
Mobile users at risk from lack of HTTPS use by mobile ad libraries, security researchers say

Lucian Constantin | Feb. 3, 2014
Researchers from security firm FireEye recently reported that many ad libraries expose sensitive functionality to JavaScript code over insecure connections, making apps using them vulnerable to man-in-the-middle attacks.

InMobi actually appears to be in a better position on this problem than many other ad libraries, which according to Wei still have the more serious addJavascriptInterface vulnerability in their latest versions. Wei declined to name any of those libraries, as FireEye is still in the process of notifying their developers.

InMobi was the only library found by FireEye so far that used the new @JavascriptInterface annotation but had JS sidedoor problems, he said. "We want other vendors to be aware of this issue and not repeat it."

Android version fragmentation is also a problem. The @JavascriptInterface mechanism only works on Android 4.2 or higher, but according to the latest statistics published by Google, around 75 percent of Android devices that visited Google Play at the beginning of January were running Android versions older than 4.2.

"The insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks," the FireEye researchers said. "When third-party libraries use JS Binding, we recommend using HTTPS for loading content."
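The annotation-versus-version trade-off and the HTTPS recommendation described above, as an added Android example that is not code from the article, FireEye or InMobi; the AdWebViewSetup and AdBridge classes, the configure() method and the adUrl parameter are assumed names, while WebView, @JavascriptInterface and Build.VERSION are real Android APIs:

```java
// Added example, not from the article or any vendor SDK.
// AdWebViewSetup, AdBridge and configure() are hypothetical names.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class AdWebViewSetup {

    // On Android 4.2+ (API 17, with the app targeting API 17 or higher)
    // only methods carrying @JavascriptInterface are reachable from page
    // JavaScript. Without the annotation every public method of the bound
    // object is exposed, which is the addJavascriptInterface weakness the
    // article refers to.
    public static final class AdBridge {
        @JavascriptInterface
        public String getSdkVersion() {
            return "1.0"; // constructed sample value
        }

        // Deliberately NOT annotated: invisible to page JavaScript on 4.2+.
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, String adUrl) {
        if (!adUrl.startsWith("https://")) {
            // Content fetched over plain HTTP can be altered by an on-path
            // attacker, so refuse to bind native code to it (FireEye's
            // recommendation: load JS Binding content over HTTPS only).
            throw new IllegalArgumentException("ad content must be loaded over HTTPS");
        }
        webView.getSettings().setJavaScriptEnabled(true);

        // On devices older than 4.2 the annotation is ignored and the whole
        // object surface is exposed; the article notes roughly 75 percent of
        // devices were still on such versions in January 2014. Skip the
        // binding there rather than expose it.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AdBridge(), "AdBridge");
        }
        webView.loadUrl(adUrl);
    }
}
```

Apps that still need the bridge on older devices have no annotation-based protection there; the HTTPS check is then the only safeguard this example offers.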

InMobi doesn't agree with FireEye's conclusions.

"Unfortunately, FireEye has taken industry-level concerns and applied those specifically to InMobi, making some incorrect assumptions along the way regarding our products," said Chris Davies, InMobi's head of privacy and its general counsel for the EMEA region, via email. "They're making vast generalizations regarding potential industry vulnerabilities and applying those to InMobi without understanding our products and our commitment to privacy and security. We have tried to work with FireEye to discuss their claims, but our attempts at opening a meaningful dialogue have been unsuccessful to date."

"It should be understood that the required situation for a potential breach includes multiple sets of conditions that are extremely unlikely to occur at the same time and that the real potential risk is minimal, at best," Davies said.

He agreed that using HTTPS would mitigate a potential attack, but said there are other technological methods of achieving the same result.

"While HTTPS is a standard technology for the Internet, even in the desktop world there are cases where you'd want to apply HTTPS versus cases where you wouldn't," he said. "HTTPS is a very CPU- and network-intensive protocol. There are many other 'lighter' technologies available which can provide the same benefits."

InMobi couldn't find any ad network in the mobile space that conducts all transactions over HTTPS, Davies said. "In the ad tech industry we are all aware of the benefits of HTTPS but still have chosen not to use it; there must be some reason for it."

InMobi already encrypts device identifiers so that if anyone sniffs ad requests, the data they would obtain couldn't be associated with specific device IDs, he said. "InMobi plans to encrypt all the user information using a secret key in our SDK before requesting an ad. This will be included in our next release of the SDK."
