We need to start defining acceptable mobile advertising
By John Hawes November 8, 2013
- The behaviour of mobile advertising frameworks risks crossing privacy and security lines
- App stores seem unwilling to take action against the unscrupulous, so others are proposing standards
ADVERTISING supports a large chunk of the apps we use on our mobile devices. A raft of simple advertising frameworks are available that allow even the most basic app developer to make a few pennies by dropping adverts into their apps.
But without oversight, the behaviour of these frameworks risks crossing all manner of privacy and security lines, so perhaps it's time to pin down just what is acceptable from mobile advertising, and what we would consider inappropriate.
While many people are okay with paying for some apps, particularly professional tools and high-grade games, for most simple apps we expect there to be at least one free alternative to the more feature-rich paid items.
Advertising makes this massive free ecosystem possible. We have to accept this, and most people are happy to allow a reasonable level of advertising in return for not paying (at least directly) for their apps.
The mobile app space has developed at an incredible rate though, with limited controls imposed on how things work and what is permitted – at the moment, beyond some limited rules from the platform providers who manage the main app sources, pretty much anything goes.
This has allowed advertisers free rein to design their advertising as best suits them. Whatever can be done will be done soon, if it hasn't already been tried, with the only real check being feedback from users, who may or may not fight back against the most egregious and intrusive techniques by not using bad apps, or giving them bad reviews on the app stores.
In many cases this is not a sufficiently strong deterrent against bad behaviour though. App store operators seem unwilling to take action against aggressive advertisers, at least until they've already hit millions of devices for their valuable data.
Blurred and fuzzy
For the most part it's quite clear what advertising is doing. When we see periodic splash screens, or advert bars showing up on certain sections of the screen when an app is running, it's pretty obvious that those ads relate to the app we're using at the time.
Advertising can be much less clearly sourced though, with some ad frameworks changing homescreens or other settings, placing icons in prominent places or making other changes which are not clearly linked to the app they are supposed to be supporting.
The information gathered by in-app advertising is also less than transparent, despite efforts by platform makers to enforce clear requests for data and setting access.
Some advertising may try to read contact lists, messaging and call history, even device-specific data such as IMEI numbers to ensure they can keep tracking us even if apps are removed. [IMEI is the International Mobile Equipment Identity, a unique number given to every single mobile phone – ED].
Requests to access this data can be easily confused with the requirements of the underlying app, so users may be tricked into granting sensitive data access to people they do not intend to.
Advertising frameworks may also include updating systems so their functionality can change over time, and these updates may run alongside or even separately from the updates to the apps they are supposed to be part of.
There are also potential issues with data handling, with little insight available into how advertisers store and share the information they harvest from our phones and tablets.
When security solutions try to categorise mobile apps, in some cases it's quite clear which are malicious and which are innocuous. In many cases though, the line is blurred and hazy.
Apps may be mostly harmless in and of themselves, but the advertising they carry may be considered intrusive or aggressive. In these cases, there can be problems for security firms, as they face the possibility of legal action from app developers whose apps they flag as dangerous.
So it seems like some sort of system is required to make it clear to app and advertising framework developers just what they should be doing, and what actions will mark them out as bad actors, giving security apps licence to alert on them.
Need for concerted action
We've been here before in the PC world of course, with the blossoming adware/spyware boom of the mid-2000s.
In that case, a collective of security experts, privacy advocates, platform developers and others got together as the Anti-Spyware Coalition, and defined a set of rules on what was considered acceptable.
Now it's relatively straightforward for security firms to select what can be flagged as malicious and what can be labelled no more than ‘potentially unwanted.’ The coalition has more or less retired, with its work done.
In the mobile space, a radically different categorisation system is required, but perhaps a similar approach is needed to define a new set of rules.
At a recent meeting of the Anti-Malware Testing Standards Organisation (AMTSO) in Montreal, a session was devoted to this topic, in conjunction with the IEEE Standards Association and other experts in the area.
There remains much to be done, but it seems like the work will be taken forward, either under the auspices of AMTSO, the IEEE (Institute of Electrical and Electronics Engineers) or possibly even a standalone single-purpose body, to address the issue and start pinning down a standard.
SophosLabs Android guru and Naked Security contributor Vanja Svajcer presented a proposed categorisation system for mobile advertising and potentially unwanted apps at the recent VB (Virus Bulletin) conference in Berlin, which could be a good starting place for building such a standard.
The project received wide support from across the security industry, as well as from the testers, academics and IEEE members present at the meeting, so there are strong grounds to expect good progress soon.
Once advertisers know what they can get away with, hopefully we'll all be able to choose our apps based on their intrinsic quality, without worrying what nasty extras might be thrown in by advertising frameworks.
John Hawes is technical consultant and Test Team director at Virus Bulletin, running independent anti-malware testing there since 2006. He wrote this for the Sophos Naked Security blog here, and it is being reprinted on DNA with its kind permission.
Privacy concerns may limit mobile app adoption in Malaysia: GSMA
Mobile advertising growing, needs new approaches: Google
SMS ads should be reviewed: Digital agencies
Striking the smartphone iron while it’s hot