Eric Johnson

Recent Posts by Eric Johnson

After Spat Over Apps and Privacy, Bitdefender and Airpush (Mostly) Hug It Out


Sergey Nivens /

You have a lot of personal information on your phone, and widespread mobile Internet access has given rise to a security industry that tries to warn against privacy-invading software via installable apps.

So, it was with great interest that I opened a recent email from one of those mobile security companies, Bitdefender, with the subject line “New Android app tells which apps spy on you.” After some back and forth, I acquired a list of Google Play games that one of Bitdefender’s apps, Clueful, claimed were “high risk.”

What did “high risk” mean? To Clueful, apps put users at risk when they leak information like email addresses or phone numbers, and insert advertisements into the push notification bar or Android home screen. And all five of the games it red-flagged had one thing in common: The ad network Airpush.

As you might expect, Airpush had a thing or two to say about that.

Several Airpush and Bitdefender execs talked earlier this week, and (sorry, drama fans) appear to be on happy, even cooperative, terms after the fact. Airpush’s marketing VP, Cameron Peebles, said their discussions were “so productive that we are going to continue to work together” on public awareness campaigns about ads and privacy.

So, what happened? According to sources at both companies, an older version of Airpush’s SDK did not include the option to opt out of a feature that would pass users’ email addresses and phone numbers to an advertiser’s landing page when they tapped on an ad. Clueful saw this behavior and reported it as “leaking” that info, but Airpush insisted the info was never stored on its servers. It only left the device when users chose to submit a registration form to the advertisers.

In any case, that feature was only used by “less than half a percent” of advertisers, Airpush CEO Asher Delug said. Although some apps with the old SDK — the ones Clueful caught — are still in the wild, the email/phone-sending feature has also been “deprovisioned on the advertiser side,” Delug added.

On Bitdefender’s side, the fact that Airpush’s newer SDKs provide the choice of opting in or opting out of any data collection seems to have satisfied its security team. With dozens of other ad networks out there, Chief Security Researcher Catalin Cosoi said, Bitdefender will be focusing more on how much choice consumers are given about data collection.

Cosoi said the fact that all five of the high-risk apps were on the Airpush network was a coincidence.

That said, Clueful will continue to label some Airpush-using apps as “high risk” if they use that old SDK or if they tap into some of the still-currently-offered Airpush advertising features. Ads that appear in push notifications or the home screen are still a problem, as far as Bitdefender is concerned.

Delug said those sorts of ads are still okay because it’s possible for users to permanently opt out of them, and they are popular among Airpush’s clients.

Latest Video

View all videos »

Search »

There was a worry before I started this that I was going to burn every bridge I had. But I realize now that there are some bridges that are worth burning.

— Valleywag editor Sam Biddle