According to the IDG news service in the past few months the security researchers have detected serious issues in the field of mobile advertising libraries. The risks that are result of such issues like exploitation of permission to android apps, execution of unauthorized codes on a device of the user can be still reduced if the libraries make use of HTTPs according to the researchers.
It has been recently reported by the researchers from the firm FireEye that there are ad libraries that are exposing sensitive functions to JavaScript code that too over insecure connections which makes the apps that use them to be highly affected and attack the man in the middle. An attacker that is a person who can intercept traffic from these libraries can inject problem creating JavaScript code in the connection which can result in unauthorized actions of using the permissions to the apps of the host. The exposure begins from an Android API feature termed as addJavaSciptInterface which allows the JavaScript code that is running in the WebView to access the native functionality of the app. A WebView mentioned here is a type of browser window that is used by the apps to display the content of web.
Advertising libraries are also known as advertising SDKs and they consist of a third party code that is included by many of the developers in their apps so as to earn revenue from the advertisement that is displayed in the app. WebView feature is used by these libraries commonly for display of the ads which are loaded from a main server out of which many use the addJavaScriptInterface for more of advanced features. The users of Android devices can download products like Lookout’s Ad Network Director to keep a tab on what ad networks of mobile are running in their apps.
The risks in security come when the addJavaScriptInterface methodology is taken in use and the main content is uploaded in WebView over HTTP connection that is unencrypted. The FireEye researchers said that they have made an analysis that shows at least 47 percent out of the top 40 ad libraries persist with these vulnerabilities in at least one of their different versions which are in use actively on Google Play by the popular apps.
The security risks, however, that are associated with addJavaScript are known for a while. Researchers from London based security firm MWR InfoSecurity have reported in September, the use of addJavaScriptInterface combined with use of HTTPs can be exploited to attain a reverse TCP shell on a device.