Mobile ads are a threat to security

Your smartphone is flooded with mobile ads delivered through different applications. The advertising algorithms are so sophisticated that they deliver the most appropriate ad to the most appropriate user at the most appropriate location and time. A series of ads can be associated with a specific individual as well as with predetermined GPS coordinates. When those ads are served to a smartphone app, whoever placed the ads knows where that individual has been.

“The first step to enable location tracking using ads is to obtain the target’s MAID [Mobile Advertising ID] by sniffing their network traffic (see below), which allows us to specify ads to only be served to the target device,” explain the study authors. “Then we create a series of ads, each targeted at that MAID, but each also targeted at a different GPS location. This creates a geographical grid-like pattern of ads. Then we can observe which of these ads gets served, and this indicates where the target actually was.” 

This diagram illustrates the concept: the blue dots are individual ads targeted at different locations, the purple path is the actual path of the target through space, and the red dots are ads that are served. 
Credit: University of Washington’s Paul G. Allen School of Computer Science & Engineering 

As the mobile ads business continues to boom — 87 percent of Facebook’s ad revenue, for example, now comes from mobile — it’s worth remembering that the advertisements being served to you are more than just an annoyance. They just might be a threat, as well. 

Advertisers deploy mobile ads in a number of ways to carry out fraud. Ad stacking is one such way: fraudsters stack multiple ads so that a user sees only the ad at the top. A user might find the top ad useful, but the ads underneath may carry malicious code that can breach the user's security and harm their data.

Ad Stacking
Credit: Trend Micro

A smartphone user’s personal data is compromised in the exchange between an app developer and the advertising network. Digital advertisers approach mobile app developers and offer them payment for showing in-app ads that reach their target audience. Using these ads, fraudulent advertisers then monitor user activity and collect app lists, geolocation, device models, etc.

Advertisers configure their mobile ad providers to show ads based on the target user’s interests (automobiles, phones, photography, etc.), usage patterns and previous click-throughs, and demographics (age, gender, locality, etc.).

Moreover, in-app ads are unencrypted, which further allows a mobile app developer to reverse engineer them and gain access to the user’s data through the same ad from which the advertiser is also benefiting.
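The MAID sniffing step described by the study authors and the unencrypted in-app ads noted above both depend on identifiers travelling in cleartext. The following is an added example, not code from the article or the studies it cites: a Python audit that scans proxy-log lines from your own device for cleartext requests carrying an advertising-ID-like value. The log format, host names, parameter names and the sample ID are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ZERO_ID = "00000000-0000-0000-0000-000000000000"  # all-zero ID sent once ad tracking is limited
# Assumed parameter names; real ad SDKs vary, so any UUID-shaped value is flagged too.
ID_PARAMS = {"ifa", "idfa", "gaid", "adid", "advertising_id"}
GEO_PARAMS = {"lat", "lon", "lng", "latitude", "longitude"}

# Constructed sample input: "<METHOD> <URL>" lines, as a local intercepting proxy might log.
SAMPLE_LOG = """\
GET http://ads.example.net/serve?slot=banner&ifa=3f2a9c1e-7b44-4d0a-9e61-5c8d2f0a1b77&lat=47.65&lon=-122.30
GET https://ads.example.org/serve?slot=banner&gaid=3f2a9c1e-7b44-4d0a-9e61-5c8d2f0a1b77
GET http://cdn.example.com/img/logo.png?v=12
GET http://track.example.net/e?uid=3F2A9C1E-7B44-4D0A-9E61-5C8D2F0A1B77&ev=imp
GET http://ads.example.net/serve?ifa=00000000-0000-0000-0000-000000000000
"""


def audit(log_text, device_maid=None):
    """Return findings for cleartext requests that expose an advertising-ID-like value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.scheme.lower() != "http":
            continue  # with TLS, a passive on-path observer cannot read the query string
        params = parse_qsl(url.query, keep_blank_values=True)
        has_geo = any(k.lower() in GEO_PARAMS for k, _ in params)
        for key, value in params:
            v = value.lower()
            if not UUID_RE.match(v) or v == ZERO_ID:
                continue  # not an ID, or the non-identifying zeroed ID
            if device_maid and v == device_maid.lower():
                reason = "device-maid"   # exact match with the ID of the device under test
            elif key.lower() in ID_PARAMS:
                reason = "known-param"
            else:
                reason = "uuid-shaped"   # unknown parameter name, but looks like an ad ID
            findings.append({"line": lineno, "host": url.hostname, "param": key,
                             "reason": reason, "with_location": has_geo})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

Passing the device's own advertising ID as `device_maid` turns the shape-based guess into an exact match, and `with_location` marks the requests that pair the ID with coordinates.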

A study by researchers at the Georgia Institute of Technology found that, based on the ads shown, a mobile app developer could learn a user’s gender with 75 per cent accuracy, parental status with 66 per cent accuracy, and age group with 54 per cent accuracy, and could also predict income, political affiliation and marital status with higher accuracy than random guesses.

Some personal information is deemed so sensitive that Google explicitly states those factors are not used for personalization, yet the study found that app developers still can discover this information due to leakage between ad networks and app developers. 

“Free smart phone apps are not really free. Apps – especially malicious apps – can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user,” said Wei Meng from Georgia Institute of Technology. 
