Vulnerabilities found in free mobile apps can expose users’ handsets to hacking, new research claims.
According to research conducted by security consultancy MWR InfoSecurity, code used by advertisers and third parties for tracking can be compromised by hackers to access address books, text messages and emails, and to take control of mobile devices.
The research found that ad networks inherit the permissions and capabilities of the free application that contains the network’s code. This means that the ad network can access users’ private data, such as photos or emails shared by the app. Researchers claim that if hackers succeed in breaching the ad network’s security defences, they will also gain access to that data.
“Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS,” said Robert Miller, senior security researcher at MWR.
“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data,” Miller said.
Miller warned that it is important for mobile users to understand that free apps are supported by ad networks that trade in data.
“While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.”
He said that while advertisers should take more responsibility for security, mobile users also need to be more vigilant about reading app permissions before downloading and installing apps.
“Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app,” Miller added.