Use of dangerous permissions by Android ad libraries

Abstract

Privacy concerns exist with ad libraries which come bundled with Android appli-cations. These libraries are known to collect personal information such as the user’s approximate location to use to tailor ads to the user. Many people find this intrusive and some might not even be aware that this is taking place. One way apps can gain access to a user’s personal information is by requesting it directly from the Android device itself. To do this, it requests the use of one of Android’s permissions. The user may think a given permission is only being requested because the app has legitimate use for it. For example, a weather app has a legitimate reason for asking the user’s location, but an ad library bundled with that app might also access the user’s location. Since the app has permission to access the user’s location, any ad library bundled with that app shares this permission. We took a sample of 134 apps and analyzed them to determine whether “dangerous permissions,” that is, permissions which could potentially leak sensitive data are typically being requested by the app itself or by ad libraries bundled with that app. We found that 71 those apps have at least one dangerous permission request originating from an ad library. In six of these apps, the only requests for dangerous permissions came from ad libraries, meaning the app itself had no need for the permissions at all.