Advertising in mobile apps - how much is too much?

Filed Under: Featured, Malware, Mobile, Privacy

The annual Virus Bulletin conference starts on Wednesday in Berlin, Germany.

Numerous Sophos researchers will be giving papers this year, and with two Naked Security regulars in attendance (Chester Wisnieweski and John Hawes), we hope to bring you a blow-by-blow account of who says what, and why, as the conference unfolds.

Even though the event hasn't started, however, I'd like to tell you about a paper that two of my long-term friends and colleagues from SophosLabs will be presenting.

Vanja Svajcer and Sean McDonald will be presenting a mixture of research, analysis and proposal they've written up under the headline Classifying Potentially Unwanted Applications in the mobile environment.

At this point, you're probably wondering:

  • Why a write-up of a talk that hasn't been given yet?
  • Isn't every application potentially unwanted to someone?

Taking the second question first, you need to know that Potentially Unwanted Applications, or PUAs, are programs that aren't unequivocally malicious.

Nevertheless, PUAs sail close enough to the metaphorical wind that well-informed system administrators often want to ban them from (or at least to regulate them tightly) on their networks.

Often, security products can't block this sort of application by default, no matter how reasonable that might seem, for legalistic reasons.

For example, it's easy to argue that a computer virus - a self-replicating program that spreads without authorisation or control - should be blocked outright.

On the other hand, you can argue that software that isn't intrinsically illegal, but merely happens to be ripe for abuse, ought to be given the benefit of the doubt, and should be classified somewhere between "known good" and "outright bad."

Indeed, if you are the vendor of such software - spyware that is sold to monitor children, or to investigate an errant spouse, for example - you might even choose to argue such a matter through the courts.

That's why most security software has a category of possible threats known as PUAs, or perhaps PUPs (potentially unwanted programs), or Potentially Unwanted Software. (That's Microsoft's name, and the acronym proves that at least someone in Redmond has a sense of humour.)

PUAs are programs that some people may want to use, that don't openly break the law, and yet that many people will want to block.

And now to the second question.

I'm writing about Vanja's and Sean's yet-to-happen talk in order to offer you a chance, in the comments below, to pose questions (or blurt out opinions) that I can send to them, as part of helping them with their work.

I'll pass your comments and questions to them to consider in the "question time" at the end of their talk, thus giving you a chance of having your say from a distance!

After all, most of us aren't going to be attending the VB 2013 conference (though there is still time to register if you're in the Berlin area), but we probably have some feelings - perhaps even strong feelings - about PUAs in the mobile ecosystem.

That's down to adware, one of the mobile world's biggest sub-categories of PUA.

In Sean's and Vanja's own words:

Has the world of PUAs changed with the advent of mobile apps? As the revenue model for application developers changes, should the security industry apply different criteria when considering mobile potentially unwanted applications?

In mid 2013, there are over 700,000 apps on Google Play and over 800,000 apps on iTunes, with numerous alternative application markets serving their share of Android apps. The major source of income for most of the apps are advertising revenues realised by integrating one or more of advertising frameworks.

The difference between malware, PUAs and legitimate apps for mobile platforms is often less clear than in the desktop world... This leads application developers as well as developers of individual advertising frameworks into confusion about which features are acceptable.

Indeed, if you think about it, the appearance of banner ads inside mobile apps seems much more tolerable, and tolerated, than the same sort of thing in desktop applications.

Even amongst online ad-haters, there seems to be a general recognition that ads in mobile apps, done gently enough, represent a fair way for developers to earn a crust without needing to charge an up-front fee.

(Or there's a reasonable and modest fee - typically a dollar or three - that will turn the ads off but still reward the developers.)

Vanja's and Sean's concerns, if they will forgive me oversimplifying what they have argued, is that the computer security industry would like to be proactive in stamping out aggressive - possibly even dangerous and privacy-sapping - mobile adware behaviour.

At the same time, the security industry doesn't want to spoil the ad-supported mobile app industry for those who are prepared to play fair.

But where do we draw the line?

Sean and Vanja identify several grades of adware aggression in the mobile world:

  • Banner ads. (Appear in ad-sized windows in the app itself, and are visible only in the app.)
  • Interstitial ads. (Typically fill the screen temporarily, for example between levels in gameplay.)
  • Push or notification ads. (Use the operating system notification area to present their message.)
  • Icon ads. (Appear outside the app, even after it exits, typically as home screen icons.)

So, what do you think? How far is too far in the ad-funded mobile ecosystem?

Let us know and we'll pose your questions and comments from the floor at the Virus Bulletin conference...

, , , , , , , , , ,

You might like

6 Responses to Advertising in mobile apps - how much is too much?

  1. mtlevy · 387 days ago

    One of the best implementation of ads I've seen is in the Handcent SMS app.

    Although the app is ad-supported, they only appear in the settings menu, and therefore don't encroach on day-to-day use.

    unsure how much revenue this actually generates for the developer, but it does represent a possible compromise.

  2. With small devices, on some apps, the ads cover the screen, rendering the app unusable. Also, some apps opt to display full screen ads for limited time (like 5 seconds) before letting you continue between levels.

  3. MattD · 386 days ago

    One app I use has a banner in-game and a pop-up ad when the game loads.

    I don't mind either in principle, except that the pop-up appears randomly: not every time it launches, and not always instantly, but within 1-2 seconds at most.

    Compounding this, the "Yes, please take me to the Play Store and let me buy this" button appears over the "Play new game" button when I launch the app. Which is obviously done on purpose to drive users to the Store by accident.

    That is over the edge imho, and I'd stop using the app if I hadn't learnt to expect and manage that behaviour.

  4. Deramin · 386 days ago

    "Even amongst online ad-haters, there seems to be a general recognition that ads in mobile apps, done gently enough, represent a fair way for developers to earn a crust without needing to charge an up-front fee."

    I think most online ad-haters mostly just want a gentle touch when it comes to ads. Text ads that can be ignored are ok in any setting (provided they're not malicious, of course). But bright, flashing attention whore ads break my brain and prevent me from using the site or software, so I ban them in any setting (or stop using the app or site that spawns them). Adblock Plus is a disability aid if you have ADD on the internet.

    In mobile apps I think consistency counts for a lot. Ads that pop up under my fingers when I'm trying to do something are very irritating. I'd almost call that a form of click fraud because you're not convincing people to click on the ad, you're tricking them. A defined ad space which quietly serves text ads is good for everyone.

    I think PUA blockers for mobile aps need an equally light touch. Don't have one list, have several which are targeting specific types of app behavior. And make it easy for administrators to make their own blacklists, and whitelists. It would also be great if lists like these could be set for different groups of users. A BSOD screen saver is hilarious among the IT drugeons, but could be used as ransomware against less savvy users. *Potentially* is the key word in PUA. You can't make judgements for all PUA for all users.

  5. Hearth · 385 days ago

    Any unwanted push notifications, be they ads or they "hey don't forget to use our app" type, merit an immediate uninstall from me (and I wont touch an app that I know uses them).

    I don't *mind* ads in free apps, provided the bandwidth they use is limited - ie: not huge graphics and not refetching new ones every 30 seconds - as it costs too much in data charges. I'm also of agreement that ads of the "attention whore" variety have no place anywhere on any of my devices, systems, websites, etc. I just don't need the aggrivation - I no longer even watch commercial television because I can't be bothered to sit through all the rubbish.

    I much rather pay a *reasonable* price to have a more pleasant experience. If the price is too high, or the ads/etc too annoying, I will simply find an alternative.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog