What Mobile Ads know about mobile users

Presentation transcript:

What Mobile Ads Know About Mobile Users
Authors: Sooel Son, Daehyeok Kim, and Vitaly Shmatikov (2016)
Presented by: Aditya Walanj

Motivation
Advertising is an important part of the mobile ecosystem; it is how app developers obtain revenue.
Mobile advertising is integrated into mobile apps through an advertising library, referred to here as the AdSDK.
Over 41% of apps in the Google Play Store include at least one mobile advertising library.
Malicious advertising is a serious issue in the mobile advertising ecosystem.

Background
The AdSDK is a library that fetches and displays ads while the app is running.
Creatives displayed on devices are called impressions.
Service providers place trackers into creatives.
WebView instances do not share cookies or state across apps, so service providers rely on device identifiers (e.g. GAID, Android ID).
Flow: HTTP requests (GET/POST) fetch advertising creatives (HTML, JSON, XML), which are displayed as impressions in WebView instances.

Problem
The apps on the user's device and the AdSDK are benign, but the advertisers are not.
Impressions pass through auctions, brokers, and exchanges before reaching the device.
Trusted ad service providers: AdMob, MoPub, AirPush, AdMarvel.
Service providers serve ads over HTTP, so a man-in-the-middle attack is possible.
Malicious mobile ads can cause leakage of location: access to location is required for geotargeted advertising.
Malicious mobile ads can infer sensitive information about users: ads cache images and files, so the AdSDK requires external storage access.
Since Android 4.4, write permission to external storage automatically grants read permission.
The Same Origin Policy in the WebView prevents a malicious ad from reading files on external storage, but it does not prevent the ad from learning which file names exist.

Experiment
A proxy server was used to intercept the creatives sent by the advertising network and add a script element to them.
Each exploit requires two apps:
A target app, which creates local files on the device's external storage whose presence leaks sensitive information.
An attack-vector app, an ad-supported app that shows a malicious creative using one of the AdSDKs.
Any app using the same AdSDK can serve as the attack vector.

Results (figure): the target app and the attack-vector app both use the same AdSDK; local files created by these apps.

Summary
The target app caches HTML files or images in external storage to improve the user experience.
The names of the cached files are predictable regardless of Android version or device.
An attacker can precompute an offline database of file names, use a local resource oracle in his ads, and check for the presence of those files on the user's device.
E.g. the bookmark functionality in GoodRX.

Defences
App developers cannot do much: the business logic of the AdSDK and the configuration of its WebView instances are opaque to developers, and developers have no mechanism to restrict the privileges of the AdSDK they include.
AdSDK providers can do a few things:
Scan advertising creatives → can be evaded by attackers.
Ban scripts in creatives → impractical.
Jail the WebView instance used to show impressions so that it only accesses a dedicated subspace of external storage → more feasible, but difficult to implement.
Mobile OS designers can do useful things:
Provide a built-in "jail" facility that can be invoked through an API call. On iOS, each app's files are located under a file path containing a 128-bit unique ID.
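To make the third AdSDK-side defence concrete, here is an added example (not code from the paper or the presentation) of what "jailing" the impression WebView could look like on Android: a WebViewClient that canonicalises every local file:// request and serves it only when it resolves inside one dedicated, app-specific directory, answering everything else with an identical empty response so that a creative learns nothing from whether a file exists. The class name JailedAdWebView and the directory name "ad_jail" are assumptions; the WebSettings and WebViewClient calls are standard Android APIs.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;

/**
 * Example only (not the paper's code): a WebView for ad creatives that can
 * read local files only inside one dedicated directory ("the jail"). Requests
 * for file:// or content:// resources outside that directory get an empty
 * response regardless of whether the file exists, so the load outcome cannot
 * be used as an oracle for the presence of other apps' cached files.
 * Class and directory names are hypothetical.
 */
public final class JailedAdWebView {

    private final File jailDir;

    public JailedAdWebView(Context context) throws IOException {
        // App-specific subspace of external storage reserved for ad assets.
        // "ad_jail" is a placeholder name chosen for this example.
        File dir = context.getExternalFilesDir("ad_jail");
        if (dir == null) {
            throw new IOException("external storage unavailable");
        }
        this.jailDir = dir.getCanonicalFile();
    }

    /** Configure the WebView before the first creative is loaded into it. */
    public WebView configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);            // creatives are HTML+JS; scripts stay enabled
        s.setAllowFileAccess(true);              // cached creatives inside the jail may be loaded ...
        s.setAllowFileAccessFromFileURLs(false); // ... but a file:// page may not read other files
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);          // no content:// provider access from creatives
        webView.setWebViewClient(new JailClient());
        return webView;
    }

    /**
     * True only if the requested local path, after canonicalisation (so ".."
     * segments cannot escape), lies under the jail directory.
     */
    boolean isInsideJail(Uri uri) {
        if (!"file".equals(uri.getScheme()) || uri.getPath() == null) {
            return false;
        }
        try {
            String requested = new File(uri.getPath()).getCanonicalPath();
            String jail = jailDir.getCanonicalPath() + File.separator;
            return requested.startsWith(jail);
        } catch (IOException e) {
            return false; // unresolvable path: deny
        }
    }

    private final class JailClient extends WebViewClient {
        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
            Uri uri = request.getUrl();
            String scheme = uri.getScheme();
            // Network loads are not policed here; only local schemes are.
            if (!"file".equals(scheme) && !"content".equals(scheme)) {
                return null;
            }
            if (isInsideJail(uri)) {
                return null; // inside the jail: let WebView serve the file normally
            }
            // Outside the jail: the same empty response whether or not the file
            // exists, so the creative cannot distinguish the two cases.
            return new WebResourceResponse("text/plain", "utf-8",
                    new ByteArrayInputStream(new byte[0]));
        }
    }
}
```

Two design points matter for this to be a jail rather than a prefix check: the path is canonicalised before comparison, since a literal prefix test would accept a "../" escape from the jail directory, and the denied response is identical for existing and non-existing files, because the attack described in the presentation needs only a success/failure signal, not the file contents. Default values for the file-access settings differ across Android versions, so an AdSDK should set them explicitly as above rather than rely on the platform default.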

Issues and Improvements
Only the location and external storage permissions were explored; camera and microphone permissions should be looked into as well.
The paper assumes that the other apps on the user's device are benign, which is not necessarily the case; an investigation that drops this assumption is needed.
Not much is said about what users can do: are ad blockers effective? Would checksum-type logic help?

Thank you for listening