Unsafe Exposure Analysis of Mobile In-App Advertisements
Offense: Rachel Stonehirsch
Android Security Permission Model
  Protection Level | Description
  Normal | Low-risk permissions granted to any package requesting them
  Dangerous | High-risk permissions that require user confirmation
  Signature | Only packages with the same author can request the permission
  SignatureOrSystem | Both packages with the same author and packages installed in the system image can request the permission
Android Security Permission Model Issues
  Android’s current system is unable to determine the difference between an app and an ad library.
  Ad libraries embedded in an app will undermine Android’s security system.
    ◦ Inherit the permissions granted to an app.
    ◦ Collect personal information and provide it to advertisers.
More Android Security Permission Model Issues
  Ad libraries are given the same permissions as the apps that contain the ad libraries.
  No solution is presented to isolate permissions granted to an app from permissions granted to an ad library.
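An added example (not from the presentation or the paper under review) of the inheritance problem described on the two slides above: it classifies the permissions in a decoded manifest by protection level and lists the dangerous ones every third-party package in the app receives. The manifest, the package names and the function names are constructed for illustration, and the protection-level table is a small subset of platform permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Protection levels of a few platform permissions (illustrative subset).
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
}

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.example.game.SAVE_SCORE"/>
</manifest>"""

# Constructed sample: Java packages found in the app's code (hypothetical names).
SAMPLE_CODE_PACKAGES = ["com.example.game.ui", "com.example.adsdk",
                        "org.example.analytics"]


def requested_permissions(manifest_xml):
    """Return (app package, {permission: protection level}) for a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms[name] = PROTECTION_LEVEL.get(name, "unknown")
    return root.get("package"), perms


def inherited_exposure(manifest_xml, code_packages):
    """Map each third-party package to the dangerous permissions it inherits."""
    app_pkg, perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p, lvl in perms.items() if lvl == "dangerous")
    # Permissions are granted to the app as a whole, so every package shipped
    # inside it gets the same set; only the "third party" label differs.
    return {
        pkg: list(dangerous)
        for pkg in code_packages
        if pkg != app_pkg and not pkg.startswith(app_pkg + ".")
    }
```

Both third-party packages come back with the identical list, which is the lack of isolation the slides criticize.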
Data Does Not Lead to a Solution to Protect User Privacy
  Conclusion mentions the need for a change in the way existing ad libraries are integrated into apps.
    ◦ How?
    ◦ Where is the experimental data that points to a solution?
  Approaches that have attempted to address the issue are dismissed and no alternative is presented.
Other Methods that Address User Privacy
  H. Haddadi, P. Hui, and I. Brown. MobiAd: Private and Scalable Mobile Advertising. In Proceedings of the 5th ACM International Workshop on Mobility in the Evolving Internet Architecture, MobiArch ’10, pages 33–38, September
  S. Guha, B. Cheng, and P. Francis. Privad: Practical Privacy in Online Advertising. In Proceedings of the 8th USENIX Conference on Networked Systems Design and Implementation, NSDI ’11, March 2011.
Ad Libraries
  Ad libraries request information that is not useful to them.
  What is the basis for your claim that an app’s user cannot determine which ad libraries the app contains?
    ◦ Your paper analyzes ad libraries that exist within 10,000 apps.
    ◦ Discovered which ad libraries are in which apps.
Lack of Evidence
  Issue with ad libraries is that they fetch and load dynamic code.
  Mention that there are 5 ad libraries that have this unsafe behavior.
    ◦ Which five?
    ◦ How was this detected?
Tool Performance
  Tested performance of AdRisk on 5 ad libraries.
    ◦ 1/20th of the sample size.
  Why was the performance measured on 5 ad libraries, and not on all 100 ad libraries?
Summary of Problems with This Paper
  Make statements about results from research but fail to provide a suggestion for a solution.
  Often fail to back up statements with actual results.
  Lack of evidence.
  Tool performance.