[UPDATE! April 15: Pandora removes all advertising libraries from its Android and iPhone apps!]
Our blog post from earlier this week, Mobile Apps Invading Your Privacy, detailed the information being requested by the advertisement libraries embedded inside a popular online radio application. A number of great posts and comments since then got us thinking more about the issues and the types of data being requested.
First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the Manifest permissions for the version of Pandora currently in the Google Application Marketplace:
- Full Internet Access
- Create Bluetooth Connections
- Read Contact Data
- Add or Modify Calendar Data and Send Emails to Guests
- Read Phone State and Identity
- Modify Global System Settings
- Prevent Device from Sleeping
- Bluetooth Administration
- Change Wifi State
- Change Network Connectivity
As you can see, GPS access is NOT included in that list. There was an error in the original post we made stating that some of the library code was requesting permissions from the Google system for GPS access, and as the commenter pointed out, that is incorrect. The code snippet we posted is only checking whether the parent application, Pandora in this case, has permission to access the GPS. If the parent does not have permission, the accessing of GPS data can't occur.
However, the overarching theme of the original post is still valid. If Pandora had required GPS access for a legitimate reason, the embedded advertisement library would have been able to request the GPS data and send it off device. As we mentioned in the original post, there is a chance that Pandora has no idea what the embedded advertising library actually does, simply taking it from the advertising partner and embedding it into their application.
To further illustrate this point, we downloaded a few more applications that use some of the same advertising libraries. In particular, we found AdMob (the code snippets we outlined in the previous post) embedded into the free CBS News Android application and the TVDotCom application. Both of these applications have GPS coarse and fine permissions allowed within their application manifest. They don't have some of the other permissions required to send certain data, but in these cases the advertising code will fail silently. Essentially, the advertising libraries use the parent application as an enabler, taking advantage of whichever permissions happen to be available. It also seems relevant to note that AdMob was acquired by Google in May 2010.
Under the current model, permissions are granted to the application as a whole, while 3rd party libraries such as mobile ad network libraries request many different types of information. Together, these set up a situation where the ad network will get the information if the application needs it to operate.
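The inheritance described above can be audited from the manifest alone. The following is an added example, not code from the original post or from any ad library: it reads a manifest already decoded to text and reports which sensitive data any embedded library could reach. The mapping from the permission labels listed earlier to `android.permission.*` names, the two sample manifests and the package name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Host-app permissions that unlock sensitive data for every library in the same process.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone state and identity",
}

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}

def library_reach(manifest_xml):
    """Report what an embedded library inherits from the host's manifest."""
    perms = declared_permissions(manifest_xml)
    return {
        "readable": sorted(SENSITIVE[p] for p in perms if p in SENSITIVE),
        "can_send_off_device": INTERNET in perms,
    }

def make_manifest(short_names):
    """Build a constructed sample manifest (package name is a placeholder)."""
    tags = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % n
        for n in short_names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.constructed">%s</manifest>' % tags)

# Constructed sample 1: the permission list quoted in this post for the radio app.
RADIO_APP = make_manifest([
    "INTERNET", "BLUETOOTH", "READ_CONTACTS", "WRITE_CALENDAR", "READ_PHONE_STATE",
    "WRITE_SETTINGS", "WAKE_LOCK", "BLUETOOTH_ADMIN", "CHANGE_WIFI_STATE",
    "CHANGE_NETWORK_STATE"])
# Constructed sample 2: a host app that declares coarse and fine location.
NEWS_APP = make_manifest(["INTERNET", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    for label, xml in (("radio", RADIO_APP), ("news", NEWS_APP)):
        print(label, library_reach(xml))
```

The same library code reaches location data in the second manifest and not in the first, which is why a review of an embedded SDK has to be repeated against each host application's permission set.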