Recently, I had the opportunity to sit down and chat with a few Android users who aren’t computer scientists. One of the things that we talked about was advertising. If a person mentioned using an app with ads, I asked, “Do you think the advertiser can use the app’s permissions?” Twelve people answered this question:
- Yes: 5
- No: 2
- I don’t know: 5
People were right to be confused by the question. The correct answer is complex (check out the last paragraph of this blog post). However, I wasn’t trying to test people. Instead, I wanted to get a general sense of what people think the relationship is between ads, applications, and permissions.
Some people didn’t think the advertiser should get permissions:
- “I gave these permissions to [app name]. No permissions to the ad.”
- “They can have advertisements like TV has advertisements, a million people’s phones can have advertisements, but they shouldn’t have access to your phone just cause they have advertisements on them. They shouldn’t get a permission at all.”
- “I guess it’s possible, depending on their relationship with whoever made the app. But I couldn’t imagine why they would have permissions that would go through my phone state and identity. … I hope not.”
On the other hand, some people said that they think it’s reasonable for advertisers to get access to information about them via permissions:
- “I’ve read that advertisers are sending people things on mobile devices based on, like– you might be near some store, so you might get something that pops up on your phone that says, ‘We’re giving a two for one deal today in the next two hours,’ or so.”
- “They probably get at least location-based so they know where people are accessing it and where they’re downloading it from, how they’re getting to their ads most likely.”
- “The advertisers could use what I look up on the Internet to better, I guess, suit the ads that they put in for my specific [ads]. When I’m searching for things if it has access to what I look for on the Internet, it could find and put ads that are similar to interests I’ve looked up on the Internet to my phone.”
These are just simple anecdotes, but I find them interesting.
It’s hard to gauge how people feel about advertising and permissions because they don’t understand Android permissions to begin with. For example, the person who mentioned Internet search history made that statement because he misunderstood an unrelated permission that does not give access to Internet search history.
Can an advertiser use an app’s permissions?
When you see an advertisement in an application, there are three parties. First, there’s the application itself, which asks the user for permissions. Second, there’s the advertising library, which is shoved into the application and therefore gains access to all of the app’s permissions. Third, the advertising library displays the advertisement itself. The advertisement can’t directly use any of the permissions, but the advertising library might share information with the company that is running the ad. So if you see an REI ad while playing a game, you should know that the invisible ad library gets all of the game’s permissions, and it might share information like your location with REI.
P.S. Thanks to Elizabeth Ha, Serge Egelman, Ariel Haney, and Erika Chin, who interviewed users with me.
Did you ask people about permissions other than location and Internet? Libraries get all the permissions but the responses here are only about location.
This post is mentioned in a TechRepublic article: http://www.techrepublic.com/blog/security/android-apps-and-advertising-a-bit-too-cozy/7003?tag=content;blog-list-river
Ian — We asked people about all of the permissions, but no one mentioned anything but location. I think it’s because people didn’t understand what the other permissions meant.