Mobile users at risk from lack of HTTPS use by mobile ad libraries, security researchers say

Recent vulnerabilities found in many advertising SDKs for Android apps could be mitigated by using HTTPS, researchers said

By Lucian Constantin, IDG News Service |  Security

Over the past several months security researchers have found serious vulnerabilities in many mobile advertising libraries that could be exploited to abuse the permissions of Android apps or to execute unauthorized code on users' devices. The risks resulting from those vulnerabilities would be significantly lower if those libraries would use HTTPS, security researchers said.

Researchers from security firm FireEye recently reported that many ad libraries expose sensitive functionality to JavaScript code over insecure connections, making apps using them vulnerable to man-in-the-middle attacks. An attacker who could intercept traffic from such libraries -- for example on public wireless networks, through DNS hijacking or by hacking into an Internet gateway -- could inject malicious JavaScript code into the connection to perform unauthorized actions using the host app's permissions, they said.

If, for example, an app using a vulnerable ad library has permission to access the Android device's camera, then a remote attacker could exploit this issue to take photos or record video over the Internet without the user's consent, the FireEye researchers said.

The vulnerability stems from an Android API (application programming interface) feature called addJavascriptInterface that allows JavaScript code running in a WebView to access the app's native functionality. A WebView is a browser window that apps can use to display Web content.

Advertising libraries, also known as advertising SDKs (Software Development Kits), consist of third-party code that many developers include in their apps in order to earn revenue from advertising displayed in the app. These libraries commonly use the WebView feature to display ads loaded from a remote server and many of them also use the addJavascriptInterface for more advanced features. Android device users who want to keep tabs on what mobile ad networks are running in their apps can download products like Lookout's Ad Network Detector.

The security risks appear when the addJavascriptInterface method is used and remote content is loaded in a WebView over an unencrypted HTTP connection, because plain HTTP traffic is susceptible to tampering by anyone in a position to intercept it.

"Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play," the FireEye researchers said.

Join us:






Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.


    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question