What mobile ads know about mobile users Sooel Son – Google, Daehyeok Kim – KAIST, Vitaly Shmatikov – Cornell Tech Presented by Isabel Zhuang

introduction Mobile advertising allows many mobile applications to obtain revenue without directly charging users May incorporate ad libraries called AdSDKs to support advertising To increase user response, demand for modern AdSDKs to support media rich content with active JavaScript, images and videos AdSDKs need to provide caching of ad content and access to external storage

Problem Why is this a problem? Ads are fetched dynamically They originate from other advertising networks Ad content can be redirected and obfuscated Difficult for AdSDKs to analyse or sanitize their ads They could be untrusted and damage the user’s device or extract private information Ad isolation required

Motivation Mobile advertising is very popular More opportunities for an attacker Greater chance of creatives to be displayed on user devices Do not have to evade app store filters (eg, Google Bouncer) as seen with applications Realistic threat in mobile advertising ecosystem The question: What can an advertisement learn about the user of the device they are displayed on?

Key Words Creative Advertising impression AdSDK An image that can be rendered as an advertisement on an ad serving platform Advertising impression A creative that is delivered and displayed on a mobile device AdSDK An advertising library developers can use to integrate ads into their application Fetches and displays ads when the application is running

Experiment set up Assumptions: Environment: Application is benign AdSDK is benign Advertisers untrusted Impressions contain malicious content Environment: Ads shown in a embedded WebView browser that prevents JavaScript reading content from other origins Different permissions to host app and AdSDK

Experiment set up Cont. 4 popular AdSDKs: 4 Target Apps AdMob - Google MoPub - Twitter AirPush - Private AdMarvel – Opera Software 4 Target Apps Applications that create files in external storage on a user’s device (Do not need to use AdSDKs) 4 Attack-Vector Apps Any ad-supporting application using one of the AdSDKs previously mentioned to show malicious ads

Mobile advertising ecosystem Experiment Aim: To determine what information AdSDKs sent to AdSDK Providers and make available to advertisers Method: Integrate AdSDKs into android test apps Use proxy server to analyse ad requests sent by AdSDK Mobile advertising ecosystem

Inference Attacks Data mining technique to infer sensitive information about users As a result, can allow advertisers to target users with ads based on user profiles In this context, achieved by reading or inferring existence of local resource files to find out information about the user

Simulating Malicious Advertisers Intercept creatives sent to mobile devices Add a script element to fetch another JavaScript file Fetched file runs in context of advertising creative to attempt to collect or infer sensitive information

Results Successfully determine drugs user searched for Means that an app using that AdSDK, displays the attack ad which can find out which medications the user shopped for Results Successfully determine drugs user searched for Can infer gender preference Correctly identified all site visited by Dolphin Identified presence and absence of friends thumbnail images

Defence Developer No way to restrict privileges of AdSDK Isolation of external storage subspace not supported in Android OS AdSDK Provider Ban scripts in creatives – impractical / contradicts trend towards richer interactive ads Scan creatives - evasion of malicious code detection by obfuscation Block local resource loading – unnecessary mobile data usage Mobile OS Designers Add facilitates to restrict WebView to dedicated storage subspace Provide built in “jail” functionality invoked via API call

Issues and improvements Good focus on capabilities of malicious advertisers Addresses defence for AdSDK Providers and Mobile OS Designer More information for defence for users Provide Adblockers similar to online browsers? Play Store to explicitly state which permissions required by app and AdSDK? – Allow the user to be informed and choose whether to download app Comparison of different OS Repeat for IOS or Windows devices and compare the effectiveness inference attacks Use more popular applications as target apps Users more likely to have these apps on their devices – assess what kind of information attack vector apps can infer

Thank you for listening Presented by Isabel Zhuang