Press Release

MWR InfoSecurity warns on hidden dangers of third party code in free apps

Channel 4 investigation reveals how ad networks put users at risk


Research from information security consultancy MWR InfoSecurity has shown the various ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps. The company found that when people install and use free applications – more so than paid apps – they may be handing over their address books and the contents of their SMS or e-mail, or in some cases giving away full control of their devices. This is because of privileged code, used by advertisers and third parties for tracking, that is embedded in the apps. So while users may trust the app developer, the code inserted by advertisers may introduce vulnerabilities that attackers can exploit to access their devices via the app.

MWR showed that ad networks inherit all the permissions and capabilities of the application that contains the network’s code. If the app can see your photos, the ad network can. If you let the app read and send e-mail, the ad network can and so on. This means that if hackers are successful in penetrating the ad network’s security defences, they will have access to the same data as well.

Senior security researcher Robert Miller from MWR explained: “Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS.

“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data.”

In a Channel 4 report that recently aired, Miller demonstrated how to compromise Apple and Android devices by taking advantage of the code embedded within mobile advertisements. He found that in doing so, advertisers could perform a shopping list of unexpected actions, including:

• Collect personal and sensitive data (and expose it to eavesdroppers)
• Track your location via GPS
• Access photos and other files stored in accessible locations (such as the SD Card on Android devices)
• Read, write and delete files
• Send / Read e-mail and/or SMS messages
• Make phone calls
• Turn on and use the camera / microphone
• Dynamically update and install code / applications
• Execute arbitrary commands

MWR highlighted that there are key differences in mobile data collection achieved via advertising when compared to more traditional website advertisements and warned users to be vigilant when granting mobile app permissions. “Much more precise location data can be captured from a mobile device via its GPS and some apps require the ability to legitimately access a device owner’s contacts or directory information, as well as photos,” said Miller.

“Consumers need to understand the eco-system of mobile applications. Free apps are supported by ad networks that trade in data. While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.

“What we demonstrated was that due to the vulnerable and privileged advertising code, the app itself was undermined,” he continued. “Advertisers need to take more responsibility for security and in the meantime users should be doubling their vigilance against being overly blasé about letting apps access their sensitive mobile data.”

Miller suggested that users should read the permissions that an app requests before installing it. “Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app,” he said.

This work forms part of a larger body of research and advocacy on mobile security. For more information, please read our research on advertising networks or visit our Mobile practice.

Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations’ adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorised by CREST to perform STAR penetration testing services.