Mobile ad networks are ripe for exploitation by hackers, leaving mobile users open to attack and risking data theft or worse.
Dave Hartley, principal security consultant at MWR Infosecurity, demonstrated a series of attacks against advertising services operating in common mobile apps, on multiple phone platforms. Hartley was speaking at ZaCon, an annual security conference in Johannesburg.
Many mobile apps are offered free of charge, with revenue coming from in-app advertising. This is a popular model, which the phone manufacturers actively encourage, providing tools and services to deliver and manage ad delivery and monitoring. Unfortunately, Hartley said, the implementations of these ad services is focused on media serving and data mining, not on security.
"These companies are evil," Hartley said bluntly. "They exist to gather data about you and sell it. Security is the last thing on their minds."
And there are hundreds of mobile ad networks, affiliates, monitoring services, mobile currency and rewards programmes, and many more, existing in a complex ecosystem trading user data to better position advertising for maximum effect.
Instant vulnerabilities, just add code
For developers, integrating mobile advertising is quick and easy - the networks have put a great deal of effort into easing the placement of advertising. The app coder drops in a couple of lines of code and includes the pre-build third-party library of ad code, and places the ad display area in his app. From there, the ad code takes over.
A handful of key implementation issues open security flaws, Hartley noted. Firstly, the ad code, being embedded inside the host app, inherits all the app's permissions. This means that although its function should be restricted to retrieving and displaying ads, the code can access any part of the phone open to the app, such as messaging services, address books, calendar data, and so on. Even before an external attacker is involved, there is a great deal of personal data laid bare to ad networks, which, he pointed out, exist to gather as much data about users as possible.
Secondly, the ads are displayed in Web views within apps, and all their data is transferred using standard Web protocols. This, Hartley demonstrated, is easily exploited by an attacker via a man-in-the-middle attack, since few ad networks bother to encrypt their data.
Lastly, and crucially, the apps include the ability to retrieve additional code later. As the ad providers develop new functionality, they don't wait for the apps to be updated, instead providing the capability to download and execute new functions on the fly. Coupled with the ability to inject malicious code into an ad stream via a man-in-the-middle attack, an attacker can leverage the ad code to exploit the ad code and run malware on any device.
Sandboxes vary
With malicious code running on a device, an attacker can immediately exploit the user's data to the limits allowed by the app's permissions. In addition to stealing data, an attacker could also prime a spear-phishing attack by injecting meetings, contacts or e-mails to build credibility for a later attack, Hartley said.
But it gets worse. Mobile devices are vulnerable to privilege escalation, and the attacker could attempt to escape the application sandbox, using a known exploit against the device, taking full control of its hardware and data. Here, device security varies, Hartley noted.
On Android and on jail-broken iPhones, he has achieved full system exploitation. On stock iPhones and Windows, he has had limited success, and on BlackBerry (which uses a stronger sandbox and places tight restrictions on ad networks as well) the sandbox has so far proven impenetrable. With more time to research mobile OS vulnerabilities, and a wider knowledge of this form of attack, Hartley cautioned that additional attacks are likely to follow.
Compounding the risk is another factor: ad code is often pre-built against old versions of the development toolkits, Hartley said, so if new versions are released with security updates, and app developers push out updates, the ad code may still be vulnerable.
Barring a radical change in the way mobile ads are delivered (possibly to a constrained model like BlackBerry devices), there is no obvious fix to the problem, Hartley said. Users cannot mandate that apps, much less ads, use HTTPS to secure their data. And Android users are especially vulnerable since they cannot turn off individual permissions per app. For now, Hartley recommended simply avoiding ad-supported apps entirely. "Pay for your apps," he said, or you'll be paying with your data anyway.
Share