Advertising is the financial lifeblood of the Internet. In the dawning mobile era, ads have invaded smartphones and tablets. Yet not every mobile ad provider plays nice. According to Lookout Security, 5% of free mobile applications include “aggressive” ads that invade privacy, change settings or deliver ads outside the context of the app, affecting 80 million downloads. What can app developers and ad providers do to curb aggressive ads, respect user privacy and enrich the ecosystem for users?

Ad Networks Do Not Always Play Nice

Lookout Security released a report on mobile advertising guidelines that outlines the best practices for app publishers and ad providers. The guidelines are intended to curb adware on mobile devices that generates spam, churns out notifications and uploads personal information without the user's consent. 

The first thing to understand about ads in mobile apps is that they are usually not provided by the app publisher. Ads are served into apps by third-party providers – ad networks – whose software library (an SDK) is compiled into the app. This is similar to the way the Web has worked for nearly two decades. For instance, if you have a blog with advertising on it, there is a good chance that a third party like Google delivers the ads. The difference on a phone is that the ad library runs inside the app's own process and inherits every permission the app was granted; the platform has no way to tell the app's code from the ad network's. Ad networks control open windows into an application. Ads go in the window, data about usage and users comes out. 

In March, North Carolina State University released a study detailing the behavior of the 100 most prevalent mobile ad libraries. The results were not encouraging. Several libraries performed a practice called "dynamic code loading": instead of shipping all of their code inside the app, they download additional code from their servers at run time and execute it. Because that code runs with the host application's permissions, it can reach whatever the app can – the device's unique identification number, contacts, calendars and messages – and because it is not in the package that was submitted to the app store, neither the developer nor the store review ever sees it. Some nefarious ad networks utilize dynamic code loading to upload personal information about the user to remote servers. The worst ad networks take contact information and send SMS and push-notification "spam" to the users and their contacts. 

Many application developers do not actually know how an ad network behaves when it is integrated into their apps. In a rush to make their apps profitable, developers use the ad network that offers the biggest payoff, regardless of what that might mean for users. Often, they have no idea (or just do not care) what the ad network is doing. 

“Developers are not thinking about acceptable best practices,” said Kevin Mahaffey, chief technology officer of Lookout.

Best Practices for Ad Networks and App Publishers

Lookout provides five guidelines for working with ad networks:

1. “Provide transparency and clarity to users about data collected, and present such information in a way that is readily accessible, easily understandable, and actionable by average users.”

Users do not interact directly with ad providers but rather do so through the app. That means the onus of transparency falls on the app developer to describe, as simply and as far up front as possible, what information the ad network is collecting and why. 

2. “Enable individual control – Mobile users must be able to exercise control over what identifying data is collected by Ad Providers, and how it is used. This is tied closely to Transparency & Clarity, in that App Publishers must make it easy for users to understand what tools are available to them by communicating this within the mobile app itself.”

Users should be able to turn off advertising easily. They should be able to keep their information from being used by the ad network. Lookout recommends that app developers adopt the TRUSTe Mobile Ads program, which lets users opt out of data collection by individual ad networks. 

3. “Provide context and control when experimenting with new Ad Delivery Behavior.”

An ad is usually some type of banner or a video that plays within an app. But mobile ads are evolving. Some ad networks place ads in the device's notification bar (as "push notifications"), modify browser bookmarks or add shortcuts to the home screen without permission. If an app is going to do something out of the ordinary, let users know. 

4. “Focused data collection – Ad providers should respect reasonable limits on the collection and retention of data collected from end user devices. The collection, usage and storage of data that can be used to uniquely identify a user on their device must be performed in ways that are consistent with the context in which users provide that data and accompanied by methods of user notice that reflect the relative privacy implications of such data.”

Ad providers should not use unique identifiers that can home in on precisely who a user is. A hardware identifier such as the device's IMEI cannot be changed and survives a factory reset, so a profile keyed on it follows the device for life and can be joined with any other data set that contains the same number. Data collection also refers to specific personal information such as user names, phone numbers, email addresses, demographic data, contacts and other social information, location and browser history. Personal information should be supplied by the user through a form, not automatically collected by the ad network through the app. 
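What the "individual control" and "focused data collection" guidelines above look like in code, as an added example (not Lookout's guidance text and not any real ad network's SDK or API): an ad-request builder that sends only a random, app-scoped, resettable identifier and coarse context, never the hardware ID or anything from the contacts list, and drops the identifier entirely when the user opts out. The device profile, request fields and forbidden-key list are constructed for the illustration.

```python
"""Added example: an ad-request builder that sends only a resettable
pseudonymous ID and coarse context, never the hardware identifier or
personal data, and honours a user opt-out. Names and the request shape
are assumptions for illustration, not any real ad network's API."""
import json
import secrets
from dataclasses import dataclass, field

# Constructed device profile: everything an ad SDK running with the host
# app's permissions *could* read. All values are fake.
DEVICE_PROFILE = {
    "imei": "356938035643809",
    "contacts": ["alice@example.com", "bob@example.com"],
    "location": {"lat": 40.748433, "lon": -73.985656},
    "locale": "en_US",
    "os": "Android 4.0",
}


@dataclass
class AdPrefs:
    """Per-app, user-controllable advertising settings (on a device these
    would live in the app's private preferences)."""
    opted_out: bool = False
    # Random, app-scoped ID: unrelated to the IMEI and cheap to reset.
    ad_id: str = field(default_factory=lambda: secrets.token_hex(16))

    def reset_ad_id(self) -> str:
        """User-triggered reset: the old profile cannot be linked to the new ID."""
        self.ad_id = secrets.token_hex(16)
        return self.ad_id


def build_ad_request(profile: dict, prefs: AdPrefs, slot: str) -> dict:
    """Build the payload for one ad slot with focused data collection:
    coarse context only, a resettable ID or none at all, never PII."""
    request = {
        "slot": slot,
        "locale": profile["locale"],
        "os": profile["os"],
        # Round to 0.1 degree (roughly 10 km) so location is context,
        # not a home address.
        "coarse_location": {
            "lat": round(profile["location"]["lat"], 1),
            "lon": round(profile["location"]["lon"], 1),
        },
    }
    if not prefs.opted_out:
        request["ad_id"] = prefs.ad_id
    return request


# Keys that must never appear in an ad request (constructed list).
FORBIDDEN_KEYS = {"imei", "contacts", "android_id", "email", "phone"}


def leaks_personal_data(request: dict, profile: dict) -> bool:
    """Guard for a unit test or a pre-send check: true if the request
    carries a forbidden key or any raw profile value (the IMEI string or
    a contact) anywhere in its serialized form."""
    if FORBIDDEN_KEYS & request.keys():
        return True
    encoded = json.dumps(request)
    if profile["imei"] in encoded:
        return True
    return any(contact in encoded for contact in profile["contacts"])


if __name__ == "__main__":
    prefs = AdPrefs()
    req = build_ad_request(DEVICE_PROFILE, prefs, "banner")
    print(json.dumps(req, indent=2))
    print("leaks personal data:", leaks_personal_data(req, DEVICE_PROFILE))
    prefs.opted_out = True
    print("opted out:", build_ad_request(DEVICE_PROFILE, prefs, "banner"))
```

The point of `leaks_personal_data` is that the developer, not the ad network, owns the check: run it against the SDK's outgoing requests in a test, and an identifier the network was not supposed to send becomes a failing build rather than a surprise in a report.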

5. “Transport security – Device or user identifying data must be secure and handled responsibly at all times by both App Publishers and Ad Providers.”

This is a big one and something that often slips through the cracks. For instance, LinkedIn created a recent scandal when roughly 6.5 million of its users' password hashes were posted online: the passwords had been stored as unsalted SHA-1 hashes, so a large share of them were cracked within days. Storage and transport are separate problems with separate fixes. Passwords and other secrets should be stored "hashed" and "salted" with a slow, purpose-built password hash, so that a stolen database cannot be reversed with a precomputed table; device and user identifiers in transit should go over transport layer security (TLS, the successor to SSL) with the server certificate actually verified, not over plain HTTP or a TLS connection whose certificate checks have been switched off. Developers need to be familiar with these best-practice measures before they ship an app that moves identifying data. 
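The two halves of that guideline in working code, as an added example that is neither the article's nor LinkedIn's: first the weak scheme, an unsalted SHA-1 store that a one-pass wordlist cracks, beside salted PBKDF2 with constant-time verification; then the TLS client context an app or ad SDK should use, with certificate and hostname checking left on. The user records and wordlist are constructed for the demo; the record format is an assumption.

```python
"""Added example, not the article's or LinkedIn's code: why an unsalted
SHA-1 password store falls to a wordlist, the salted, slow hash that
replaces it, and a TLS client context with verification left on.
The user records and wordlist below are constructed for the demo."""
import hashlib
import hmac
import secrets
import ssl

# Constructed data: three users, two of them sharing a weak password.
USERS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "linkedin", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: identical passwords give identical hashes, and a
    table of common words hashed once cracks every user who chose one."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist: list) -> dict:
    """Recover passwords by hashing the wordlist once and looking up."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The random salt is stored in
    the record, so the same password never yields the same record twice
    and a table built against one user is useless against another.
    Record format (an assumption): algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def client_tls_context() -> ssl.SSLContext:
    """TLS context for the transport leg: certificate validation and
    hostname checking on, SSL 3 and TLS 1.0/1.1 refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Stated explicitly because the usual 'fix' for a certificate error
    # in an SDK is to turn exactly these two settings off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    print("cracked from unsalted SHA-1:", crack_unsalted(weak, WORDLIST))
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("alice and bob records differ:", strong["alice"] != strong["bob"])
    print("verify alice:", verify_password("linkedin", strong["alice"]))
    ctx = client_tls_context()
    print("verify_mode:", ctx.verify_mode.name, "min:", ctx.minimum_version.name)
```

Note that salting does nothing for the transport leg and TLS does nothing for the stored copy; an app needs both, and a context built with `ssl.create_default_context()` and then handed to a client library is the cheapest place to make the transport half hard to get wrong.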

Everybody’s Problem

Privacy and security in the digital era are not just issues for individual apps, ad networks, brands or companies. Everybody is involved. Advertising is an important part of delivering free applications to users. App developers need to get paid or their apps will not be available. 

Ad networks should hold user privacy in the highest regard and be as clear and straightforward as possible with their intentions and practices. App developers must relay those intentions and practices to the end user in simple terms. Developers cannot just trust ad networks to do the right thing. They need to educate themselves on the ins and outs of ad delivery and network behavior. At the same time, just as developers cannot blindly trust ad providers, users cannot blindly trust app publishers. Users need to take responsibility for their own information and be aware of what they are downloading and how it works.