Free for All! Assessing User Data Exposure to Advertising Libraries on Android Campbell Foskin

Introduction “What if advertising networks took full advantage of the information-sharing characteristics of the current Android architecture?”

Introduction Many studies focused on detecting/measure security risks in app ad libraries To fully assess the risk of ad libraries – all allowed behaviors must be explored.. Identifies four main attack channels and systematically explores their potential reach Pluto framework: Can be leveraged to analyze an app and discover what user data it exposes to opportunistic ad libraries Uses NLP and machine learning algorithms

Background: Mobile advertising Advertising services assist in matching ads to users to turn more impressions into conversions. This is achieved with the use targeted data. Advertisers collaborate with data brokers who collect user data and maintain user profiles, in order to target certain segments of the population. Data brokers incorporate ad libraries into apps that can collect user attributes and interests

Background: Android protection mechanisms Each app on is assigned a unique static UID when it is installed – can only access it’s own resources. Ad libraries inherits the UID of the host app - shares privileges and permissions DAC allows access the apps local files Granted permissions allow access to other services on the device (e.g. GPS)

The Threat Model A risk is the potential compromise of an asset (User targeted data) as a result of an exploit of a vulnerability (Attack channel) by a threat (Opportunistic ad library) Out App: Unprotected/public APIs In App: Using protected APIs Access to host app’s local files Observing user inputs into host app Data points derived from attributes in FT calculator e.g. Gender = data point Male = data point value

In-App: Locally stored data During lifetime apps produce local persistent files, provides SharedPreferences class to access and store retrieve app resources in UID protected directory. Ad libraries inherit DAC privileges and SE Android MAC capabilities from host As such can access and read app’s locally stored files – including any user data Example: My Ovulation Calculator (1,000,000–5,000,000 downloads) Headaches, pregnancy status, trimester etc. -> $$$

In-App: Protected APIs Ad library uses same system identifier as host – both in static UID and dynamic PID Thus library can use any permission-protected APIs the host is granted access too E.g. account permissions, location etc. Results of manual inspection of 262 apps

In-App: Observing user input An ad library could use its position to peak on user input Find UI elements in resource files corresponding to targeted data and monitor them Example: Text Me! Free Texting & Call (10,000,000–50,000,000 downloads) Could capture users gender, age and zip code.

Out-App: Public APIs Public APIs considered harmless by AOSP and are unprotected. Can be used without requesting permission Can gather targeted data such as age and gender from installed applications. 12.54% of the examined apps (318/2535) incorporate ad libraries that these APIs to collect the app bundle of the user

The Pluto framework Modular framework for estimating in-app and out-app targeted data exposure for a given app In-App: Local files that the app generates App layout and string resource files App manifest file Out-App: Installed app bundles

The Pluto framework: In-App Dynamic Analysis Module: Runs app on emulator and extracts files Decompiles and extracts layout, resource and runtime generated files File miners: Uses a set of user attributes and interests as a matching goal. Reaches matching goal if data point is found in a file Context disambiguation layer uses similarity metrics to prune matching goals - driodLESK

The Pluto framework: Out-App Given a set of installed apps, what data points can we derive? Co-installation Pattern module (CIP) Co-installation Pattern: Given an app, what is the probability of finding another set of apps Dynamically updated records of install apps FPM algorithms to discover associations between apps Classifiers Takes corpus of user attribute/interest and app bundle pairings to train classifier Infer user attributes and interests from the CIP estimated app-bundles

Criticism and recommendations Only four attack channels were explored. Pluto is modular – would recommend this be extended in future work if new attack channels covered. Camera and microphone permissions not explored – ML can infer a lot from their info. Android watches etc. – many possible avenues of attack omitted File miner NLP only accounts for common conventions e.g. camelCase, snake_case Recommend further investigation and possible methods to interpret more cases

Criticism and recommendations Framework did not address complications that could arise from obfuscated code – simply omitted those that broke. Any apps that work with ad libraries to obscure their exposure would not be detected by Pluto. Recommend further inquiry into this area. Exposure of sensitive information beyond user attributes/interests E.g. details of financial records and data are not explored in the framework. 243 survey participants, resulted in 1985 distinct package names collected. Over 1.4 million apps on google play store.

Questions?