Monetization of mobile applications: Everything about user profiling

Posted by Roxane Suau on October 12, 2018

Films and books often depict societies where citizens are constantly spied on. Even though this vision is exaggerated, these narratives lead us to put the concept of confidentiality in our era into perspective.


Profiling

Smartphones and tablets are mobile tools that we rely on daily and that directly manipulate our sensitive data (SMS, calendar...). Our habits, preferences, opinions, travel, etc. are also within their grasp.

A free mobile application embeds an average of 6 marketing libraries which turn it into an advertising space, where targeted ads are displayed and from which user data are collected and resold. And this is the reason behind the strong craze for advertising libraries: they make mobile applications profitable.

At a larger scale, we observe that the same advertising libraries come up frequently. We identified the 3 most widespread libraries among a sample of applications coming from every category, in more than 40 countries. The first is integrated in 43% of applications, the second in 10%, and the third in 8%. More concretely, this affects millions of applications, and billions of pieces of data are sent to the servers of these three advertising companies.

During a study, we noticed that social and game applications are the ones that embed the most ad libraries. However, when looking into applications dedicated to more serious operations, in the banking or health area, the results are concerning. Indeed, some of them also include advertising modules, despite the high confidentiality of the data they manipulate.

From a more technical point of view, the method developers usually use to integrate advertising libraries is basic: it simply calls the API to launch the library's main service. With no further indication, marketing companies are allowed to gather all the data collected by the applications integrating their library.

Although these practices are allowed, few mobile users can accurately identify the data accessed by their applications, and very few are aware that this data is nearly always sold. The variety of application categories affected and the widespread use of the 3 libraries observed show that some companies establish very precise user profiles, including contacts, call logs, photos, SMS, calendar, travels, preferences, and more.

To control access to mobile data and prevent exfiltration, companies can rely on mobile security solutions such as Pradeo Security. Pradeo’s Mobile Threat Defense solution protects mobile devices against threats operating at the application, network and device levels. It ensures personal and corporate data protection via on-device detection and remediation.


Topics: Cybersecurity, Mobile Security