This work investigates privacy characteristics of Android advertising libraries. Taking a sample of 114,000 apps, we extract and classify their ad libraries. We then seek to understand how they make use of sensitive user data. First, we study the use of permission-protected Android API calls that provide access to user data. Here, we measure change over time by distinguishing unique versions of each library, dating them, and calculating their permission usage. We find that the use of most permissions has increased over the last several years, and that more libraries are able to use permissions that pose particular risks to user privacy and security. Next, we shift to the application side and consider information passed directly from the application to the ad library. We do this by reconstructing the APIs for our libraries, and examining how those APIs are used in our sample of Android applications. We find that many applications pass personal information directly to their ad libraries, without any need for the library to query the operating system directly. This behavior is most common in more popular applications, suggesting that the promise of advertising dollars encourages application developers to violate users' privacy. Finally, we examine the interface between ad libraries and their datacenters. Focusing on the most popular ad library, we create a network of simulated mobile devices and collect 225,000 individual ads. We use differential correlation to measure the features used to target ads. We find that ads are targeted by application, time, location and user, and quantify those observations. In sum, we find that ad libraries make use of both the operating system and their host application to collect sensitive information about their users, and that this information is, in turn, used for ad targeting.