Spying on Android Users Through Targeted Ads Eeva Terkki, Ashwin Rao, and Sasu Tarkoma Department of Computer Science University of Helsinki
Acknowledgements David Choffnes, Mohammad Hoque, Tiia Koskinen, Thorben Krüger, Arnaud Legout, Mika Viinamäki, and Otto Waltari Nokia Center for Advanced Research (NCAR) Academy of Finland grant 303815 Poju 2 / 19
... ... Background Phones have a wealth of our private information We use a large number of free* apps ... -Our daily schedules and what we plan to do next - Our bank cards and receipts - Our pictures - And many more -Games such as Angry Birds, -Apps to use the sensors, barcode scanners, torchlight, etc. -Multimedia, music and video, -Chatting and conversations such as Skype, ... *may contain ads 3 / 19
Mobile Ads Ecosystem Ad Network Ads targetted to mobile users Provide ad libraries ad libraries Embed in apps Show ads to users Interact with ads 4 / 19
Targeted Ads Mobile devices are an ideal medium Ads that match our likes and needs Phone Ad Network Mobile devices are an ideal medium for showing targeted ads GET http://adnetwork.com/getAd?location=xxx&age=xxx&dob=xxx&gender=xxx&income=xxx&education=xxx&interests=xxx&.... Advertisement time time 5 / 19
Targeting Parameters 6 / 19
Permissions from Apps Ad networks collect a wealth of private information 7 / 19
Device Identifier for Requesting Ads IMEI, Android ID, Phone number, etc were used As of August 2014, Android mandates ad libraries only use the Android advertising ID Users can reset Android advertising ID The advertising ID is a vital key to a user’s information in the ad networks 8 / 19
Android advertising ID Leaks Millennial Media Ad Library Millennial Media Ad Network GET http://ads.mp.mydas.mobi/getAd?dm=Nexus+6&lat=xxx&long=xxx&age=xxx&children=xxx&education=xxxðnicity=xxx&gender=xxx&income=xxx&marital=xxx&politics=xxx&zip=xxx&state=xxx&dob=xxx Some ad networks exchange the advertising ID over HTTP text/html GET http://bank-2.ads.mp.mydas.mobi/getImage.php5? &aaid=<advertising id>&... time time 9 / 19
Motivation Can an attacker exploit the leaked identifier Mobile devices are an ideal medium for targetted ads Ad networks collect a wealth of private information The advertising ID is a vital key to a user's information available at the ad networks Some ad networks exchange this ID over HTTP Can an attacker exploit the leaked identifier to request and receive ads targeted at a victim? What are the hurdles faced by an attacker when conducting such an attack? 10 / 19
Emulated Victims of Spying Samsung S5 (Android 5.0) Nexus 6 (Android 6.0.1) 11 / 19
Apps Installed Pregnancy Dating 12 / 19
Custom App for Requesting Ads 13 / 19
Preliminary Observation Metric: Ad Fill Rate fraction of ad requests made by the ad library to which the ad network responds with an ad Flurry 14.3% InMobi 13.01% Millennial Me dia – same ad AdMob 100% Ads in Finnish, different ads in different profiles Artefact of geographical location? 14 / 19
Assumptions Attacker has access to the Android advertising ID Attacker uses emulated Android devices Two virtual devices on Genymotion Can receive real ads Generic: Random advertising ID Attack: Victim's advertising ID 15 / 19
Attack Scenarios Internet Meddle Server Ad Server Victim's device VPN Ad Server Victim's device VPN Laptop emulating virtual Android devices Scenario 1) Same App Different Network Scenario 1) Same App Different Network Scenario 2) Same App Same Network Scenario 2) Same App Same Network Scenario 3) Different App Different Network 16 / 19
Experiment Results Pregnancy Dating 17 / 19
Discussion Targeting of Mothers Geographical Location Choice of Emulator Importance of Context Adding noise to profiles Preventing leaks and spying Awareness of privacy issues 18 / 19
Thank You! ashwin.rao@helsinki.fi 19 / 19