Every day at Mojave Threat Labs, our research team analyzes thousands of mobile apps using more than 200 individual risk factors. One of the key risk factors that we track is private data or personally identifiable information (PII) that is collected and sent to remote web APIs. This may include the user’s name, phone number, email address, location, applications they have installed, phone call history, contact list, and much more. On average, corporate employees and mobile users have around 200 applications on their mobile devices, including all of the pre-installed apps like the address book and camera. Each application has an average of nine permissions that users agree to before using the app – things like permission to access your address book or your location in order to tell you about what’s nearby. With so many applications requesting access to private or sensitive information, it’s often difficult for users, let alone IT administrators, to fully understand who’s accessing their data, where it’s being sent, and how it will be used.
Why You Shouldn’t Blindly Trust Mobile Advertising Libraries
Some of the most significant risk factors affecting corporate employees and individual mobile users, such as data loss and PII collection, occur not by the application itself, but within mobile advertising libraries and other library components such as social media or analytic tools. These libraries are large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality. In this case the developer may use the libraries to collect ad revenues, track user statistics, or integrate with social media APIs. There are thousands of such libraries available to mobile app developers, each with varying reputations, and developers will often include their code with little or no review. Although many of these libraries refrain from collecting PII and have sensible privacy policies, not all libraries are so reputable, and for most users it’s impossible to know which ad library is included in a particular app.
Unfortunately, when you give permission to an app to access your private or sensitive data, you’re also giving access to each of the included libraries and their author(s), whether you know it or not. This is like entrusting your house keys to your teenage child for the weekend, only to have them immediately make copies for their friends, unbeknownst to you. This indirection and lack of transparency leads to a lack of accountability for the apps’ included subcomponents and precludes IT administrators from making adequately informed risk decisions.
To show the prevalence of such third party libraries, Mojave Threat Labs analyzed more than 11 million URLs that our customers’ installed apps have connected to. We then further broke the URLs into categories based on whether they connected to ad networks, social media, and analytics APIs. When we analyzed all of the apps downloaded by our customers, we found that:
- Business users connect to at least as many data gathering libraries as consumer users, and in some cases more, leaving enterprises at risk for sensitive data loss;
- Some of the top ad libraries such as AdMob, AirPush and Flurry leak private information such as which mobile apps you have downloaded onto your phone, precise geo-location data including your zip code, your device ID number, web browsing history and more;
- 65% of applications downloaded by business users connect to an ad network;
- 40% of applications downloaded by business users connect to a social network API;
- At least 78% of all applications downloaded by business users connect to either an ad network, social media API, or analytics API.
Not surprisingly, the top domains in both categories belong to the top ad libraries (AdMob, Airpush, Flurry, MillenialMedia) as well as social media (Facebook, Twitter, LinkedIn, Google+). Not far behind in the top 50 are data sharing APIs like DropBox.
For example of the types of data collected by these libraries, we examined one of the top URLs in our database, Airpush. The type of data exposed included:
- Android ID
- Advertiser ID
- Device make and model
- Mobile web browser type and version
- IP address
- Airpush-generated ID
- Application name
- A list of mobile applications installed on your device (opt out option)
- “other technical data about your device”
In accordance with your permission, Airpush may also collect:
- precise geo-location
- browser history (opt out option)
- zip code
- device IDs (including IMEI, device serial number and MAC address)
- encrypted values of your email address (opt out option)
The bottom line is that you may trust the author of a particular app, but you may not even know the authors of the components (libraries) which are gathering the most information about you. In almost all cases, a user is bound by the library’s data policies simply by downloading and installing an app which includes it, without ever getting a chance to review the policy details.
Enterprise Risk vs. Consumer Risk: Enterprises Beware
Although it wasn’t a surprise that most applications connect to an ad network, it is notable that the breakdown between apps installed by business users and apps installed by individual (consumer) users were nearly the same. Some other interesting findings include:
- Apps installed by business users were at least 10% more likely to connect to social media APIs.
- Apps installed by business users (vs. consumers) were just as likely to include libraries which exposed them to PII, personal or corporate data loss risk.
The table below compares the top URLs from applications on business user devices (right) and consumer devices (left). The table shows that there’s not a huge distinction between business users and consumer users when it comes to the top ad libraries, social medial libraries and other libraries which affect data privacy – enterprises aren’t as safe as they may think. It is critically important that users and IT Administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps. Gone are the days when we can simply say “I trust this app with these permissions and data”. With the number of third-party libraries coming along for the ride we must now ask “for whom is the data, where will it be sent, how will it be used, and how will it be handled.”