Advertising in mobile apps – how much is too much?

The annual Virus Bulletin conference starts on Wednesday in Berlin, Germany.

Numerous Sophos researchers will be giving papers this year, and with two Naked Security regulars in attendance (Chester Wisnieweski and John Hawes), we hope to bring you a blow-by-blow account of who says what, and why, as the conference unfolds.

Even though the event hasn’t started, however, I’d like to tell you about a paper that two of my long-term friends and colleagues from SophosLabs will be presenting.

Vanja Svajcer and Sean McDonald will be presenting a mixture of research, analysis and proposal they’ve written up under the headline Classifying Potentially Unwanted Applications in the mobile environment.

At this point, you’re probably wondering:

  • Why a write-up of a talk that hasn’t been given yet?
  • Isn’t every application potentially unwanted to someone?

Taking the second question first, you need to know that Potentially Unwanted Applications, or PUAs, are programs that aren’t unequivocally malicious.

Nevertheless, PUAs sail close enough to the metaphorical wind that well-informed system administrators often want to ban them from (or at least to regulate them tightly) on their networks.

Often, security products can’t block this sort of application by default, no matter how reasonable that might seem, for legalistic reasons.

For example, it’s easy to argue that a computer virus – a self-replicating program that spreads without authorisation or control – should be blocked outright.

On the other hand, you can argue that software that isn’t intrinsically illegal, but merely happens to be ripe for abuse, ought to be given the benefit of the doubt, and should be classified somewhere between “known good” and “outright bad.”

Indeed, if you are the vendor of such software – spyware that is sold to monitor children, or to investigate an errant spouse, for example – you might even choose to argue such a matter through the courts.

That’s why most security software has a category of possible threats known as PUAs, or perhaps PUPs (potentially unwanted programs), or Potentially Unwanted Software. (That’s Microsoft’s name, and the acronym proves that at least someone in Redmond has a sense of humour.)

PUAs are programs that some people may want to use, that don’t openly break the law, and yet that many people will want to block.

And now to the second question.

I’m writing about Vanja’s and Sean’s yet-to-happen talk in order to offer you a chance, in the comments below, to pose questions (or blurt out opinions) that I can send to them, as part of helping them with their work.

I’ll pass your comments and questions to them to consider in the “question time” at the end of their talk, thus giving you a chance of having your say from a distance!

After all, most of us aren’t going to be attending the VB 2013 conference (though there is still time to register if you’re in the Berlin area), but we probably have some feelings – perhaps even strong feelings – about PUAs in the mobile ecosystem.

That’s down to adware, one of the mobile world’s biggest sub-categories of PUA.

In Sean’s and Vanja’s own words:

Has the world of PUAs changed with the advent of mobile apps? As the revenue model for application developers changes, should the security industry apply different criteria when considering mobile potentially unwanted applications?

In mid 2013, there are over 700,000 apps on Google Play and over 800,000 apps on iTunes, with numerous alternative application markets serving their share of Android apps. The major source of income for most of the apps are advertising revenues realised by integrating one or more of advertising frameworks.

The difference between malware, PUAs and legitimate apps for mobile platforms is often less clear than in the desktop world... This leads application developers as well as developers of individual advertising frameworks into confusion about which features are acceptable.

Indeed, if you think about it, the appearance of banner ads inside mobile apps seems much more tolerable, and tolerated, than the same sort of thing in desktop applications.

Even amongst online ad-haters, there seems to be a general recognition that ads in mobile apps, done gently enough, represent a fair way for developers to earn a crust without needing to charge an up-front fee.

(Or there’s a reasonable and modest fee – typically a dollar or three – that will turn the ads off but still reward the developers.)

Vanja’s and Sean’s concerns, if they will forgive me oversimplifying what they have argued, is that the computer security industry would like to be proactive in stamping out aggressive – possibly even dangerous and privacy-sapping – mobile adware behaviour.

At the same time, the security industry doesn’t want to spoil the ad-supported mobile app industry for those who are prepared to play fair.

But where do we draw the line?

Sean and Vanja identify several grades of adware aggression in the mobile world:

  • Banner ads. (Appear in ad-sized windows in the app itself, and are visible only in the app.)
  • Interstitial ads. (Typically fill the screen temporarily, for example between levels in gameplay.)
  • Push or notification ads. (Use the operating system notification area to present their message.)
  • Icon ads. (Appear outside the app, even after it exits, typically as home screen icons.)

So, what do you think? How far is too far in the ad-funded mobile ecosystem?

Let us know and we’ll pose your questions and comments from the floor at the Virus Bulletin conference…