Initially, ads that popped up while using an app were little more than an annoyance, but now, they have become a possible danger as they can leak your personal data.
The personal information of millions of smartphone users is at risk due to in-app advertising that can leak potentially sensitive user information between ad networks and mobile app developers, according to a new study by the School of Computer Science at the Georgia Institute of Technology.
The study examined more than 200 participants who used a custom-built app for Android-based smartphones, which account for 52 per cent of the US smartphone market according to comScore's April 2015 report. Georgia Tech researchers reviewed the accuracy of personalised ads that were served to test subjects from the Google AdNetwork based upon their personal interests and demographic profiles; and secondly examined how much a mobile app creator could discover about users because of the personalised ads served to them.
Researchers found that 73 per cent of ad impressions for 92 per cent of users are correctly aligned with their demographic profiles. Researchers also found that, based on ads shown, a mobile app developer could learn a user's gender with 75 per cent accuracy; parental status with 66 per cent accuracy; age group with 54 per cent accuracy and could also predict income, political affiliation, marital status, with higher accuracy than random guesses.
Some personal information is deemed so sensitive that Google explicitly states those factors are not used for personalisation, yet the study found that app developers still can discover this information due to leaks between ad networks and app developers.
According to lead researcher Wei Meng, free smart phone apps are not really free. Apps, especially malicious apps, can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user. Mobile, personalised in-app ads absolutely present a new privacy threat.
Unlike advertising on a website page, where personalised ad content is protected from publishers and other third parties by the Same Origin Policy, there is no isolation of personalised ad content from the mobile app developer.
People use their smartphones now for online dating, banking, and social media every day, said Lee, adding that mobile devices are intimate to users, so safeguarding personal information from malicious parties is more important than ever.
The study acknowledges that the online advertising industry is taking steps to protect users' information by improving the HTTPS protocol, but researchers believe the threat to user privacy is greater than what HTTPS protection can provide under a mobile scenario.
Results have been presented at the 2016 Network and Distributed System Security Symposium (NDSS '16) in San Diego.