"The insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks," the FireEye researchers said. "When third-party libraries use JS Binding, we recommend using HTTPS for loading content."
InMobi doesn't agree with FireEye's conclusions.
"Unfortunately, FireEye has taken industry-level concerns and applied those specifically to InMobi, making some incorrect assumptions along the way regarding our products," said Chris Davies, InMobi's head of privacy and its general counsel for the EMEA region, via email. "They're making vast generalizations regarding potential industry vulnerabilities and applying those to InMobi without understanding our products and our commitment to privacy and security. We have tried to work with FireEye to discuss their claims but our attempts of opening a meaningful dialogue have been unsuccessful to date."
"It should be understood that the required situation for a potential breach includes multiple sets of conditions that are extremely unlikely to occur at the same time and that the real potential risk is minimal, at best," Davies said.
He agreed that using HTTPS would mitigate a potential attack, but said there are other technological methods of achieving the same result.
"While HTTPS is a standard technology for the Internet, even in the desktop world there are cases where you'd want to apply HTTPS versus cases where you wouldn't," he said. "HTTPS is a very CPU- and network-intensive protocol. There are many other 'lighter' technologies available which can provide the same benefits."
InMobi couldn't find any ad network in the mobile space that conducts all transactions over HTTPS, Davies said. "In the ad tech industry we are all aware of the benefits of HTTPS but still have chosen not to use it, there must be some reason for it."
InMobi already encrypts device identifiers so that if anyone sniffs ad requests, the data they would obtain couldn't be associated with specific device IDs, he said. "InMobi plans to encrypt all the user information using a secret key in our SDK before requesting for an ad. This will be included in our next release of the SDK."