Mobile app ads security

When deciding to monetize a mobile app, you are looking at following one of 2 routes: free and with ads, or paid. And obviously you want to distribute one package. I’m leaving the advert provider and the implementation as well as the payment platform (damn, that’s another angle to test) to the code jockeys, but…

Security, to keep this focused: when showing ads, what security checks should I be doing, aside from obvious ones like whether tapping on an advert takes me to an app or a page that could be malicious?

  1. I assume adverts can take users to a web page - not much we can do about that, is there? How can I check if that’s even a real security vulnerability?
  2. I assume an advert can take you to the advertised app’s store page. Are there any side attack vulnerabilities this can present?
  3. An advert causes my app to lose focus, does it not? What side attacks can that create? Backgrounding differs for Apple and Android, all very technical, and we are still in the design phase, so it is hard to actually test any assertion. Is the advert an “activity”? But… I am concerned because customer sensitive data will normally be displayed by us after the advert closes… yuck. Sensitive data may also precede the advert, and I don’t want any of this leaking.

Things to look out for, since my main responsibility is normally the desktop, not mobile.
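One defensive pattern for point 3 (sensitive data shown before and after a full-screen ad takes focus), as an added Android example that is not code from this thread or from any ad SDK. It assumes a layout with a data panel and an opaque cover view; the view ids and the session check are hypothetical.

```kotlin
// Added example (not from the thread): an Activity that displays account
// data around an interstitial ad and blanks it whenever the Activity
// leaves the foreground (ad shown, app switcher, another app on top).
// Assumed: R.layout.activity_account contains R.id.sensitive_panel and
// R.id.privacy_cover; sessionStillValid() is a placeholder.
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

class AccountActivity : AppCompatActivity() {
    private lateinit var sensitivePanel: View
    private lateinit var privacyCover: View

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE: the OS refuses screenshots and screen recording of
        // this window and blanks its thumbnail in the recent-apps switcher.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_account)
        sensitivePanel = findViewById(R.id.sensitive_panel)
        privacyCover = findViewById(R.id.privacy_cover)
    }

    // Runs before any other Activity (including an ad SDK's own
    // full-screen Activity) comes to the front: hide the data first.
    override fun onPause() {
        sensitivePanel.visibility = View.INVISIBLE
        privacyCover.visibility = View.VISIBLE
        super.onPause()
    }

    // Back in the foreground: restore the data only while the session is
    // still valid; otherwise leave and let the caller re-run login.
    override fun onResume() {
        super.onResume()
        if (sessionStillValid()) {
            privacyCover.visibility = View.GONE
            sensitivePanel.visibility = View.VISIBLE
        } else {
            finish() // assumed: the launching flow shows authentication again
        }
    }

    private fun sessionStillValid(): Boolean = true // placeholder check
}
```

This covers what leaves the screen (captures, recents thumbnails, the moment of focus loss); it does nothing about code running inside the same process, which is the separate concern raised later in the thread.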

Oh boy, security testing … where to start :slight_smile: Well, I work for a big international bank and we have (obviously) a mobile banking app. So I’m not confronted with the advertising stuff on there (lucky me).
But in order to point out what you should really be testing I need more info about the app.
For example, does the app use authentication means? Are you using an SSL connection towards your servers? Are the ads in an authenticated zone or not? Etc. … In the first place you should look at whether the ads have access to (like you already pointed out) sensitive data of your users. If we take the example of Google and Facebook, they do have access so they can throw out tailored ads. Is this something the ad service does or not? So a million questions :slight_smile:

But in general I don’t treat an app differently than a web application in terms of security. Things like cross-site scripting, SQL injection, data intrusion, man-in-the-middle attacks etc. … are all possible on both apps and web based tech. The most important part for me anyway is that a hacker should not be able to steal data and/or, in my case, be able to change money / credit transfers.

In the end also never forget that nothing is 100% secure, but you can make it as secure as possible :slight_smile:
As I said, I’ll be in Brighton; let’s talk over a beer or 2 and share our thoughts there :slight_smile:

He He.

I hate this whole job separation thing we do, because it can easily expose points at which a product not yet released gets tainted if we are working on a new thing. Nobody wants a leak that turns sour traced back. I love that test do get involved a lot earlier these days. When your org is agile, things move so fast you don’t actually get time to “explore” very deeply. But yes, my reason for asking about pointers is exactly that. The application, specifically when adverts are shown, will actually have a secured connection going on; a variety of reasons mean this will never fly in a financial application due to regulation.

But I don’t know much about Swift and native apps, but enough to know that it’s all in your process space. The mobile OS is unable to intervene by its very design. However, I am assuming that the AdMob component must be doing things to prevent memory probes from within their framework. I am thinking that we might be live by the time we meet, so I’ll have to bring a few devices with me to “hackfest”.

Oh giddy stuff to play with LOVE IT :slight_smile:
