Advertising within mobile apps can leave users open to privacy and security risks, according to research carried out by academics at North Carolina State University.

In a study of 100,000 apps available from Android Market between March and May 2011, 48,139 apps were found to have ad libraries that track the location of phones via GPS, most likely to better target users. Of more concern, 4,190 apps had ad libraries that allowed advertisers themselves to access user locations. Other ad libraries accessed call logs, phone numbers and lists of apps on devices.

The study also found that 297 apps included “aggressive” ad libraries that were set up to download and run code from remote servers, one of the most extreme examples of the risks being presented to user privacy and security.

Assistant professor of computer science at the university, Xuxian Jiang, said code downloaded from the Internet “could be anything” and could potentially launch root exploit attacks to take control of devices in a similar way to the recently discovered Android malware RootSmart.

Many free apps incorporate advertising as a way to generate revenue and use ad libraries to retrieve ads from remote servers to run them on the device. The ad libraries often have the same permissions granted to the apps, despite the user not necessarily being aware of the fact.

These ad libraries could also be a security risk if hackers use them to get past Android’s security protection. Jiang said that to minimise these kinds of risks, ad libraries need to have permissions separate from apps.

“The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms,” said Jiang.