Risk Implications of Push Advertisement in Android System
Push Advertisement (Push Ad)
Recently, Android users have reported receiving unknown advertisements in the notification bar. Investigation shows that these are "push ads" (push advertisements), which display notification messages at irregular intervals, such as text ads, game recommendations, app updates and app recommendations.
Fig 1. Push Advertisement
Push ads are not only annoying; they also bring hidden security risks. To avoid the nuisance of push ads, we first have to understand how the relevant parts of Android work.
Notification Bar
The notification bar is nothing new to Android users. In addition to the clock, battery level and network signal information, the system displays messages or app update information on the top bar of the user interface when it receives any.
The notification bar is very convenient: users can read messages at a quick glance. Take SMS for instance (Fig 2): when you receive an SMS message from a friend, you can slide down the notification bar and preview the message. When you click on the message, the SMS app starts so that you can reply instantly.
Fig 2. SMS Notification
Push Message
"Push Message" is one of the services of the Android system, called "Google Cloud Messaging for Android" (GCM). The previous generation was called "Cloud to Device Messaging" (C2DM). The service is provided by Google. If an app uses this service, its developer can send messages to users whenever necessary. For example, WhatsApp, a popular messaging tool, uses this kind of service. The Android phone does not need to keep polling the messaging server; the server sends a message to the phone only when there is one for the user.
Fig 3. Basic flow of Cloud to Device Messaging
Making use of the GCM service, some advertising agencies act as the connection between developers and commercial companies. By using the API provided by these agencies to send push ads, developers can earn a share of the advertising revenue.
Note: An app that uses the GCM service must be granted the "Cloud to Device Messaging" permission (c2dm.permission.RECEIVE).
For more details of GCM, refer to: http://developer.android.com/guide/google/gcm/index.html
Background services of Android
Android provides a multi-tasking environment that lets you run multiple apps in the foreground and multiple services in the background simultaneously. Because services run in the background, it is not easy to tell which apps are running. Some apps can even start automatically when the system boots. Although nothing about the running app is shown on the phone interface, the app is already running in the background.
Fig 4. Apps serving in the background
If a downloaded app holds the "Auto-start at boot" permission (RECEIVE_BOOT_COMPLETED), it can start automatically and register for the cloud messaging service after the phone is powered on. The phone is then ready to receive push messages, but users are unlikely to be aware of this process. If the app receives push advertisements, or proactively fetches advertisements from the server to display, it becomes very annoying.
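The combination described above can be checked from an app's manifest. The following is an added example, not part of the original article: it assumes the manifest has already been decoded to text XML (inside an APK it is stored in binary form), uses the full permission names com.google.android.c2dm.permission.RECEIVE and android.permission.RECEIVE_BOOT_COMPLETED, and runs on a constructed sample manifest for a hypothetical package com.example.freegame.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PUSH_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(manifest_xml):
    """Return the push and auto-start findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    # Receivers that declare an intent filter for the boot broadcast.
    boot_receivers = [
        rc.get(ANDROID_NS + "name")
        for rc in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in rc.iter("action"))
    ]
    can_push = PUSH_PERMISSION in permissions
    auto_start = BOOT_PERMISSION in permissions and bool(boot_receivers)
    return {
        "package": root.get("package"),
        "can_receive_push": can_push,
        "starts_at_boot": auto_start,
        "boot_receivers": boot_receivers,
        # Both together: the app can register for push after power-on
        # without the user ever opening it.
        "silent_push_capable": can_push and auto_start,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Either permission alone is common in legitimate apps; the finding worth reviewing is the two together in an app that has no obvious need for them.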
Risk Implications of Push Advertisement
Some users think that push advertisements are nothing more than a nuisance. In fact, that is not true.
Problem 1: Data usage increase
Push advertisements may consist of text and images. This content consumes your mobile data allowance. If you are overseas, data roaming charges can be a significant expense.
Problem 2: Battery drain
Push advertisements are usually accompanied by notification sound and vibration. Receiving a lot of push advertisements will drain your phone battery.
Problem 3: Produce useless files
Some push advertisements may contain image files. These files are temporarily downloaded and stored on your phone, where they consume storage capacity.
Problem 4: Trigger other information security problems
Many apps that carry push advertisements require a lot of permissions. Some advertising messages look like normal system messages, software updates, etc. If users are not alert to the content of a message and click on it, they might be taken to high-risk or phishing websites. Because the app has already been granted a lot of permissions, the risk of hacking and privacy leakage increases.
Of the four issues mentioned above, "Trigger other information security problems" carries the highest risk. Our next article, "Safeguard your phone from Push Ad", discusses solutions to the information security problems caused by push ads.