There is a saying that there is no such thing as a free lunch, but how well does it hold for free mobile apps? Have you ever thought about it? Free mobile apps may not be as free as you think. Recent research by the Georgia Institute of Technology reveals that a lot of sensitive personal data can leak from ad networks to app developers through the personalized ads themselves.
In the US, where Android accounts for more than 53 percent of the mobile market, followed closely by Apple's iOS at approximately 43 percent, the study was done with 200 Android users who ran custom mobile apps built for the research. The findings are alarming: from nothing more than the ads served inside an app, a developer can identify a user's gender with almost 75 percent accuracy, and can infer age group, income, political affiliation and marital status with more accuracy than we would expect.
Georgia Tech researchers first measured how accurately the personalized ads that Google's ad network served to the test subjects matched their interests and demographic profiles, and then examined how much a mobile app creator could uncover about users from the personalized ads served to them. They found that 73 percent of ad impressions for 92 percent of users were correctly aligned with the users' demographic profiles. They also found that, from the ads shown alone, a mobile app developer could learn a user's:
- Gender with 75 percent accuracy,
- Parental status with 66 percent accuracy,
- Age group with 54 percent accuracy, and
- Income, political affiliation and marital status with accuracy better than random guessing.
How it Works
- Mobile app developers choose to accept in-app ads inside their apps.
- Ad networks pay a fee to app developers to show ads and monitor user activity, collecting installed-app lists, device models, geo-locations and so on. This aggregated information is made available to help advertisers choose where to place ads.
- Advertisers instruct an ad network to show their ads based on topic targeting (such as "Autos & Vehicles"), interest targeting (such as usage patterns and previous click-throughs), and demographic targeting (such as estimated age range).
- The ad network displays ads to matching mobile app users and receives payment from advertisers for successful views or click-throughs by the recipient of the ad.
- In-app ads are rendered, unencrypted, as part of the app's own graphical user interface, inside the app itself. Nothing isolates the ad content from the host app, so a mobile app developer can read the targeted ads delivered to its users and reverse engineer that data into a profile of each user: the targeting categories behind the ads are, in effect, the ad network's profile of the user, handed to the developer.
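The last step above, turning captured ad content into a user profile, as an added example. This is not the Georgia Tech researchers' code: the ad records, category names and labelled "panel" users are constructed for illustration, and the classifier is a plain multinomial naive Bayes over ad-category counts, chosen for clarity rather than as the method used in the paper.

```python
# Added illustration of the inference step: an app developer who can read the
# targeting categories behind the ads shown in their app trains a classifier on
# a small labelled panel and then profiles every other user from their ads alone.
# Not the researchers' code; all data below is constructed.
import math
from collections import Counter

# Constructed ad impressions as an app might capture them from its own ad slot.
# Each record carries the topic/interest category the ad network targeted on.
SAMPLE_IMPRESSIONS = [
    {"ad_id": "a1", "category": "Baby & Toddler"},
    {"ad_id": "a2", "category": "Parenting"},
    {"ad_id": "a3", "category": "Minivans"},
    {"ad_id": "a4", "category": "Parenting"},
    {"ad_id": "a5", "category": "Cooking"},
]

# Constructed labelled panel: ad categories each user saw, plus ground-truth
# attributes (the kind of thing a developer could collect from a short survey).
TRAINING_USERS = [
    (["Parenting", "Baby & Toddler", "Minivans", "Cooking"], {"gender": "F", "parent": "yes"}),
    (["Parenting", "Toys", "Family Travel", "Cooking"],      {"gender": "F", "parent": "yes"}),
    (["Parenting", "Toys", "Sports Cars", "Power Tools"],    {"gender": "M", "parent": "yes"}),
    (["Video Games", "Sports Cars", "Power Tools", "Beer"],  {"gender": "M", "parent": "no"}),
    (["Video Games", "Beer", "Sports Cars", "Gadgets"],      {"gender": "M", "parent": "no"}),
    (["Makeup", "Fashion", "Cooking", "Yoga"],               {"gender": "F", "parent": "no"}),
    (["Makeup", "Yoga", "Fashion", "Gadgets"],               {"gender": "F", "parent": "no"}),
    (["Power Tools", "Gadgets", "Beer", "Toys"],             {"gender": "M", "parent": "yes"}),
]


def categories(impressions):
    """Feature extraction: the bag of targeting categories behind the ads seen."""
    return [imp["category"] for imp in impressions]


def train(users, attribute):
    """Fit a multinomial naive Bayes model for one attribute (e.g. 'gender')."""
    class_counts = Counter()        # how many panel users carry each label
    cat_counts = {}                 # per label: Counter of ad categories seen
    vocab = set()                   # every category seen in the panel
    for cats, labels in users:
        label = labels[attribute]
        class_counts[label] += 1
        cat_counts.setdefault(label, Counter()).update(cats)
        vocab.update(cats)
    return {"classes": class_counts, "cats": cat_counts, "vocab": vocab, "n": len(users)}


def predict(model, cats):
    """Most probable label for a bag of categories; Laplace smoothing keeps a
    category the panel never saw from zeroing out a class."""
    best_label, best_score = None, -math.inf
    v = len(model["vocab"])
    for label, n_label in model["classes"].items():
        score = math.log(n_label / model["n"])          # log prior
        counts = model["cats"][label]
        total = sum(counts.values())
        for c in cats:                                   # log likelihood per ad
            score += math.log((counts[c] + 1) / (total + v))
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def profile(impressions, attributes=("gender", "parent")):
    """What the developer learns about one user from the ads served in-app."""
    cats = categories(impressions)
    return {a: predict(train(TRAINING_USERS, a), cats) for a in attributes}


def accuracy(users, attribute):
    """Leave-one-out accuracy: how often ad categories alone recover the attribute."""
    hits = 0
    for i, (cats, labels) in enumerate(users):
        held_out = users[:i] + users[i + 1:]
        if predict(train(held_out, attribute), cats) == labels[attribute]:
            hits += 1
    return hits / len(users)


if __name__ == "__main__":
    print("inferred profile:", profile(SAMPLE_IMPRESSIONS))
    for attr in ("gender", "parent"):
        print(f"leave-one-out accuracy for {attr}: {accuracy(TRAINING_USERS, attr):.2f}")
```

Even on this tiny constructed panel the pattern of the study shows through: gender, which the ad network targets on heavily, is recovered more reliably than parental status, whose categories overlap across classes. The developer never needs the user's name or account; the ad slot in their own app is the side channel.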
To understand the seriousness, put this research in context with the applications people use on their phones these days. If you run ad-supported apps alongside banking, dating, social media and similar apps, you should be worried about this revelation and about the security of your sensitive personal data: every developer whose ad-supported app you use can learn whatever the ad network has inferred about you from your activity elsewhere. Unlike advertising on a web page, where personalized ad content is protected from publishers and other third parties by the Same Origin Policy, there is no isolation of personalized ad content from the mobile app developer.
The results were presented at the 2016 Network and Distributed System Security Symposium (NDSS '16) in San Diego.