{"id":20117,"date":"2018-04-17T17:15:04","date_gmt":"2018-04-17T21:15:04","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=20117"},"modified":"2019-11-15T22:35:21","modified_gmt":"2019-11-15T11:35:21","slug":"leaking-ads","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/leaking-ads\/20117\/","title":{"rendered":"Leaking ads"},"content":{"rendered":"<p>We have <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/android-app-security\/18505\/\" rel=\"noopener noreferrer nofollow\">repeatedly warned<\/a> our readers about the <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/browser-extensions-security\/20886\/\" rel=\"noopener noreferrer nofollow\">dangers<\/a> posed by programs of unknown origin. But most people seem to have no qualms about trusting apps from reliable developers and reliable sources: Positive ratings, millions of downloads, and distribution through official stores like Google Play are seen as a badge of security. However, there are no guarantees.<\/p>\n<p>This article is not about Trojans, but about bona fide apps that can nevertheless leak your data online. Our experts <a target=\"_blank\" href=\"https:\/\/securelist.com\/leaking-ads\/85239\/\" rel=\"noopener noreferrer\">studied a total of 13 million APKs<\/a> (Android application packages) and found that roughly a quarter of them transmit unencrypted data over the Internet. Some of these apps boasted hundreds of millions of downloads, sometimes more than half a billion! This isn\u2019t a small problem.<\/p>\n<p>Information sometimes leaks online because of a developer mistake, but that\u2019s not how it happens in most cases. If called upon to send user data to a server, most apps use the secure HTTPS protocol, which prevents outsiders from intercepting the data. The problem lies in the third-party services that developers plug in without background checks. 
For example, some analytics or advertising services transmit information over the Internet using the standard HTTP protocol, which is not secure.<\/p>\n<h2>What information might be affected?<\/h2>\n<p>Most of the data leakage we detected had to do with the device model, its technical specification, network or ISP-related data, and the APK name (by which the system recognizes the package); many services also leaked the smartphone or tablet coordinates.<\/p>\n<p>In some cases, information about app usage was transmitted over HTTP by an embedded third-party service. This information included likes, posts, pages visited, and so forth, as well as details about the owner of the gadget \u2014 name, phone number, date of birth. Unique keys created for each authorization request were also often found to be transferred insecurely. Fortunately, most services do not transmit logins and passwords in unencrypted form, although some did.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>One in four mobile apps transmits a portion of your personal data over an unprotected channel<\/p><\/blockquote>\n<h3>What\u2019s dangerous about that?<\/h3>\n<p>Information transmitted over HTTP is sent as plain text, allowing almost anyone to read it \u2014 including your ISP, for example. What\u2019s more, the path from the app to the third-party server is likely to have several \u201ctransit points\u201d in the form of devices that receive and store information for a certain period of time.<\/p>\n<p>Any network equipment, including your home router, may be vulnerable. 
If hacked, it will give the attackers access to your information. (The ISP, meanwhile, can view it without having to hack anything.) And obtaining some information about the gadget (specifically IMEI and IMSI numbers) is enough to monitor your further actions. The more complete the information, the more of an open book you are to outsiders \u2014 from advertisers to fake friends offering malicious files for download.<\/p>\n<p>However, leaks of device and user data are only part of the problem; unencrypted information can also be substituted. For example, in response to an HTTP request from an app, the server might return a video ad, which cybercriminals can intercept and replace with a less innocuous version. Or they might simply change the link inside an ad \u2014 and instead of a cute game or deal aggregator, the user risks downloading something far more nefarious.<\/p>\n<h2>What can you do?<\/h2>\n<p>These issues should really be tackled by app developers. But they can\u2019t be completely trusted to handle the task, so we\u2019ve got a few simple tips to keep you and your data better protected.<\/p>\n<ul>\n<li>Check the permissions an app requests \u2014 it may take time, but it\u2019s never a waste of time, even if the app has millions of downloads to its name. If, say, a messaging app wants to know your location, don\u2019t be bullied into revealing it. See <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/android-permissions-guide\/14014\/\" rel=\"noopener noreferrer nofollow\">here<\/a> for more details about Android permissions.<\/li>\n<li>Buy paid versions of apps, money permitting. They don\u2019t show ads, which means less risk of data leakage. However, they can still make use of third-party analytical modules, which often behave no better.<\/li>\n<li>Use a VPN \u2014 this secure connection will protect your data even if the developers can\u2019t. 
For example, <a href=\"https:\/\/www.kaspersky.com.au\/vpn-secure-connection?icid=au_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____vpn___\" target=\"_blank\" rel=\"noopener\">Kaspersky VPN Secure Connection<\/a> is just the ticket.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Even very popular apps display ads using third-party code, which can transmit personal data unencrypted.<\/p>\n","protected":false},"author":2484,"featured_media":20118,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2646],"tags":[2859,2860,1510,352,961,181,43,97,422],"class_list":{"0":"post-20117","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-klrsac18","9":"tag-rsac2018","10":"tag-advertising","11":"tag-kaspersky-lab","12":"tag-leaks","13":"tag-mobile-apps","14":"tag-privacy","15":"tag-security-2","16":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/leaking-ads\/20117\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/leaking-ads\/13137\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/leaking-ads\/10958\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/leaking-ads\/15232\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/leaking-ads\/13506\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/leaking-ads\/15885\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/leaking-ads\/15437\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/leaking-ads\/20199\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/leaking-ads\/4848\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/leaking-ads\/22074\/"},{"hreflang":"pt-br","url":"https:\/\/
www.kaspersky.com.br\/blog\/leaking-ads\/10272\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/leaking-ads\/9161\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/leaking-ads\/16459\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/leaking-ads\/20173\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/leaking-ads\/20115\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/rsac2018\/","name":"#RSAC2018"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=20117"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20117\/revisions"}],"predecessor-version":[{"id":24089,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/20117\/revisions\/24089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/20118"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=20117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=20117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=20117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}