Hackers can access private data by exploiting vulnerabilities, mostly in free mobile apps, according to research by security consultancy MWR InfoSecurity.
Code used by advertisers and third parties for tracking can be abused to access address books and text messages, and to take control of mobile devices, the study found.
While users may trust the app developer, the app code inserted by advertisers may introduce vulnerabilities attackers can exploit to access their devices via the app, the security firm warned.
Researchers found that ad networks inherit all the permissions and capabilities of the application that contains the network’s code.
This means that, if the app can access private data such as photos or emails, data is also accessible by the ad network.
If hackers are successful in penetrating the ad network's security defences, they will also have access to the data, researchers said.
“Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS,” said Robert Miller, senior security researcher at MWR.
“However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes. Ad networks actually contain this functionality and it’s referred to as ‘cross application’ data. If attackers insert themselves into the picture by taking advantage of these vulnerabilities in coding, it is highly likely for them to steal user data," he said.
In a Channel 4 report, Miller demonstrated how to compromise Apple and Android devices by taking advantage of the code embedded within mobile advertisements.
He found that in doing so, advertisers could perform a list of unexpected actions, including:
- Collect personal and sensitive data (and expose it to eavesdroppers)
- Track device location via GPS
- Access photos and other files stored in accessible locations such as the SD Card on Android devices
- Read, write and delete files
- Send/read email and/or SMS messages
- Make phone calls
- Turn on and use the camera and microphone
- Update and install code and applications
- Execute arbitrary commands
More on mobile security
- Most mobile apps fail on privacy, warns ICO
- UK guidance on mobile app security low, research shows
- Recruitment firm secures mobile email with containers
- Mobile security: Is antimalware protection necessary?
- Six tips for avoiding mobile security problems with mobile apps
- Chinese mobile underground shows need for security, says report
Miller said there are key differences in mobile data collection achieved via advertising compared with more traditional website ads.
He warned mobile users to be vigilant when granting mobile app permissions.
“Much more precise location data can be captured from a mobile device via its GPS and some apps require the ability to legitimately access a device owner's contacts or directory information, as well as photos,” said Miller.
He said mobile users need to understand that free apps are supported by ad networks that trade in data.
“While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network.
“"What we demonstrated was that due to the vulnerable and privileged advertising code, the app itself was undermined," said Miller.
He said while advertisers need to take more responsibility for security, mobile users should be doubling their vigilance about letting apps access their sensitive mobile data.
“Users should read the permissions that an app requests before installing it,” said Miller.
"Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app,” he said.