A new study from the School of Computer Science at the Georgia Institute of Technology, has found that personal information of millions of smartphone users is at risk because of in-app ads which are leaking sensitive user information between ad networks and app developers.
Based on the results of 200 participants using a custom-built Android app, Georgia Tech researchers took a closer look at personalised ads served from Google’s AdNetwork to find out just how much information app developers can uncover from users through these targeted ads.
The group found that 73% of ad impressions for 92% of users were correct for matching demographics. Mobile app makers were also able to detect gender with 75% accuracy. Parental status came in correctly for 66%, whilst age group was correct half of the time (54%). Other personal information detectable were income, political affiliation and marital status.
Despite Google deeming some information too personal to be used for targeting ads, developers were able to obtain that information through leakage between ad network and themselves.
Wei Meng, a lead researcher and a graduate student studying computer science at Georgia Tech, explains:
“Free smart phone apps are not really free. Apps – especially malicious apps – can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user. Mobile, personalized in-app ads absolutely present a new privacy threat.”
The way it works is simple. App developers opt for in-app ads. Ad networks then pay a fee to the developer in order to show their ads and track user activity. This ensures that marketers are targeting the right audience. Targets can be defined by topic, personal interest as well as demographics. The ad network then displays the appropriate ad inside the app and receives payment from the advertiser for views. In-app ads are unencrypted which enables app developers to access targeted ad content delivered to their own app’s user base. The information obtained helps them to profile their app consumers.
Ad networks deliver personalized ads inside mobile apps, which can leak sensitive profile information about the user to the mobile app developer
In comparison to web advertising, personalised ad content isn’t protected from mobile publishers through something similar to the Same Origin Policy. This puts households at risks who rely solely on their mobile internet connection instead of a broadband network.
Wenke Lee, Professor of Computer Science and Co-Director of the Institute for Information Security & Privacy, Georgia Tech, adds:
“People use their smartphones now for online dating, banking, and social media every day. Mobile devices are intimate to users, so safeguarding personal information from malicious parties is more important than ever.”
Whilst mobile advertising providers are ramping up their privacy efforts using HTTPS protocols, the study finds that these may not offer enough protection in the mobile landscape. Google AdNetworks has been contacted with the study’s findings.