Shopping cart of online store showing shopping apps share permissions with ad networks

Ad Networks Embedded in Popular Shopping Apps Sponge off of Permissions, Have Worrying Levels of Access to Consumer Phones

A new study from Dutch privacy group Incogni finds that many popular shopping apps, including some from Amazon, are coming bundled with an unpleasant surprise: sharing of their wide-ranging permissions with ad libraries, allowing ad networks indirect access to the device.

There are dozens of these third party ad networks that interface with shopping apps, and the apps may be granting background access to anywhere from 1 to 13 of them. The ad networks wind up with the same permissions to access the device that the shopping apps are given, and over half of these apps ask for the ability to rifle through USB storage and take photos or videos.

Permissions granted to shopping apps leak out to ad networks via embedded libraries

The study examined the nuts and bolts of 640 of the most popular shopping apps currently available via the Google Play Store. About two-thirds of these make use of these ad libraries, and on average these apps connect with 1.8 ad networks that can share phone permissions. Of the shopping apps that do include libraries, 83% request some sort of permission that could expose sensitive personal information.

Among the most common permission for shopping apps to ask for is the ability to take pictures and videos (55.5%). There are benign reasons for these apps to ask for this permission, such as allowing for photo uploads for a return or for scanning QR codes, and usually nothing is done without first being initiated by the user. But it is possible for this permission to be abused, and it is unknown what the ad networks will do with it once they have it.

Another very common permission granted to shopping apps is the ability to access USB storage (58.4%). This is sometimes a generic permission included due to the fact that phones commonly rely on an SD card for the bulk of file storage, but there is less specific reason for shopping apps to need this.

48.3% ask for access to precise GPS location, 22.3% ask to record audio, 15.8% ask to have access to contact lists, 8% want the ability to make calls to phone numbers, and 6% want access to the calendar. All things that may have legitimate uses for shopping apps, but are ripe for abuse by rogue or malign ad networks that also end up with these permissions.

Android structure creates back door for ad networks

Ad libraries are a type of software development kit (SDK), a package of third party code that apps very frequently turn to for assorted functions. In this case, the function is showing ads for the store’s products on user devices (usually targeted by personal interest) and moving the users that click through back to the store. Google’s AdMob is the most popular of these ad networks, used by over 60% of the shopping apps studied. Other popular choices include AppsFlyer, Adjust and Facebook Audience Network.

The central problem is that Android does not distinguish between permissions granted to an app the user actually interacts with, and permissions for the libraries the app is using. In addition to concerns about privacy invasion, attackers sometimes leverage ad networks to deliver malware in this way. The report notes that this has happened already, with incidents in 2016 and 2017 involving two different ad networks that collectively impacted hundreds of Play Store apps.

While the malware incidents involved smaller ad networks, the study finds that the big-name and popular shopping apps are not necessarily much safer than the more obscure ones. Bigger shopping apps actually tend to use more ad libraries, with apps in the millions of downloads having a slightly higher average of 1.9 ad networks per app. The smallest apps had an average of 1.6 ad networks. The worst of the apps had 12 or 13 ad networks integrated, and most of these were smaller off-brand “shopping list” apps, but the one of the biggest offenders was Chinese powerhouse AliShop.

More popular apps also tend to request more permissions. Amazon led the list in this category; the Indian version of its app requests 64 permissions, the general shopping app requests 61 and the Amazon Business app requests 60.

#Adnetworks wind up with the same permissions to access the device that the #shoppingapps are given, and over half of these apps ask for the ability to rifle through USB storage and take photos or videos. #privacy #respectdataClick to Tweet

What alternatives do consumers have? Many of these permissions can be denied without impacting the shopping app’s basic functionality, but the surest way to avoid mobile ad networks is to shop through a retailer’s website using a web browser instead. Privacy-focused browsers such as Brave, Chromium and LibreFork automatically strip and block many of the invasive components of ad networks right out of the box. Other major browsers, such as Firefox and Edge, can be made more secure with some tweaking of default settings and addition of plugins.