions and That Could Lead to Abuse
That is to say, an app used for GPS may ask for permission to track your location. A language-learning app may ask for permission to access your microphone. A third app may ask to access your contacts. If all three apps use the same ad library, that library now has access to your location, microphone, and contacts.
Ethically, the library should use a permission only in the app for which it was granted (e.g., the library should access the microphone only in the app that asked to use the microphone). In reality, there is nothing stopping the ad library from using all the permissions it has acquired in any of the apps it’s embedded in.
This accrual of permissions means that ad libraries can aggregate unprecedented amounts of sensitive information. The various tricks that these libraries use for legitimate purposes (like avoiding ad disablers) make it hard for experts (let alone users) to understand exactly what information is being collected and sold to advertisers.
To make matters even worse, third-party libraries are often the most insecure part of an application. That means that even if the developers of an ad library are ethical, they may accidentally lose data.
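The accrual described above can be audited from an app inventory. The following is an added example, not code from the study: it takes a constructed list of apps (all package and library names are hypothetical), computes the combined permission set each shared ad library holds across its host apps, and flags libraries whose combined set is larger than what any single host app grants.

```python
from collections import defaultdict

# Constructed inventory: app -> (granted permissions, embedded ad libraries).
# Package and library names are hypothetical placeholders.
INSTALLED_APPS = {
    "com.example.maps": ({"ACCESS_FINE_LOCATION"}, {"adlib.alpha"}),
    "com.example.langtutor": ({"RECORD_AUDIO"}, {"adlib.alpha", "adlib.beta"}),
    "com.example.dialer": ({"READ_CONTACTS"}, {"adlib.alpha"}),
    "com.example.notes": (set(), {"adlib.beta"}),
}


def ilc_exposure(apps):
    """Return libraries whose combined permissions exceed every single host app.

    For each flagged library the report holds the aggregated permission set
    and, per host app, the permissions the library holds only through its
    other host apps (permissions the user never granted to that app).
    """
    hosts = defaultdict(set)
    for app, (_, libs) in apps.items():
        for lib in libs:
            hosts[lib].add(app)

    report = {}
    for lib, host_apps in hosts.items():
        aggregated = set().union(*(apps[a][0] for a in host_apps))
        beyond = {a: aggregated - apps[a][0] for a in host_apps}
        # Sharing adds reach only if no single host already grants everything.
        if len(host_apps) > 1 and all(beyond.values()):
            report[lib] = {"aggregated": aggregated, "beyond_host": beyond}
    return report


if __name__ == "__main__":
    for lib, info in sorted(ilc_exposure(INSTALLED_APPS).items()):
        print(lib, "holds", sorted(info["aggregated"]))
        for app, extra in sorted(info["beyond_host"].items()):
            print("  ", app, "never granted:", sorted(extra))
```

In this inventory only adlib.alpha is flagged, because adlib.beta gains nothing beyond what its one permission-holding host already grants.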
Steps to Prevent Data Loss Due to Intra-Library Collusion
The authors of the study have a pessimistic view of legal solutions for preventing intra-library collusion. Governments or app stores could attempt to limit ILC, but detecting the abuse would be difficult.
One proposed solution is privilege separation. This requires ad libraries to run as separate processes within different apps. So even if the same ad library received different permissions from different apps, it could use each permission only within the app that granted it.
Unfortunately, the authors of the study do not provide advice for consumers. This problem is literally embedded in the apps we all use. Pressure on the advertising industry could one day lead to better self-regulation, but for now, consumers must protect their own information.
We recommend taking extra time to consider the information you are sharing with an app. Granting access to your microphone or your contacts puts a great deal of trust in the ad networks that partner with the app. Make sure the service that the app provides is worth the risk of personal data loss before saying yes to any permissions request.