Unsafe Exposure Analysis of Mobile In-App Advertisements Offense: Rachel Stonehirsch.

Presentation transcript:


Android Security Permission Model
Protection Level | Description
Normal | Low-risk permissions granted to any package requesting them
Dangerous | High-risk permissions that require user confirmation
Signature | Only packages with the same author can request the permission
SignatureOrSystem | Both packages with the same author and packages installed in the system image can request the permission

Android Security Permission Model Issues
Android’s current system is unable to determine the difference between an app and an ad library.
Ad libraries embedded in an app will undermine Android’s security system.
• Inherit the permissions granted to an app.
• Collect personal information and provide it to advertisers.

More Android Security Permission Model Issues
Ad libraries are given the same permissions as the apps that contain the ad libraries.
No solution is presented to isolate permissions granted to an app from permissions granted to an ad library.

Data Does not Lead to a Solution to Protect User Privacy
Conclusion mentions the need for a change in the way existing ad libraries are integrated into apps.
• How? Where is the experimental data that points to a solution?
Approaches that have attempted to address the issue are dismissed and no alternative is presented.

Other Methods that Address User Privacy
H. Haddadi, P. Hui, and I. Brown. MobiAd: Private and Scalable Mobile Advertising. In Proceedings of the 5th ACM International Workshop on Mobility in the Evolving Internet Architecture, MobiArch ’10, pages 33–38, September
S. Guha, B. Cheng, and P. Francis. Privad: Practical Privacy in Online Advertising. In Proceedings of the 8th USENIX Conference on Networked Systems Design and Implementation, NSDI ’11, March 2011.

Ad Libraries
Ad libraries request information that is not useful to them.
What is the basis for your claim that an app’s user cannot determine which ad libraries the app contains?
◦ Your paper analyzes ad libraries that exist within 10,000 apps.
◦ Discovered which ad libraries are in which apps.

Lack of Evidence
Issue with ad libraries is that they fetch and load dynamic code.
Mention that there are 5 ad libraries that have this unsafe behavior.
• Which five? How was this detected?
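One way to check the two points raised above (library code inherits the host app's permissions, and library code constructs dynamic class loaders), as an added example that is not part of the slides and is not AdRisk's method. The manifest, the smali excerpts and the `com.example.*` names are constructed, and `LEVELS` covers only the sample's permissions.

```python
import re
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Protection levels for the permissions used in the sample (subset, not a full table).
LEVELS = {"android.permission.INTERNET": "normal",
          "android.permission.ACCESS_FINE_LOCATION": "dangerous",
          "android.permission.READ_PHONE_STATE": "dangerous"}
# Class loaders that can run code not shipped in the reviewed APK.
LOADER_RE = re.compile(r"Ldalvik/system/(DexClassLoader|PathClassLoader);-><init>")

# Constructed manifest of a hypothetical host app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed smali excerpts keyed by class path; com/example/adlib is a made-up library.
SMALI = {
    "com/example/game/MainActivity.smali":
        "invoke-virtual {p0}, Lcom/example/game/MainActivity;->render()V",
    "com/example/adlib/Updater.smali":
        "new-instance v0, Ldalvik/system/DexClassLoader;\n"
        "invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>"
        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
}

def app_permissions(manifest_xml):
    """Return (package, permissions) declared for the whole APK."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(NAME) for e in root.iter("uses-permission")]
    return root.get("package"), perms

def audit(manifest_xml, smali):
    """List classes that construct a dynamic class loader, with owner and inherited permissions."""
    package, perms = app_permissions(manifest_xml)
    app_prefix = package.replace(".", "/") + "/"
    dangerous = sorted(p for p in perms if LEVELS.get(p) == "dangerous")
    findings = []
    for path, body in sorted(smali.items()):
        loaders = sorted(set(LOADER_RE.findall(body)))
        if loaders:
            owner = "app" if path.startswith(app_prefix) else "embedded library"
            # Permissions are granted per package, so library code holds all of them.
            findings.append({"class": path, "owner": owner,
                             "loaders": loaders, "inherits": dangerous})
    return findings
```

Calling `audit(MANIFEST, SMALI)` reports the one library class that builds a `DexClassLoader`, together with the dangerous permissions it holds through the host app.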

Tool Performance
Tested performance of AdRisk on 5 ad libraries.
• 1/20th of the sample size.
Why was the performance measured on 5 ad libraries, and not on all 100 ad libraries?

Summary of Problems With this Paper
Make statements about results from research but fail to provide a suggestion for a solution.
Often fail to back up statements with actual results.
Lack of evidence.
Tool performance.