Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Ads May Serve As a Malware Conduit

Posted by timothy on from the send-you-this-advert-to-have-your-advice dept.

alphadogg writes with this excerpt from Network World: "Many mobile apps include ads that can threaten users' privacy and network security, according to North Carolina State University researchers. The National Science Foundation-funded researchers studied 100,000 apps in Google Play (formerly Android Market) and found that more than half contained ad libraries, nearly 300 of which were enabled to grab code from remote servers that could give malware and hackers a way into your smartphone or tablet. 'Running code downloaded from the Internet is problematic because the code could be anything,' says Xuxian Jiang, an assistant professor of computer science at NC State."

79 comments

  1. Solution by Anonymous Coward · · Score: 0

    Don't like it? Don't use it.

    1. Re:Solution by vlm · · Score: 4, Informative

      Don't like it? Don't use it.

      So far so good with this app called "adfree". Which was free. Any /. opinions on which blockers work better? Do I already have the best?
      All its doing (so far as I know) is the 1990s desktop era technique of putting certain hostnames in the /etc/hosts file, so at the ip addrs level its blocking entire hostnames.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Solution by Anonymous Coward · · Score: 1

      Or spend the $1 on the non-free version.

      The publishers of these apps aren't trying to hit you with malware, they're just trying to make a few pennies and give you something you want.

    3. Re:Solution by forkfail · · Score: 1

      You're so clever you must cut yourself on a regular basis.

      --
      Check your premises.
  2. Sponsored by Symantec and McAfee by iserlohn · · Score: 2

    Please buy our products!

    --
    :. Ultimate Control Dedicated/VM Servers
    1. Re:Sponsored by Symantec and McAfee by cpu6502 · · Score: 1

      0.3% odds of downloading one of these apps. I am not worried. Especially since I rarely download apps (I prefer mpg, mp3, and txt files via torrent).

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    2. Re:Sponsored by Symantec and McAfee by tripleevenfall · · Score: 1

      Is there any evidence these products are needed for iOS, or that "free" iOS apps containing these kinds of vulnerabilities slip through the approval process?

    3. Re:Sponsored by Symantec and McAfee by Anonymous Coward · · Score: 0

      Yes. Charlie Miller's little experiment demonstrated this problem; you cannot check for everything. Asides, the approval process only check for certain things -- mostly UI and crashiness. It only does a cursory check for most other things. (See: Flashlight tethering which requires a whole software DHCP, DNS server, along with modifying low level wifi packets. See: Storm8's harvesting of phone numbers. See: Camera software usage of side volume key. All of these apps - and more - have been banned AFTER they were approved.)

      If you actually bother reading the article, it's all FUD. There's no specific examples or data to back up their information. As far as I know, an application cannot modify it's own code. It may show a miniature HTML browser window. Any additional code must go through the standard install permission screen. For some reason, this article that doesn't have specific infections listed. It only says "apps could" and a horribly generic "Running code downloaded from the Internet is problematic because the code could be anything" (NO SHIT SHERLOCK).

      Basicallly, all it's saying is that if you see one of those "install other app for 1000 xyz coins", you should be wary if it comes from the Android Market or randomly from the 'net.

  3. Anything like adblock by 3.5+stripes · · Score: 1

    on an android system level?

    etc/hosts, or dns blacklists?

    --


    He tried to kill me with a forklift!
    1. Re:Anything like adblock by fuzzyfuzzyfungus · · Score: 4, Interesting

      If you have root access, the underlying linux(while spare) isn't terribly alien, fucking with DNS would be a definite option). If not, You Are Product.

    2. Re:Anything like adblock by compro01 · · Score: 1

      Yes, etc/hosts exists on Android and works exactly the same as any other Linux.

      There's a fine app called adaway that'll do it all for you. Obviously requires root though.

      --
      upon the advice of my lawyer, i have no sig at this time
  4. malware in ads by Anonymous Coward · · Score: 1

    Isn't there a way to sandbox the process running the ads?

    1. Re:malware in ads by nullchar · · Score: 1

      You mean sandbox the app itself as it calls the ad library which execute the remote code? But you've already granted that app the permissions necessary to do bad things!

    2. Re:malware in ads by GameboyRMH · · Score: 1

      Why not just *not install* these fucking skeezy apps? I see so many replies on how to block the functionality instead of just not infecting your phone in the first place, it's pretty sad.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:malware in ads by TheRaven64 · · Score: 1

      The Android store that comes preinstalled with most new phones is hosted by a company that makes most of its money from advertising. For obvious reasons, it doesn't make it easy to differentiate free apps from adware.

      --
      I am TheRaven on Soylent News
    4. Re:malware in ads by SadButTrue · · Score: 1

      I am not sure that follows. Even if every android app used google's mobile ad platform, which isn't even close to being reality, the conversion quality matters. In fact it matters a lot. Even CPM contracts are highly non linear with quality. At least they were when I was around the business in 2002ish.

      PS: Looks like google currently has around 1/4 of the mobile ad space;
      http://www.bloomberg.com/news/2011-12-12/google-millennial-media-take-ad-share-away-from-apple-idc-says.html

      --
      grape - the GNU free, open source rape
  5. ad block effect by vlm · · Score: 4, Interesting

    I suspect the "ad block effect" that I'm used to from years of firefox will exist on android very soon. "(shock amazement) Thats what the unfiltered internet looks like now? how can anyone use that? (insert more shock amazement)"

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:ad block effect by ciscoguy01 · · Score: 1

      Having used Adblock Plus on Firefox for a number of years I don't really know what the unfiltered internet looks like. Whenever I am forced to use IE I have to experience it however briefly.
      I know people who use IE exclusively which I can't imagine.
      How many blinking ads can you stand? Darned few!
      We badly need a way to support Adblock Plus on Android and on IE, or at least their filter list subscriptions.
      IMHO Firefox has some pretty serious issues today, I would dump it except for Adblock Plus.

      --
      .
    2. Re:ad block effect by Anonymous Coward · · Score: 0

      Not just ads. It is the fact that most malware comes from ad servers. Because no ad service except for Google's text ads is actively doing anything about clients using their rotators for infection vectors, I consider them either passive condoners, or even active accessories to computer crimes.

      So, until this is done, which is doubtful in my mind, I will continue to block ads.

      The funny thing? I've yet to have any trouble with malware on my systems since I've started using hosts files, dropping bad IPs into my router's deny list, and using SpywareBlaster to add entries into the killbit area of IE. This tells me a lot.

    3. Re:ad block effect by Anonymous Coward · · Score: 1

      Chrome has an Adblock extension that works really well.
      You can even tell it to block Google's text ad's (though I don't, as sometimes they are quite hilarious).

    4. Re:ad block effect by SadButTrue · · Score: 1

      It is a jarring experience when you lose adblock. Was dicking around with chromium and managed to break my plugins a few months ago. It had literally been years since I had seen the unfiltered net... yuk :)

      --
      grape - the GNU free, open source rape
    5. Re:ad block effect by ciscoguy01 · · Score: 1

      I know Google Chrome has an adblocker, it might use the same maintained blocking lists that Adblock Plus uses. If so I would really recommend it for Chrome users.
      But Google Chrome is too minimalist for me, I like all the menubars and controls that Firefox has.
      That said, I don't like the new Firefox as well as I liked the old version with again, more menubars and controls. Heh.
      But I am an old guy.

      --
      .
  6. Great... by MachDelta · · Score: 1

    I really didn't want to root my Gnex and lose all my settings and such, but it looks like I may have to anyways. Wonderful.

    1. Re:Great... by nullchar · · Score: 1

      You shouldn't lose anything if you root your stock device. Installing a new rom will of course wipe everything. However, root allows you to truly backup everything on your device. (Check out TitaniumBackup once you root.)

    2. Re:Great... by MachDelta · · Score: 1

      Unfortunately, unlocking the bootloader on a Gnex, while very simple to do, will wipe the /sdcard/ partition. Security feature, apparently.

    3. Re:Great... by nullchar · · Score: 1

      The sdcard is the one thing that's trivial to backup - root or no-root! As it's removable, remove it and copy it.

    4. Re:Great... by nullchar · · Score: 1

      Actually, I have TitaniumBackup write to /sdcard then I mount the device over USB mass storage (though I hear that'll be removed in future versions) and rsync everything just like a regular rsync backup script (--link-dest hard links and all that jazz).

  7. Adware? Malware? What's the difference? by KiloByte · · Score: 4, Interesting

    Wasn't it the case just several years ago that "adware" and "malware" were considered to be mostly synonyms? I don't see why, just because the plarform changed, they would behave any differently. You're back to the Bonzi Buddy "goodness".

    I just stay away from any "App Stores" and "Foo Markets". A Debian chroot (when there are no native builds) means the code I run can be trusted.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Adware? Malware? What's the difference? by idontgno · · Score: 1

      You have Debian running on a modern mobile device? Do tell!

      And by "running" I mean "with full telephony functionality".

      A Nokia N9 or N900, maybe, I could see. But those aren't representative of "modern mobile device".

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:Adware? Malware? What's the difference? by KiloByte · · Score: 1

      You can install Debian in a chroot on most Android devices. I do use an N900, though, instead of a "modern" device -- there is nasty memory pressure, but the input dev runs circles around anything droid. You do need to beat it a bit to get basics including keys like [ ] ESC PgUp and so on, but once you're there, it's on par with most laptops. That's worlds behind a desktop with a mouse and a good ergonomic keyboard, of course.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Adware? Malware? What's the difference? by wanzeo · · Score: 1

      There was a very detailed thread here a while back (which I am too lazy to find) where someone explained why you can't get Debian running on a "modern mobile device". It basically involves the vast fragmentation of platforms, and the lax GPL adherence to include SOC firmware source when shipping with the kernel. You would basically have to go to China and bang on doors to get what you need.

      However, I have a theory that this fragmentation is just a result of the rapid growth of mobile ARM devices. Once it gets to the point where everyone has a smartphone that is "good enough" the pace of development should slow, and a Debian friendly platform like the N9 will emerge. Heck, if you were the sporting type, you could make a Debian tablet with a Raspberry pi and a suitable screen.

      Don't give up comrade, our day will come.

  8. Droid Wall by nullchar · · Score: 4, Informative

    Got root?

    An iptables front-end on Android. Droid Wall is sweet: https://play.google.com/store/apps/details?id=com.googlecode.droidwall.free

    As each android app runs as a separate uid, it makes it easy to block net access app-by-app. The problem, of course, is when the app you don't really trust needs net access for a real reason. Sometimes you can allow net access, let the app do it's thing, then revoke it so it's not background connecting all the time.

    Also the ability to set some apps wifi-only and others 3G-only is pretty handy. This saves hours of battery life.

    1. Re:Droid Wall by ciscoguy01 · · Score: 3, Informative

      And that background data that all those apps seem to want to use costs you money in this day of metered data.
      It's easily possible for apps you never ever use to leak data day after day day, downloading ads you never see. This could make you go over your allotment from your cellular carrier and they will bill you for the overage.
      All for nothing.
      You never even saw those cool ads you downloaded!
      Root your phone and put a big hosts table in there.

      But, someone will say, "If you don't let them download and show you ads they won't be able to make those cool apps for free."
      Sorry, if showing ads to someone who doesn't want to look at them is your business model and it stops working, you will have to either get a business model that works or go out of business.
      I have been to websites that contained a warning "You are blocking ads, you may not use our website. Unblock our ads before you come back here".
      Sounds like a website to stay away from to me.

      --
      .
    2. Re:Droid Wall by mlts · · Score: 1

      LBE Privacy Guard is also a good tool on a rooted phone. I use it with DroidWall to ensure that apps that have too many permissions don't get to use them.

      The downside is that it takes a little bit on boot for the LBE Privacy Guard daemon to load, but it is an excellent tool that in reality should be part of the OS.

    3. Re:Droid Wall by Anonymous Coward · · Score: 1

      LBE Privacy Guard is closed-source. I'm not big on closed-source root programs. Never mind that it's also (incoming xenophobia) written by a Chinese developer.

    4. Re:Droid Wall by SadButTrue · · Score: 1

      Is it possible to do the same thing with built in data manager in ICS? I know it can be configured per app so I guess the real question is, can it be set to zero?

      --
      grape - the GNU free, open source rape
    5. Re:Droid Wall by Anonymous Coward · · Score: 0

      The problem with me is that DroidWall just doesn't work. I explicitely block an application and it still can connect to the internet and make requests. This is on a rooted Samsung Nexus S with Android 4.0.3.

    6. Re:Droid Wall by Anonymous Coward · · Score: 1

      But Android users are notoriously cheap and don't pay for apps. So, how are developers supposed to make money? What novel business model do you suggest?

    7. Re:Droid Wall by __aasdno7518 · · Score: 1

      " Sorry, if showing ads to someone who doesn't want to look at them is your business model and it stops working, you will have to either get a business model that works or go out of business.

      So very true. You can show me ads till you are blue in the face..But keep in mind,ads annoy me..You are guaranteeing yourself I will not buy your product when you annoy me.

      "I have been to websites that contained a warning "You are blocking ads, you may not use our website. Unblock our ads before you come back here". Sounds like a website to stay away from to me.

      Yes..You tell me to unblock and look at your stupid ads that I'd never click on anyway and I'm gone.

    8. Re:Droid Wall by Anonymous Coward · · Score: 0

      The problem with me is that DroidWall just doesn't work. I explicitely block an application and it still can connect to the internet and make requests. This is on a rooted Samsung Nexus S with Android 4.0.3.

      Sounds like you didn't apply the firewall rules. You need to do this explicitly. It won't work by just checking the box.

      I have never seen it fail.

    9. Re:Droid Wall by Anonymous Coward · · Score: 0

      Really? What a bad design. I'll test it out but this has been going on through reboots, so I doubt it is the issue.

    10. Re:Droid Wall by Anonymous Coward · · Score: 0

      But Android users are notoriously cheap and don't pay for apps. So, how are developers supposed to make money? What novel business model do you suggest?

      The answer is obvious: Move out of the Android market, idiot. Apple's ecosystem is still going strong and Microsoft's might be the next big thing, for all we know.

      You can't make a living from fanboyism alone.

    11. Re:Droid Wall by blackest_k · · Score: 2

      Actually it makes sense to pay for good apps on android. My mobile operator three.ie (hutchinson telecom) gives me free unlimited data for 30 days when I top up by 20 euro (and an extra 10 euro credit), which is good but when that 30 days expires I then start to pay for data a couple of days ago I get a text telling me i've used 5 euro odd on data. That is pretty much down to ads being downloaded.

      Wouldn't I have been better off to buy the ad free version of the app rather than paying for data I didn't want or need? That excess data charge could have paid for maybe 2 or more apps, most apps seem to be priced from 99 cent to 3 or 4 euro.

      For some reason debit cards are not accepted for most online purchases, so i use prepaid credit cards which are fairly inexpensive but usually end up with 2 or 3 euro credit that gets eaten by the card provider transferring to a new card costs about 2.50 or a balance remaining costs 1.50 a month till it reaches 0 so again it is worth paying for an app with these useless bits of money.

      not every app is worth buying but i have bought quite a few, and I intend to keep doing so especially as it costs me less to buy them than the ad supported versions.

      --
      Blarney Quality Restaurant, Plants
    12. Re:Droid Wall by Inda · · Score: 1

      "My Data Manager" has served me well for tracking apps that consume data when not in use.

      https://play.google.com/store/apps/details?id=com.mobidia.android.mdm&hl=en

      It actually reset yesterday (my billing date). A lot of apps are showing <0.1MB in a day of no-use.

      Big players like eBay, Google Shopper, Dropbox, BBC iPlayer have all used data and I've not used them in weeks.

      Small games like checkers, reversi, chess, Go, etc, that I also haven't run, haven't used any at all.

      TuneIn radio sucks the most data. But I'm happy about that. Best app on my phone by far!

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    13. Re:Droid Wall by vlm · · Score: 1

      Big players like eBay, Google Shopper, Dropbox, BBC iPlayer have all used data and I've not used them in weeks.

      I can't excuse the others but I have my dropbox configured for offline sync every hour. I'm not bothered by apps using BW to transfer my data on my command.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. Block Ads... by RLU486983 · · Score: 1

    that's the real solution. It was only a matter of time... this type of exploit (and others to come no doubt) are the strongest argument for blocking ads.

    If you want people to buy your app, create a good app and provide a malware/adware/shareware free/lite version of it. If it is a good app then people will buy it. You piss people off before they have a real chance to test your app then you stand to lose that customer. Those that do not buy your app after trying it would not buy it under any circumstance. I will continue to block apps as long as I have a means to do so. And, I will continue to buy apps from those DEV's that actually create good apps and provide them without the hassle of dealing with the garbage on the side.

    1. Re:Block Ads... by RLU486983 · · Score: 1

      The "shareware" belongs with "free/lite" above and should read "malware/adware free shareware/lite version"... my eyes are playing tricks on me!

    2. Re:Block Ads... by noh8rz3 · · Score: 0

      You piss people off before they have a real chance to test your app then you stand to lose that customer.

      How can you piss off customers before they have downloaded your app? By not giving them a free version? Stands to reason that it's no big loss to piss off people who want something for nothing.

    3. Re:Block Ads... by tlhIngan · · Score: 1

      If you want people to buy your app, create a good app and provide a malware/adware/shareware free/lite version of it. If it is a good app then people will buy it. You piss people off before they have a real chance to test your app then you stand to lose that customer. Those that do not buy your app after trying it would not buy it under any circumstance. I will continue to block apps as long as I have a means to do so. And, I will continue to buy apps from those DEV's that actually create good apps and provide them without the hassle of dealing with the garbage on the side.

      Works great on iOS, where the App Store is available everywhere iDevices are sold.

      Not so much for Android, which are sold where Google Checkout isn't supported.

      In the beginning, support for paid apps in Android was atrocious, at best. This forced developers to have to start offering the apps for free just to show up in the listing (otherwise only places where you could pay for the app would see it). This resulted in a market that started out as an alternative to the App Store turn into one where the vast majority of apps are free. (Across other platforms, it's roughly 25% free, 75% paid. For Android, it's well over 50% free).

      It doesn't help that iOS users seem to pay for 2-3 apps a month, whilst most Android users either don't buy apps, or don't pay for them (i.e., pirate).

      So developers who aren't developing apps for free have to stick ads in them.

      It happens on iOS as well ,but it's usually as a choice - either in-app purchase or two separate apps (a free ad-supported one, and a paid ad-free one). It's just on Android, it's a lot harder to charge for stuff when a good chunk of your users can't pay.

      It also doesn't help when people are talking about global ad-blocking at the system level. That just scares away developers and leaves all the crapps left over

    4. Re:Block Ads... by cynyr · · Score: 1

      I want to know if your "make my android phone a BT keyboard" will work on my phone, same goes for your 3d game, etc. No sense shelling out $5 until I know it will run.

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
    5. Re:Block Ads... by noh8rz3 · · Score: 1

      instead of stealing my app, you could do things the "old fashioned way:" 1) read app store reviews and ratings 2) read external reviews like touch arcade.com 3) use word o mouth / "the social network" 4) if shiit don't work, contact the developer for a refund. you have plenty of options w/o getting all righteously upset.

  10. Nobody should be supprised. by Anonymous Coward · · Score: 1

    Mobile ads are just like traditional website ads? A massive infection vector?
    Poorly secured servers that touch millions of individual hosts across millions of different sites, by design?
    Scummy ad vendors that don't care that they're linking to dropper sites?

    Yeah, not suprised. You can't trust ad vendors at all.

    Ad-Aware and other ad blockers are really security products. Blocking ads is just a pleasant side effect.

    1. Re:Nobody should be supprised. by gl4ss · · Score: 1

      it's xss by design. soo.......

      --
      world was created 5 seconds before this post as it is.
  11. Re:Doesn't happen on the iPhone/iPad thank Jobs by jesseck · · Score: 1

    We're beginning to see the cracks in the Android dam

    I don't think there ever was a dam- I've been able to install anything I want on my Android as long as I've had it. People will exploit devices and services whether it is Android, Windows, Mac,or Linux. That's life, and it's the risk we take to have the freedom to do what we want on our devices. Freedom isn't free, right?

  12. No shit by thePowerOfGrayskull · · Score: 1

    For years I've been telling fellow mobile developers that in exchange for ad revenue - or even for usage statistics - they're giving up AT MINIMUM the privacy of their users -- something which isn't theirs to give up in the first place. As ad libraries grow more complex, it's certainly no surprise to learn that there's more than privacy at stake.

    When you incorporate libraries that give up part of your control over your application, you can also be certain that you're giving up your users' control over their device.

    1. Re:No shit by gabereiser · · Score: 0

      extreme but I can definitely see your point... Ad libraries may collect (do collect?) informational analytics on the devices they are displaying ads for and thus may [potentially] have an avenue to find out who the device owner is and how to gain back-door access via delivering trojans or exploits.

  13. Android adware by Windwraith · · Score: 1

    I can only speak for Android, since I don't own an iDevice, but the market is so saturated with ad-driven apps that it reminds me of windows some years ago, where everything was adware or shareware.
    Being from a Linux world where you get pretty much free (in both meanings) access to tools and programs, check/edit the source and other things, Android feels like a wild jungle, so closed and just feels like it's kind of hostile to the user, somehow.
    Besides, you are getting ad-based versions of paid apps as "FREE" most of the time. So you are paying with ad revenue and purchases. I bet there are paid apps with ads as well.

    1. Re:Android adware by jo_ham · · Score: 1

      It's similar on iOS too - there are a large number of ad-supported free apps, often just direct duplicates of the paid version and listed as "(app name) Lite" or "(app name) Free". It's a strong encouragement to upgrade to the paid version if you like the app and are annoyed by the ads (some more obnoxious than others).

      Ironically, some apps make more money for the developers as free, ad-supported than they do as paid apps. It's probably due to volume of "sales" of the free apps though.

      As far as I know there aren't any paid apps that also show ads - I certainly haven't seen any, but I'm only one data point. I'm sure the big-player game apps (like Zynga?) probably cross-promote their other games, but don't otherwise advertise products and services.

      I used a free app the other day that was serving ads for a loan shark, err sorry a "payday loan company". Skeevy.

    2. Re:Android adware by Anonymous Coward · · Score: 0

      I used a free app the other day that was serving ads for a loan shark, err sorry a "payday loan company". Skeevy.

      A bit off topic but payday loans should be illegal. Consider this, you are short of money before your next payday so you borrow against that next payday and they charge you insane interest for that "loan". The net result is that you are potentially even further behind just before the next payday.

    3. Re:Android adware by mcelrath · · Score: 1

      I've been sorely disappointed with the Android Market/Google Play. First, the ads are a throwback to the punch-the-monkey style ads. They're invasive blinking colorful shit that takes up valuable screen real estate on a small screen, and suck your bandwidth and battery. You're paying not only with the mind virus they install, forcing you to look at them, but also with your bandwidth and power bills. Second, the app market seems to be full of half-finished weekend projects. Very few of the apps in the market are even worth downloading, and for any given purpose you will find 100 apps that you have to sort through. Often you have to pay just to discover that the app doesn't do what you need. The open source community isn't much better -- let's face it, most things on freshmeat/sourceforge/github are half-finished weekend projects. But every once in a while someone comes along and finishes someone elses project, or a collaboration lets those projects get a bit further. This never happens in the ad-supported market. Everyone is jealous of their half-finished crap, so you have an explosion of completely crappy apps. Even the open source ones that appear are often shrouded in mystery and some dickhead with a compiler is getting a money from ads, while the original developers get nothing.

      To mitigate the poor quality, security, and ad-annoyingness of that market, I offer the following proposal to Google:

      • 1) Require that anything in the android market have its source uploaded to a Google repository. Create a license that allows collaboration, and also a fair-share distribution of any funds to contributors (perhaps using repository commits as a metric), while legally disallowing wholesale forking of the code. (Or perhaps allowing forks on the master repository only, but tracking funds that need to go to the original authors)
      • 2) Have all apps compiled by Google. Disallow binary blob uploads appearing on the market. (for security)
      • 3) Give the ad library a "master switch" to turn off ads in an app, in exchange for an amount of money commensurate with the proceeds from ads. Therefore all ad-based apps can become no-ad apps in a uniform way.
      • 4) Make the ad library a separate app (ad server) with its own permissions so that the app, and the ad library can have separate permissions. (for security)
      • 5) Make all paid apps "try-before-you-buy" with a reasonable time to evaluate, like a few days. The current 15 minute window is only useful for users that click on the wrong thing, it is not nearly long enough to try most apps.
      • 6) Finally, addressing TFA, return to the text-based ads that made Google famous, and get rid of the current invasive android advertising.

      Yes, a tiny fraction of users will be able to download apps and compile them themselves, but this is also the same set who might become contributors. Requiring open source will seriously discourage malware, and in the event some gets through, it can be detected from the source, and you will know where it came from through repository commits.

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  14. Re:Doesn't happen on the iPhone/iPad thank Jobs by JeanCroix · · Score: 2
    FTFA:

    One problem with ad libraries, which are served up via Google, Apple [emphasis mine] or other such companies, is that app users essentially give them the same access permissions as the apps themselves, allowing them to skirt standard security processes.

  15. Re:Doesn't happen on the iPhone/iPad thank Jobs by jo_ham · · Score: 1

    This is still a threat on iOS - ads don't just come in free apps, the browser can load them on websites too. Detecting and serving specific ads to specific hardware is trivial.

  16. Good point by Anonymous Coward · · Score: 0

    'Running code downloaded from the Internet is problematic because the code could be anything,' says Xuxian Jiang,'

    Take it from the Chinese guy.

  17. As an app author I get lots of spam by DrXym · · Score: 4, Informative
    I use AdMob as my ad provider (consequently bought out by Google) and feel reasonably confident that they vet their ads and the chance of malware is is relatively low risk. Even if one slipped past my app only runs with internet permissions which limits what it could do. The most dangerous thing an ad might do is take a user out of my app into a web browser and from their somehow their phone is infect. But I'm being as responsible as I can to avoid that.

    This isn't pure altruism but simply because I don't want my app tainted by scummy annoying ads or malware. I get a lot of spam from alternative ad providers with a hook such as I can earn 10x as much money by using their service. But a cursory glance at their marketing blurb leads me to conclude that their business is usually derived from enticing users to take surveys, 30 day trials and run other apps and all with far broader permissions such as read/write from SD, GPS location and so on. One advertiser worryingly also says they install "ad icons" on the user's phone meaning that my app would have to have ask for a pile of permissions just to enable this crap and it wouldn't be for the user's benefit.

    So as a responsible developer I stick with AdMob. But I can see how the danger is there. My advice for end users is only install apps which ask for a minimal set of permissions and uninstall apps which start serving annoying or dodgy content. Perhaps it won't stop attacks occurring but at least it means they won't be occurring for people exercising some restraint and common sense.

    1. Re:As an app author I get lots of spam by Anonymous Coward · · Score: 0

      I've got to ask... do you actually make money from those ads? I have no idea what ads your apps show people, but all the ad-supported apps I have show me absolute and utter rubbish. I frequently get "Appz | Ringtones | Games" (does anyone even download ringtones anymore?), and I've also been seeing ads for my own mobile phone network (which seems counter-productive). Possibly the best ads I've seen are in a game called Stick Stunt Biker, where at least the ads look intelligent, but they're all for motobike shops and repair places (I only play the game because it's fun - it doesn't make me want to buy a motorbike - duh!).

      So in short, apart from the one time I accidentally touched an ad and then immediately closed the browser it opened, I have never 'engaged' with a mobile ad. Unless they get considerably better, I doubt I ever will, and to be honest, adfree is just around the corner for me (just as soon as I get Ice Cream Sandwich on my phone).

    2. Re:As an app author I get lots of spam by DrXym · · Score: 1
      My app is fairly niche - only 1500 active users but it's pretty good within its class and under active development. I have a major release coming out tonight hopefully. But no I get a pittance from advertising - .40c on a good day. I think if I sold the same app for $1 that the number of users would be 1/4 but I'd make a much more money. I'm pondering ways to monetize the app at the moment. I'm selling an ad free version on RIM's store and intend to do the same with Amazon shortly. For Android Marketplace I'll probably put some options in for users to pay to turn off advertising as well as some other ideas I have to incentivize spending money.

      I still think the app was worth doing though and continuing to support it. It looks great on a CV to say I'm a developer and have an actual app to back up that claim. Another benefit is that I've been sent freebies from Nokia / Microsoft and RIM of free hardware worth about $1000 which is nice too.

      So no, unless you're writing something anticipating at least 10,000 or more users I'd say advertising doesn't make any money. The temptation would be to switch to some shady ad supplier but then I drag my app's reputation down with it so I wouldn't do that.

  18. Another fanboy article... by Anonymous Coward · · Score: 1

    Take a look at the author's blog on Networkworld (click on his alphadogg tag in the byline). Mostly "i"thing announcements. Gee, I wonder if his "research" is skewed.

    He's really confusing 3 things in the article:
    1) Ads have the same permissions as the app itself. However, HTML has no provisions to access the filesystem automatically. It would only have access to your GPS should the originating app also have permission.

    2) Downloading code? Downloading HTML is practically harmless to the running state of the OS; it might damage your privacy a bit, but that's it.
    2.5) Is it talking about apps that try to get you to install more programs? On Android, you're still greeted with a permission screen at least.

    Again, all 3 of these could apply to ALL Operating systems, but for some reason has a heavy Android slant. I mean seriously, "to grab code from remote servers that ***could*** give malware and hackers a way into your smartphone or tablet."? They reviewed 300 ad networks and found that it "could"? I could catch all sorts of diseases by sitting on a public toilet, do you see anyone getting cancer/AIDs/STDs?

    1. Re:Another fanboy article... by Anonymous Coward · · Score: 0

      This is a notable point that would serve the community well if they understood it.

      The potential of downloading remote code and executing isn't the problem. The problem is the actual action. Since no such actions were explicitly reported, no problems were actually found. And even if they were found, they are only as problematic as the application's permissions, which most good admins would protect with a robust firewall and malware protection filtering systems. And some malware might even ask the user if it's OK to do it's malware-ish things. In which the obvious answer is "No!".

      And therefore, there is no problem here.

  19. The Conduit by cidersylph · · Score: 1

    I immediately thought of Saren saying "One step closer to finding the conduit." Been playing too much Mass Effect :)

  20. Most replies encouraging ad-blocker miss the point by hmbcarol · · Score: 1

    The vast majority of posts I see point out the obviousness of rooting your phone and running any of a number ad-blockers and how great they are. That's no different than someone responding to a regular Joe's desktop Linux complaint with a "Duh, change your config, rebuild your kernel and move on....". You've just lost the average person who might otherwise be interested in playing. The VAST majority of Android users have absolutely no ability or interest in having to "root" their phone, finding a good ad-blocker, and then install it. There are millions of people having a less-than-steller experience, probably not even realizing what's going on and the best answer from the tech community isn't "Let's fix the process", or even "Let's exhort Google to fix the process", but rather an almost patronizing rolling of the eyes and an explanation of how "easy" it is to fix.

  21. It's biting off what I get ribbed on here for by Anonymous Coward · · Score: 0

    HOW TO INSTALL A CUSTOM HOSTS FILE ON AN ANDROID SMARTPHONE:

    DO THE FOLLOWING (after obtaining a good reputable solid HOSTS file, like mvps' -> http://www.mvps.org/winhelp2002/hosts.htm ) OR better yet, HpHosts -> http://hosts-file.net/?s=Download

    ---

    1.) Get ahold of the "Android Debugging Bridge" (ADB) & install it

    2.) Mount your system mountpoint as READ + WRITE (as powerful of priveleges as you need is this)

    3.) Using the PULL command, copy the file over from your PC (or even on your ANDROID if its there already) using PULL & overwrite the etc. folder's copy of HOSTS

    ---

    * DONE! Yes, it's THAT simple... &, it works!

    No 3rd party apps required @ all/whatsoever + completely free also since folks already have one on ANDROID smartphones!

    (Other types of smartphones too. I simply note android because last I knew of, it even surpassed iphones out there in terms of marketshare).

    As to my subject-line?

    Well, there's a pack of idiots around here that calls me "hosts file troll", but they NEVER ONCE MANAGE TO DISPROVE FACTS I PUT OUT REGARDING HOSTS FILES... (20 of them vs. AdBlock &/or DNS Servers alone in fact).

    Not once, for years now, in fact.

    Who are they?

    No doubt malware makers themselves, or webmasters losing out on adbanner views!

    (Too bad the latter don't admit they suck up CPU time, RAM, & other forms of I/O a user pays for, including electric power, as well as bandwidth & speed a user pays for out-of-pocket... & adbanners loaded with malicious script? Tons of that happened over time now... want proof? Just ask, I'll put out a TINY sampling of it (dozens)...

    Who else agrees with me on it?

    Mr. Stephen Burn of hpHosts, & here is a quote from he on it as we discussed this this week in fact, and how the idiot trolls around here tried to libel & mock myself calling me "hosts file troll", when hosts files are for helping folks get FAR better speed, security, and even anonymity to an extent (vs. DNSBL + DNS request logs):

    ---

    "I don't actually get time for many sites such as slashdot anymore, but certainly see my fair share of trolls on the MyWot (Web of Trust (I'm a moderator there, and MyWot includes hpHosts in their "ratings")) and Malwarebytes forums, and you're correct -it's always either users of malicious software/sites, or the owners of such, that are doing it."

    ---

    It doesn't take a brain to realize that anyone harassing, stalking, & libelling myself as they have here repeatedly to no avail (they've never disproved points I make about hosts files benefits for users of them I extolled above after all), is done by those who gain by people NOT using them.

    (That came about after I submitted a 64-bit hosts file mgt. program to he is why, another story in & of itself where I proved COMODO & Arcabit have problems with exe compressors & produce false positives)

    APK

    P.S.=> You MIGHT have to run a Dos-2-Unix program over your custom HOSTS file, per the above directions for installation into an ANDROID smartphone, & especially IF you didn't import one built for *NIX, but that's about it (since ANDROID is a Linux & thus, yes, a *NIX variant essentially)... apk speed a user pays for out-of-pocket...

    1. Re:It's biting off what I get ribbed on here for by cynyr · · Score: 1

      now what do you do when you run into the app that checks to see if it's ad network is in your hosts file(mind you only looks to see that it is there, not that it is set to something non-nonsensical)?

      --
      All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
  22. Many problems by SuperKendall · · Score: 1

    1) Require that anything in the android market have its source uploaded to a Google repository.

    Goodbye Angry Birds, and EA...

    Have all apps compiled by Google.

    As a developer I am greatly dismayed by the idea that I may have to fix bugs introduced by Google messing up compiler settings.

    Give the ad library a "master switch" to turn off ads in an app, in exchange for an amount of money commensurate with the proceeds from ads. Therefore all ad-based apps can become no-ad apps in a uniform way.

    That's not a bad idea, but the ad company builds the library so how will they get money from the action that kills off the only revenue stream they have?

    Make the ad library a separate app (ad server) with its own permissions so that the app,

    I'm not sure you understand how many different ad libraries there are, you seem to think of this as there being just one.

    Make all paid apps "try-before-you-buy" with a reasonable time to evaluate, like a few days.

    If only Apple and Google would BOTH do that. It is in the power of the system to de-atuth after some time....

    Finally, addressing TFA, return to the text-based ads that made Google famous, and get rid of the current invasive android advertising.

    Too late for that I'm afraid.

    Requiring open source will seriously discourage malware

    I am very doubtful that would be the case. Lots of malware is just copied from elsewhere. They don't care if people find out after a bit, by then they have what they wanted from a lot of users.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Many problems by mcelrath · · Score: 1

      You're right on most of that. Oh well, ad-blockers for half-finished weekend projects it is... and using Android will continue to be a miserable experience.

      P.S. I think I've been isolated, using only FOSS since about 1995. Android was my first re-introduction to the bad-old-world of closed source. It's a chaotic shit-show and I hate it.

      P.P.S. I thought everyone on Android was using Google's AdMob? Which made me think Google could force some improvements to the situation...

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  23. I may or may not work for a secuity company... by Anonymous Coward · · Score: 0

    And I may or may not know that Xuxian Jiang, the researcher at NC state, is a fear mongering self serving blowhard.

    1. We already know that every fucking ad network out there can "track location" to give you ads based on geolocation.
    2. There is nothing inherently more dangerous by ad libraries downloading data, or "code", to devices. They can't break permission models, so the downloaded code can't do anything more than the apps can anyways.
    3. The ad library itself would have to be malicious in order to execute malicious code.

    I hate fear mongers.

  24. Re:Doesn't happen on the iPhone/iPad thank Jobs by gmhowell · · Score: 1

    I am sure nobody will remember this post while they accuse you of being an Apple shill/fanboi.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  25. AdBanner powered freeware costs money by Anonymous Coward · · Score: 0

    Which serving up ad banners uses more battery life/electricity, and ad banners HAVE BEEN KNOWN TO BE INFESTED BY MALICIOUS CODE more than "just a few times" over the past decade++ now also...

    * Assuming of course, that any apps that are merely "fronting" for, or doing the same as (like AdBlock or even a local DNS server) custom HOSTS files can do, for free & for LESS ( doing more with less = good engineering) are indeed, funding themselves via adbanners.

    Some do... but, lol, not sure an adblocking app would (that'd be ironic!).

    By the by: You're reading the words of a MANY time internationally published shareware/freeware (even "open SORES" contributor lately) and commercial software code programmer-analyst/software engineer, since 1995... so, it's "been there, done that" here, dozens of times (over 40 apps out there over time since then, & I "laid off" around 2004/2005 or so).

    APK

    P.S.=> You MAY want to refer to this:

    http://tech.slashdot.org/story/12/03/19/1750233/free-apps-eat-your-smartphone-battery

    Because I've been noting THE SAME THING about using HOSTS files vs. DNS servers locally (or ring 3 / rpl 3 /usermode apps like AdBlock which doesn't even work as well as it used to vs all ads by default anymore either -> http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option ):

    There's an ENTIRE ARTICLE with a BODY OF RESEARCH regarding it today in fact, backing points I've been making for YEARS in favor of hosts files (which are a filter for the ring 0 / rpl 0 / kernelmode (PnP design in Windows) IP stack only, not some 'heavier layered on' ring 3/ rpl 3 /usermode service OR app, which, face it, ARE REDUNDANT vs. custom hosts files usage (but can/could act as 'good layered security')... apk