
Ad Network Research

The overwhelming majority of mobile device users resist paying for applications. Therefore developers are particularly interested in experimenting with monetisation through serving advertisements.

It’s not a bad idea either: mobile advertising revenue (for the US) was $31 billion in 2011 and $36 billion in 2012 (source: Interactive Advertising Bureau). Often developers can make far more money using adverts to monetise their applications than by charging a small fee for the software they have developed.

A study by Cambridge University found that:

  • 73% of apps in the Android marketplace were free, and of those, 80% relied on advertising as their main business model
  • Only 20% of paid apps are downloaded more than 100 times
  • A mere 0.2% of paid apps are downloaded more than 10,000 times
  • On the flip-side, 20% of free apps get 10,000 or more downloads!

The future of app monetisation clearly lies in the ad-supported model. So where’s the catch? Isn’t this win/win? Are we really getting something for nothing? Based on the research conducted by MWR, you’re actually paying for these ‘free’ applications.

“If You’re Not Paying, You’re The Product”

You may be handing over your address book, giving away the contents of your SMSs, allowing someone to read your e-mails, or in some cases giving away full control of your device. In the very worst cases, all of these things and more! We’ve seen ad networks that:

  • Collect personal and sensitive data (and expose it to eavesdroppers)
  • Track your location via GPS
  • Can access photos and other files stored in accessible locations (such as the SD Card on Android devices)
  • Read, write and delete files on your device
  • Send e-mail and/or SMS messages
  • Read e-mail and/or SMS messages
  • Make phone calls
  • Turn on and use the camera
  • Turn on and use the microphone
  • Dynamically update their code
  • Execute arbitrary commands
  • Install code/applications

All of these behaviours are either implemented ‘features’ that are being used and abused, or can be achieved by exploiting resident vulnerabilities in the ad network’s Software Development Kit (SDK).

These vulnerabilities and ‘features’ are often available on all of the major platforms: iOS, Android, Windows Phone and BlackBerry. However, they are not all exploitable to the same degree due to platform idiosyncrasies, security architectures (such as sandboxing) and platform-specific exploitation mitigations.

The way that mobile advertising networks are ‘supposed’ to work is as follows. An advertiser pays a fee for their advert to be shown (in reality it’s actually a very complex pricing model based on a plethora of options, but we’ll try and keep things simple). The advertising network makes available a Software Development Kit (SDK). The SDK is ‘plugged’ into a mobile application by a developer looking to monetise their application. Then when someone downloads and uses the application, the code in the ad network SDK is triggered. The user of the application will see an advert of some kind, and, if the user interacts with the advert in some way, such as watching a video, clicking on a link to view and possibly install another application, or purchase an advertised product, etc., then these interactions are recorded and transmitted to the ad network so that the developer of the application can receive the appropriate payment and the advertiser pays the agreed fee.

So basically, a developer ‘plugs’ in the SDK to their application, gives the application away for free and earns money for every advert shown. What could go wrong? The economics and the associated ecosystem of the advertising world, let alone the mobile advertising world, are a complex beast far beyond the scope of this blog post, so we’ll attempt to simplify them somewhat.

Advertisers steal your data to be able to target you with more attractive ads

Advertising networks want to maximise their profits, therefore they are always looking for the most advantageous way to achieve this. Advertising networks gather metrics so that they can tailor campaigns and target specific audiences. Advertisers pay a lot of money for accurate metrics and/or successful delivery of targeted advertisements. Your data and meta-data (data about you and your data) are very valuable. They can be sold to 3rd parties and used to deliver more targeted adverts that will increase the likelihood of your interacting with them. Advertising networks are always looking for ingenious ways to profit from the data they collect. In addition to this, advertisers want to deliver the most captivating and ‘feature’ rich adverts. To this end, they look to leverage the mobile devices’ ‘native’ capabilities to do so.

This in itself is not groundbreaking news. The phenomenon of advertising networks stealing your data and leaking sensitive information has been widely reported for some time. Below are just a few links to media articles that have documented this:

So we all know that ad networks are collecting our data, transmitting it insecurely, tracking our movements, profiling us, listening to us and selling on our data to unknown third parties.

It’s worth stating this again: “If You’re Not Paying, You’re The Product”. Those who are already aware of the actions of the advertising networks and have read the articles listed above or similar will probably also be aware that (in some cases at least) the advertising networks have been forced to protect this data from eavesdroppers and to ensure that it is made anonymous to an adequate degree. Those who have been named and shamed have done this adequately. A lot have not.

There are hundreds of ad networks out there, as well as a diverse and expansive ecosystem; it’s impossible to keep tabs on all of them. Application developers choose the ad network to embed in their application based on how much they can potentially earn. Every search for ad networks will present you with several articles comparing which ad networks provide the highest returns, not which ones leak the least amount of data or perform the least suspicious activities.

MWR’s research expands on the exploration already conducted by journalists and reputable security companies. We were interested in looking deeper into how these advertising networks work and figuring out exactly what is going on under the hood, in an attempt to quantify the risk that ad networks pose to the security of mobile devices and/or the data stored and processed on them. Our research led to some very interesting and hard to digest findings.

Our findings make uncomfortable reading

During our research we have found that ad networks do a lot more than they advertise, and in fact often display very aggressive behaviours. In addition we have found many ad networks to be vulnerable to classes of threat that could allow attackers and/or malicious 3rd parties to abuse exposed functionality to perform nefarious actions. We have found a number of vulnerabilities in various networks that malicious attackers could exploit to do a number of things you really wouldn’t want. It should be noted that the advertising network(s) are also in a position to exploit the same weaknesses, as indeed could an advertiser who developed an advert and paid the advertising network to display it on their behalf.

In summary, there are a number of parties who can potentially do things they really shouldn’t be able to do to your mobile device and the data it contains via embedded mobile ad networks.

We will be releasing more technical details on each issue with examples of why these vulnerabilities exist, how they can be exploited and importantly, how to identify them for yourself, along with information on the work flow followed by the researchers investigating these libraries. However, within this post we intend to keep things high level.

Most of the exploitable issues identified are present because of how the ad networks and the advertisements interact with the mobile device, in particular how they access the device’s ‘native’ features. The ad network SDKs require the application developer to display ad content within a WebKit webview. WebKit is an open source web browser engine that powers browsers such as Google Chrome and Apple Safari (the default iOS and Android browsers). An app will use a webview to load HTML content (just like loading a web site in your desktop web browser of choice) and the ad network SDK uses the browser instance to load and display an advert.

The ad network and the adverts themselves can load dynamic JavaScript code into the webview. This is where things begin to differ from how a website loaded into a browser on your desktop computer works. Websites use JavaScript all the time; however, on a desktop computer a security barrier exists that prevents the JavaScript from turning on your webcam, or reading and writing files to your computer hard drive. It definitely can’t just start accessing your address book or reading your e-mails – that would be pretty scary. It can’t really do that on a mobile device either, not without someone deliberately punching a hole in this security barrier and allowing it to do so. This is pretty much what ad networks are doing. They are opening a hole in the security barrier and allowing JavaScript to interact with the device via something known as a native bridge.

The ad network SDK is written in what is known as ‘managed’ code. For Android this is Java, for iOS Objective-C, for Windows Phone C#, etc. These are powerful languages that can do many things. The SDKs are closed source. This means that the developer embedding the code into their application doesn’t actually know what it does and can’t look at the source code to find out either. So they are blindly trusting that the code is not doing anything it shouldn’t. In turn, when you install the application from the developer, via the Apple App Store, Google Play Store or Windows Market Place, you are not only trusting that the developer of the application and the code you are installing are trustworthy, but you are also implicitly trusting that the code developed by the ad network is trustworthy.

Let’s be safe out there

Additionally, when you install an application, in order to do things such as read/send SMSs, take pictures with the camera, access contacts, etc., it needs to ask for permission to do so. When you install an application that can be used to send a picture taken with your camera to a social network of choice or offer to e-mail it to a friend, it seems a legitimate request to ask for the relevant permissions. However, when you grant these permissions, the ad network also inherits these permissions. Did you really want to give an anonymous 3rd party advertiser access to your photos, or the ability to upload them to your social network? What about the ability to read and send SMSs?

This isn’t to say that all the ad networks are doing this, or embedding the code that is capable of doing this. Some ad networks just contain vulnerabilities that can be exploited in such a way that this can be done. Of course there are ad networks that do include functionality that it is difficult to find any justification for, but we don’t want to cast aspersions on ALL ad networks.

We presented some of the technical details along with demonstrations of how these vulnerabilities can be exploited at the 44CON conference in London. We will also be presenting some of the findings of this research at ZACon in South Africa in November. We also intend to release technical details of the vulnerabilities as and when it is possible. Until then:

  • Uninstall all free applications, supported by advertising
  • Pay for your applications, and show the developers that there is a market for good software
  • Lobby ad networks to communicate over cryptographic channels, such as HTTPS (SSL/TLS)
  • If possible, audit the ad network libraries (as we have done)
  • Be very careful about the wireless networks you connect to, especially when using apps that support advertising
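
One way to start the library audit suggested above, as an added example that is not MWR's tooling or code from the original post: scan decompiled SDK sources for a webview that enables JavaScript, exposes a native bridge and loads content over cleartext HTTP, then list the host app permissions the SDK inherits. It assumes Android, where a bridge is exposed with `WebView.addJavascriptInterface`; the manifest, package names, `AdBridge` class and URL are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# WebView calls that enable script, expose a native bridge, or load over cleartext HTTP.
CHECKS = {
    "javascript_enabled": re.compile(r'setJavaScriptEnabled\(\s*true\s*\)'),
    "native_bridge": re.compile(r'addJavascriptInterface\(\s*[^,]+,\s*"(\w+)"'),
    "cleartext_url": re.compile(r'"(http://[^"\s]+)"'),
}
# Constructed sample input: a host app manifest and two decompiled source files.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_SOURCES = {
    "com/example/adsdk/AdView.java": """
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AdBridge(ctx), "adbridge");
        webView.loadUrl("http://ads.example.invalid/serve?id=1");""",
    "com/example/app/Main.java": "setContentView(R.layout.main);",
}

def scan_source(text):
    """Return {check name: [matched detail, ...]} for one decompiled source file."""
    found = {name: [m.group(m.lastindex or 0) for m in pattern.finditer(text)]
             for name, pattern in CHECKS.items()}
    return {name: details for name, details in found.items() if details}

def manifest_permissions(manifest_xml):
    """Permissions the host app requests; embedded SDK code runs with all of them."""
    root = ET.fromstring(manifest_xml)
    return sorted(p.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                  for p in root.iter("uses-permission"))

def audit(manifest_xml, sources):
    """Report each file that exposes a native bridge, with the permissions it inherits."""
    perms = manifest_permissions(manifest_xml)
    report = []
    for path, text in sorted(sources.items()):
        hits = scan_source(text)
        if "native_bridge" in hits:
            report.append({"file": path, "bridge_names": hits["native_bridge"],
                           "javascript": "javascript_enabled" in hits,
                           "cleartext": hits.get("cleartext_url", []), "inherits": perms})
    return report

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

A finding that combines a bridge name, enabled JavaScript and a cleartext URL is the case to review first, since anyone on the network path can then supply script to the bridge.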

 

 
