Over the past several months security researchers have found serious vulnerabilities in many mobile advertising libraries that could be exploited to abuse the permissions of Android apps or to execute unauthorized code on users’ devices. The risks resulting from those vulnerabilities would be significantly lower if those libraries would use HTTPS, security researchers said.
If, for example, an app using a vulnerable ad library has permission to access the Android device’s camera, then a remote attacker could exploit this issue to take photos or record video over the Internet without the user’s consent, the FireEye researchers said.
“Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play,” the FireEye researchers said.
The FireEye researchers claim that InMobi requested user consent for actions through these methods, except for the makeCall one. “If an app has the Android permission CALL_PHONE, and is using InMobi versions 3.6.2 to 4.0.2, an attacker over the network (for example, using Wi-Fi or DNS hijacking) could abuse the makeCall annotation in the app to make phone calls on the device without a user’s consent—including to premium numbers,” the FireEye researchers said.
InMobi added a consent requirement for makeCall actions in version 4.0.4 after FireEye notified the company of the issue, the researchers said. However, there are still many apps on Google Play that use older and vulnerable versions of this ad library, they said.
“We have identified more than 3,000 apps on Google Play that contain versions 2.5.0 to 4.0.2 of InMobi—and which have over 100,000 downloads each as of December, 2013,” the researchers said. “Currently, the total download count for these affected apps is greater than 3.7 billion.”
A fake lottery-related message, a free coupon or some other kind of offer injected into the WebView could be used to mislead users into clicking the consent button, Tao Wei, senior staff research scientist at FireEye, said via email. HTTPS with correct certificate verification would provide better protection than HTTP, he said.
“The insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks,” the FireEye researchers said. “When third-party libraries use JS Binding, we recommend using HTTPS for loading content.”
InMobi doesn’t agree with FireEye’s conclusions.
“Unfortunately, FireEye has taken industry-level concerns and applied those specifically to InMobi, making some incorrect assumptions along the way regarding our products,” said Chris Davies, InMobi’s head of privacy and its general counsel for the EMEA region, via email. “They’re making vast generalizations regarding potential industry vulnerabilities and applying those to InMobi without understanding our products and our commitment to privacy and security. We have tried to work with FireEye to discuss their claims but our attempts of opening a meaningful dialogue have been unsuccessful to date.”
“It should be understood that the required situation for a potential breach includes multiple sets of conditions that are extremely unlikely to occur at the same time and that the real potential risk is minimal, at best,” Davies said.
He agreed that using HTTPS would mitigate a potential attack, but said there are other technological methods of achieving the same result.
“While HTTPS is a standard technology for the Internet, even in the desktop world there are cases where you’d want to apply HTTPS versus cases where you wouldn’t,” he said. “HTTPS is a very CPU- and network-intensive protocol. There are many other ‘lighter’ technologies available which can provide the same benefits.”
InMobi couldn’t find any ad network in the mobile space that conducts all transactions over HTTPS, Davies said. “In the ad tech industry we are all aware of the benefits of HTTPS but still have chosen not to use it, there must be some reason for it.”
InMobi already encrypts device identifiers so that if anyone sniffs ad requests, the data they would obtain couldn’t be associated with specific device IDs, he said. “Inmobi plans to encrypt all the user information using a secret key in our SDK before requesting for an ad. This will be included in our next release of the SDK.”
The company makes significant efforts to encourage developers to use the latest version of the SDK, Davies said. “We conduct comprehensive marketing and communications campaigns when we launch products or new, improved versions of a product and this includes direct emails to developers and publishers in our database, as well as general public awareness tactics like press releases, articles, interviews, blog posts, videos, etc.”
If it believes there is a significant security risk, the company will advise app developers to upgrade immediately to a new version of the SDK, he said.
Some security experts don’t think the performance impact of implementing HTTPS should outweigh its security benefits.
“Plenty of applications such as email clients and social networking clients have already fully migrated to SSL without side effects,” said Bogdan Botezatu, a senior e-threat analyst at security firm Bitdefender. “We are talking about personal information being sent unencrypted over the network, and this is something app developers should take seriously.”
Last month researchers from Bitdefender found a vulnerability in an ad library called HomeBase SDK that would have posed less of a risk if the library had used HTTPS. They found that HomeBase was updating itself over HTTP, allowing man-in-the-middle attackers to potentially inject a rogue update package into the traffic that would then get executed on the device with the host application’s permissions.
Widdit, the Israel-based company that develops HomeBase SDK, said at the time that it plans to secure the traffic with SSL by the end of January.
“By design, mobile devices spend most of the time connected to wireless networks that the user has no control over, such as those in coffee shops, airports and so on,” Botezatu said. “More than that, anybody can set up a rogue access point with no security set in place, lure the nearby users into connecting to it and then intercept or manipulate traffic. Man-in-the-middle attacks on Wi-Fi networks are definitely a possibility that should be taken into account.”
MWR researchers built a proof-of-concept box that can be placed on any wireless network to intercept and exploit traffic from phones connected to that network, Miller said.
HTTPS would mitigate the man-in-the-middle attack vector, but not others like rogue ads potentially making their way into the ad network and exploiting this issue. However, adding HTTPS would massively increase the levels of security that ad library vendors offer to their customers, Miller said.