What Mobile Ads Know About Mobile Users

Presentation transcript:

What Mobile Ads Know About Mobile Users
By Sooel Son (Google), Daehyeok Kim (KAIST), and Vitaly Shmatikov (Cornell Tech)
Presented by Rebecca Lee

Introduction
- Mobile apps rely on advertising for most of their income
- Apps use advertising libraries (AdSDKs) to deliver ads
- 41% of apps in the Google Play Store use at least one mobile advertising library
- AdSDKs fetch ads from their servers and display them to users
- Redirection, obfuscation, and proliferation of ads make it difficult to check that they are safe
- This study focuses on the idea of malicious advertisers

Background
- Focused on 4 popular Android AdSDKs
  - AdMob
  - MoPub
  - AirPush
  - AdMarvel
- External storage in a modern Android device is shared
- Some apps cache files with very predictable names
- Easier for malicious advertisers to have their ads displayed
- Each creative (ad) displayed on a mobile device is called an advertising impression

The Threat
- AdSDKs need access to geolocation and external storage
- Is a permission requested by the app for the AdSDK or for the app itself? Users cannot determine this
- It is critical for AdSDKs to reduce latency, so they need cached files
- From Android 4.4, permission is needed to access external storage
- The READ_EXTERNAL_STORAGE permission is implicitly granted by the WRITE_EXTERNAL_STORAGE permission
- MoPub, AirPush, and AdMarvel all ask for the Write permission

Experiment & Results
- Integrate each AdSDK into an Android test app and use a proxy server to analyse advertising requests
- Target app creates the local files that contain sensitive information
- Attack-vector app is the ad-supporting app that happens to show a malicious creative

Sensitive Information
- Medications
- Gender preferences for dating partners
- Browsing history
- Social graph
- User trajectories

Attack Mechanism
- Reading local files
  - User (unintentionally) downloads an HTML page that holds a malicious payload
  - Attacker's ad invokes the payload; JavaScript in the payload can steal local files
- JavaScript code that may seem harmless in a Web context causes privacy issues when translated into a mobile context

The Defence
- Developers have few options to protect their users
  - No way for app developers to restrict the privileges of the AdSDKs they include
  - Apps cannot confine WebView modules to a subspace of external storage; this is not supported by Android
- AdSDK providers can
  - Ban scripts -> impractical
  - "Jail" the WebView instance
* The proposed defence is designed against malicious advertisers. It is not effective against malicious apps
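
One way an AdSDK could "jail" its WebView, shown as an added example that is not code from the presentation or from any of the AdSDKs it names: a WebViewClient that lets the ad load cached files from a single directory and answers every other file:// request with an empty body. The class name JailedAdWebViewClient and the adCacheDir parameter are hypothetical; the callback used requires Android API level 21 or later.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;

/** Hypothetical client that confines an ad WebView's file:// loads to one directory. */
public class JailedAdWebViewClient extends WebViewClient {
    // Canonical path of the allowed directory, with a trailing separator so that
    // a sibling such as ".../adcache-other" does not pass the prefix check.
    private final String jailPrefix;

    public JailedAdWebViewClient(File adCacheDir) throws IOException {
        this.jailPrefix = adCacheDir.getCanonicalPath() + File.separator;
    }

    /** True only if the URI's path resolves to a location inside the jail. */
    boolean isInsideJail(Uri uri) {
        String path = uri.getPath();
        if (path == null) {
            return false;
        }
        try {
            // Canonicalise first: collapses "../" segments and resolves symlinks.
            return new File(path).getCanonicalPath().startsWith(jailPrefix);
        } catch (IOException e) {
            return false; // fail closed if the path cannot be resolved
        }
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        Uri uri = request.getUrl();
        if ("file".equalsIgnoreCase(uri.getScheme()) && !isInsideJail(uri)) {
            // Same empty answer for every path outside the jail, whether or not
            // the file exists, so the creative learns nothing from the response.
            return new WebResourceResponse("text/plain", "UTF-8",
                    new ByteArrayInputStream(new byte[0]));
        }
        // Returning null (the superclass default) lets the WebView load the resource normally.
        return super.shouldInterceptRequest(view, request);
    }
}
```

The client is installed with setWebViewClient on the WebView that renders creatives, passing the SDK's own cache directory as adCacheDir. It keeps the cached files the SDK needs for latency while leaving other apps' files on shared external storage out of the ad's reach.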

Opinions
- Not many experiments
- The experiment
  - Assumptions
  - Proxy servers
  - Phones tested
  - Android versions tested
  - Apps tested

After thoughts
- Expectations
- What other ways of attacking?
- What can users do?
- iOS?