Mobile security apps often leak information via ad network libraries

January 5, 2016

Why you should not use so called security software, specially if they are “free”, on your mobile? Because they make your security worse most of the time.  And no I’m not talking about vulnerabilities in the software itself – sure there a plenty. No there is principle problem as they use ads to finance their software. Why is that bad for your security?

Most big websites like Google and Facebook use today HTTPS for anything you transfer to/from them. But what most people miss is that most ad networks still use HTTP for tracking the user. If you’re just using an app or sometimes even in the background, it sends your information in the clear to the tracking network. Its bad that you get tracked in the first place but in a public WiFi, this information can be used to target and attack you.  Lets show you an example.

Lets take a look at 360 Security – Antivirus Boost

360security

And yes their claim for 200 million users seems to be valid

360security2

As the app is free they include some ads … e.g. from vungle.com

vungle_girl

What is vungle?

Vungle helps mobile application developers promote and monetize their apps through in-app video trailers. They enable developers to get a short, snappy video trailer made and distributed through their in-app mobile video platform. They also generate incremental revenue for developers by displaying video trailers inside of their apps. (Text from CrunchBase)

Lets take a look what their library does – it sends an HTTP post request in the clear

 

vungle1

So far so good, but lets take a look at the body, which is a json file.

vungle2

Oh nice, now we know the location, the mobile phone type, the Android version and the mobile provider. If you know which phone your target uses you now got his/her IP address and Android version for the exploit to inject. For 4.4.2 there should be some easily available. 😉

ps: the NSA does not need to track your location via the mobile operator in a foreign nation … they just look at the internet traffic which goes to AWS cloud to get your location.

amazon

Buts not the only ad network which the app includes:

Lets take a look at www.applovin.com .. the homepage looks similar to the first … hmm

applovin_homepage

Here the HTTP request again

applovin1

oh, this time no location …. 🙁

applovin2

“360 Security – Antivirus Boost” is just one test case … most apps which use ads libraries leak such information.

 

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 38 queries. 0.090 seconds.