Mobile Users At Risk From Lack of HTTPS Use By Mobile Ad Libraries, Security Researchers Say

Recent vulnerabilities found in many advertising SDKs for Android apps could be mitigated by using HTTPS, researchers said

By Lucian Constantin
Fri, January 31, 2014

IDG News Service — Over the past several months security researchers have found serious vulnerabilities in many mobile advertising libraries that could be exploited to abuse the permissions of Android apps or to execute unauthorized code on users' devices. The risks resulting from those vulnerabilities would be significantly lower if those libraries used HTTPS, security researchers said.

Researchers from security firm FireEye recently reported that many ad libraries expose sensitive functionality to JavaScript code over insecure connections, making apps using them vulnerable to man-in-the-middle attacks. An attacker who could intercept traffic from such libraries -- for example on public wireless networks, through DNS hijacking or by hacking into an Internet gateway -- could inject malicious JavaScript code into the connection to perform unauthorized actions using the host app's permissions, they said.

If, for example, an app using a vulnerable ad library has permission to access the Android device's camera, then a remote attacker could exploit this issue to take photos or record video over the Internet without the user's consent, the FireEye researchers said.

The vulnerability stems from an Android API (application programming interface) feature called addJavascriptInterface that allows JavaScript code running in a WebView to access the app's native functionality. A WebView is a browser window that apps can use to display Web content.

Advertising libraries, also known as advertising SDKs (Software Development Kits), consist of third-party code that many developers include in their apps in order to earn revenue from advertising displayed in the app. These libraries commonly use the WebView feature to display ads loaded from a remote server, and many of them also use the addJavascriptInterface method for more advanced features. Android device users who want to keep tabs on what mobile ad networks are running in their apps can download products like Lookout's Ad Network Detector.

The security risks appear when the addJavascriptInterface method is used and remote content is loaded in a WebView over an unencrypted HTTP connection, because plain HTTP traffic is susceptible to tampering by anyone in a position to intercept it.
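The combination described above can be checked for in app or SDK source. The following is an added example, not code from the article or from the researchers it cites: a small Python audit that flags Java files which both register a JavaScript bridge and load a literal `http://` URL into a WebView. The class names, bridge name and URLs in the sample sources are constructed, and the heuristic only sees URLs written as string literals in the same file.

```python
import re

# addJavascriptInterface exposes a native object to JavaScript in the WebView.
BRIDGE_RE = re.compile(r'\baddJavascriptInterface\s*\(')
# Content loads whose first argument is a string literal.
LOAD_RE = re.compile(r'\b(?:loadUrl|loadDataWithBaseURL)\s*\(\s*"([^"]*)"')

def audit_source(name, source):
    """Return (file, line, url, bridge_lines) for cleartext loads beside a bridge."""
    bridges = [source.count("\n", 0, m.start()) + 1 for m in BRIDGE_RE.finditer(source)]
    if not bridges:
        return []  # no bridge registered: the risky combination is absent
    return [(name, source.count("\n", 0, m.start()) + 1, m.group(1), bridges)
            for m in LOAD_RE.finditer(source)
            if m.group(1).lower().startswith("http://")]

# Constructed sample sources (hypothetical class names, bridge name and URLs).
SAMPLES = {
    "BridgeOverHttp.java": '''\
class BridgeOverHttp {
    void show(WebView w, Context c) {
        w.addJavascriptInterface(new AdBridge(c), "adsdk");
        w.loadUrl("http://ads.example.test/banner.html");
    }
}
''',
    "BridgeOverHttps.java": '''\
class BridgeOverHttps {
    void show(WebView w, Context c) {
        w.addJavascriptInterface(new AdBridge(c), "adsdk");
        w.loadUrl("https://ads.example.test/banner.html");
    }
}
''',
    "NoBridge.java": '''\
class NoBridge {
    void show(WebView w) { w.loadUrl("http://ads.example.test/banner.html"); }
}
''',
}

def audit_all(samples):
    return [f for name, src in samples.items() for f in audit_source(name, src)]

if __name__ == "__main__":
    for f in audit_all(SAMPLES):
        print("%s:%d loads %s while a bridge is registered at line(s) %s" % f)
```

Only `BridgeOverHttp.java` is reported; URLs assembled at runtime or returned by an ad server need a network-level check instead.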

"Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play," the FireEye researchers said.

However, the security risks associated with addJavascriptInterface have been known for a while. In September researchers from London-based security firm MWR InfoSecurity reported that the use of addJavascriptInterface, which they refer to as JavaScript bridging, combined with the lack of HTTPS, can be exploited to obtain a reverse TCP shell on a device. They too pointed out that many ad libraries are vulnerable to this attack.
