Stop Before You Shop – Are Your Shopping Apps Sharing Access to Your Device?

In a recent consumer survey, 88% of respondents reported having at least one shopping app installed on their mobile device [1]. Given their popularity, you might think these apps are pretty harmless. In our previous research, we already looked into the Google Play Store data safety section and how to determine the amount of data apps really “share”.

Key findings:

  • Two-thirds (65.2%) of analyzed shopping apps use ad libraries.
  • The shopping apps that use ad libraries use an average of 1.8 of them, meaning you’d be granting permissions to three companies on average, instead of one.
  • 4 out of 5 (83%) analyzed shopping apps request permissions. Some of the most alarming ones are:
    • 22.3% request permission to record audio
    • 48.3% request permission to access precise (GPS) location
    • 15.8% request permission to read your contacts
    • 6.1% request permission to read calendar events plus confidential information AND add or modify calendar events and send emails to guests without owners’ knowledge
    • 1.6% request permission to read your text messages (SMS or MMS)
    • 8.0% request permission to directly call phone numbers

What are ad libraries, anyway?

In short, ad libraries are advertisement SDKs (Software Development Kits) that developers can incorporate into their apps to serve ads. This is a common way for developers to monetize their applications, even if they are free for the user.

[Figure omitted. Image source: https://www.mdpi.com/2076-3417/8/10/1852]

These ad libraries are provided by ad networks. The most popular ad network, by far, is Google’s own AdMob, with 61.9% of shopping apps that use ad libraries opting for this network. This is followed by AppsFlyer (36.9%) and Adjust (17.3%).

Why ad libraries mean bad business

Apps running ads might not come as a surprise to anyone. This is nothing new or uncommon, after all. In fact, two-thirds (65.2%) of analyzed shopping apps use ad libraries. But what are the privacy and security implications of this for consumers?

Apps share permissions with ad libraries

According to a study on ad libraries [2], the main issue with apps using ad libraries is that they share permissions with them, giving them access to the same information and functionality as the host app. For example, if you give your shopping app permission to create accounts and set passwords or to read your text messages (both permissions some shopping apps request), you’d be letting any ad libraries these apps use do the same.

The same study found that Android systems don’t distinguish between host app and ad library permission use and won’t prevent the ad library from using all permissions given to the app.

In some cases, external libraries can even add permissions to apps without the developer’s or your knowledge [3].
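To see what this sharing looks like for one app, the added example below (not part of the original research) audits a decoded `AndroidManifest.xml`: it lists which of the alarming permissions from the key findings the app requests and which of the three ad networks named above have components in the same app and therefore run with those permissions. The permission-name mapping, the SDK package prefixes and the sample manifest are assumptions of this example; the manifest is assumed to have been decoded to text XML from the shipped APK, which is the merged manifest and so also contains permissions contributed by libraries.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission names for the page's "most alarming" list (mapping assumed here).
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALENDAR": "read calendar events",
    "android.permission.WRITE_CALENDAR": "add or modify calendar events",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.CALL_PHONE": "directly call phone numbers",
}
# Component package prefixes for the three networks named on the page (assumed).
AD_SDK_PREFIXES = {
    "com.google.android.gms.ads.": "AdMob",
    "com.appsflyer.": "AppsFlyer",
    "com.adjust.sdk.": "Adjust",
}
# Constructed sample: decoded manifest of a fictional shopping app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name="com.example.shop.MainActivity"/>
    <activity android:name="com.google.android.gms.ads.AdActivity"/>
    <receiver android:name="com.adjust.sdk.AdjustReferrerReceiver"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (sensitive permissions requested, ad SDKs bundled in the same app)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Any element naming a class or key under an SDK's package reveals that SDK.
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter()]
    sdks = {sdk for n in names for pfx, sdk in AD_SDK_PREFIXES.items() if n.startswith(pfx)}
    return sorted(p for p in requested if p in SENSITIVE), sorted(sdks)

if __name__ == "__main__":
    perms, sdks = audit_manifest(SAMPLE_MANIFEST)
    for p in perms:
        print(f"{SENSITIVE[p]:32} shared with: {', '.join(sdks) or 'no known ad SDK'}")
```

An SDK that declares no manifest components will not be found this way, so an empty SDK list means "none detected", not "none present".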

Ad libraries can be malicious, even if the app is not

While an app may be harmless on its own, the ad libraries it includes could contain harmful or invasive code. There have been instances of this happening in the past.

In June 2016, an anti-malware company called Doctor Web revealed that 155 Google Play apps, with an estimated 2.8M+ collective downloads, had a Trojan called Android.Spy.305 embedded in their code. It was uncovered that the Trojan originated from an ad library the apps had used [4].

Another instance was reported by Trend Micro in 2017. They discovered that more than 800 Google Play apps had a Trojan called Xavier that could steal user data and download other malicious code onto infected devices. Again, this Trojan originated from an ad library [5].

While the potential damage a malicious ad library can cause is clear, avoiding them is trickier. There’s no simple way to determine which networks serve ads on your apps. This makes it difficult to choose which shopping apps are safe to download.

So how can you minimize the risk these ad libraries pose?

The permission types we grant shopping apps

Everyone knows apps require permissions. But to understand what kind of impact these can have on your privacy and security, let’s break down what these permissions are exactly, what they mean, and how many shopping apps request them. While some of these permission types are already clearly alarming at a glance, like your location, messages, and personal information, others might not sound so bad.

Storage permissions, for example, involve storing the app’s files on your device, which makes sense. However, it also allows the shopping app (and its ad libraries) to take pictures and videos. 55.5% of the shopping apps we analyzed requested this specific permission.

While your accounts permissions allow the app to create accounts and set passwords within the app, this permission type can also find accounts on the device (16.7%), add or remove accounts from your device (4.4%), and use accounts on your device (9.4%).

But when you look at the specific permissions each type may include, they start to look more alarming.

Scary-sounding permissions

Starting with some scary-sounding ones, your personal information includes permissions that allow 15.8% of the apps we analyzed and, by extension, their ad libraries to read your contacts.

6.1% request permission to read calendar events plus confidential information. So not only can they find out what you’re doing and when, but also with whom. Even scarier, still, 6.1% of the shopping apps request permission to add or modify calendar events and send email to guests without owners’ knowledge.

One specific permission under the messages type allows apps to actually read your text messages (both SMS and MMS). 1.6% of the shopping apps we analyzed request this.

Similarly, giving apps permission to use services that cost you money could mean allowing them to directly call phone numbers from your device. As many as 8% of the apps we analyzed request this permission (100% of the apps that request this permission type).

Storage permissions, on the other hand, may sound less alarming. They involve storing the app’s files on your device, which makes sense. However, this permission type may also allow apps to take pictures and videos. 55.5% of the shopping apps we analyzed requested this specific permission.

This type also includes permission to modify or delete the contents of your USB storage. A whopping 58.4% of the shopping apps we looked at request this.

Combine this with the 22.3% of apps that request permission to record audio (hardware controls) and 48.3% that request precise location (location), and you’ve got a full surveillance kit on your device.

This information may have left you wondering why shopping apps need permissions like record my audio or read my text messages. We don’t have the answer to that, unfortunately. But our research will help you judge for yourself which apps you feel comfortable downloading.

Popular does not mean safe

If you assumed that well-known and popular apps are safer, you’d be mistaken. It turns out, the opposite is true.

For example, while the top-ranking shopping apps in the U.S. use an average of 1.8 ad libraries, the same as the overall average, they request more permission types (7.5 vs 6.9 overall average). They also request an average of 24.9 permissions (22.3% more than the overall average of 20.4).

Even though our researchers found, in a previous study, that paid apps are more private and secure than free apps, free apps are downloaded 400 times more often [6]. They are also 2x more likely to use ad libraries [7]. However, this doesn’t mean that paid apps don’t use ad libraries. Some apps offer both paid and free versions. It’s important to remember that regardless of which account type you create, these types of apps may still include the ad libraries [8].

Our researchers split the 640 shopping apps we analyzed into four categories, based on popularity. Comparing them by the number of ad libraries used, permission types requested, and permissions requested, here is what we found:

Popular apps use more ad libraries

Two-thirds (65.7%) of shopping apps that use ad libraries use only one. One-third (34.3%) use two or more. How does this correlate with popularity, though?

Four out of five of the most popular apps use ad libraries compared to only half (53.2%) of the least popular apps. However, it’s not the most popular apps, but those with between 1M and 10M downloads that use the most ad libraries, with an average of 1.9.

This is followed by the most popular apps with an average of 1.8 ad libraries and the least popular apps, in last place, with 1.6.
