Free mobile apps that use third-party advertising code are putting users in danger of being hacked, according to MWR InfoSecurity.
The firm found that ad networks were inheriting the permissions of free apps, granting them access to the address books, text messages and emails of potential victims if the network was compromised by hackers.
Robert Miller, a senior security researcher at MWR, said: "Most mobile devices contain a security model that means app A can’t easily see the data of app B and also can’t use the same permissions. So if app A can see your SMS and app B can’t, app B can’t ask app A for your SMS."
"However, if app A and app B contain code from the same ad network, then the ad network can view your SMS, if it wishes."
He added that hackers were "highly likely" to steal information if they took advantage of the "cross application" data vulnerability, and that the flaw could be used to track a person’s location using GPS, make phone calls and turn on the microphone or camera on a smartphone.
"Consumers need to understand the ecosystem of mobile applications. Free apps are supported by ad networks that trade in data," Miller added.
"While users may not be paying for that nifty application in monetary terms, they will be paying with their information. And this means that user data is only as safe as the ad network."
He added that advertisers should take more responsibility for security, while users should read permissions that apps request before downloading and installing them.
"Sadly, there is rarely a chance to pick and choose the permissions you are comfortable with, so if you don’t agree with any one of the permissions requested, don’t install the app," he said.