Researchers reviewed the accuracy of personalised ads that were served to test subjects based upon their personal interests and demographic profiles; and examined how much a mobile app creator could uncover about users because of the personalised ads served to them.
They found that 73 percent of ad impressions for 92 percent of users are correctly aligned with their demographic profiles.
Researchers also found that, based on ads shown, a mobile app developer could learn a user's gender with 75 percent accuracy, parental status with 66 percent accuracy, age group with 54 percent accuracy, and could also predict income, political affiliation, marital status, with higher accuracy than random guesses.
Some personal information is deemed so sensitive that Google explicitly states those factors are not used for personalisation, yet the study found that app developers still can discover this information due to leakage between ad networks and app developers.
"Free smart phone apps are not really free. Apps - especially malicious apps - can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user," said Wei Meng from Georgia Institute of Technology.
"Mobile, personalised in-app ads absolutely present a new privacy threat," Meng said. Mobile app developers choose to accept in-app ads inside their app. Ad networks pay a fee to app developers in order to show ads and monitor user activity - collecting app lists, device models, geo-locations, etc, researchers said.
This aggregate information is made available to help advertisers choose where to place ads. Advertisers instruct an ad network to show their ads based on topic targeting (such as "Autos & Vehicles"), interest targeting (such as user usage patterns and previous click throughs), and demographic targeting (such as estimated age range), they said.
The ad network displays ads to appropriate mobile app users and receives payment from advertisers for successful views or click-throughs by the recipient of the ad.
In-app ads are displayed unencrypted as part of the app's graphical user interface. Therefore, mobile app developers can access the targeted ad content delivered to its own app users and then reverse engineer that data to construct a profile of their app customer, researchers said.
"Mobile devices are intimate to users, so safeguarding personal information from malicious parties is more important than ever," said Wenke Lee from Georgia Institute of Technology.