Jong Hyuk Park (박종혁), Computer Security & OS Lab
Paper venue: Workshop on Mobile Security Technologies (MoST), 2012
Slide 2: Contents
- Introduction
- Background
- Unique Privacy Concerns in Ads
- Methodology
- Permissions
- Private Data on the Network
- Tracking Users
- Potential Solutions
- Conclusion
Slide 3: Introduction
- Smartphones have rapidly increased in popularity in recent years.
- Many developers release their applications for free and generate revenue from ads.
- Advertising libraries send information about the device and the user to the ad server.
- This has led to growing concern about user privacy.
- In this paper the authors:
  - identify privacy concerns that are unique to Android in-app advertising,
  - discover the privacy threats that result from these concerns,
  - analyze popular Android ad libraries for these threats.
Slide 4: Background
- Android
  - Linux-based smartphone operating system.
  - Requires each application to declare a list of permissions in its manifest (AndroidManifest.xml).
  - Permissions gate access to sensitive user information.
- Android third-party libraries
  - Developers use libraries to parse a specific file format, communicate with a popular web application, or provide advertising functionality.
  - Libraries run with the same privileges as the application's own code: they can read application-specific private data and use any permission the application declares.
- Unique Device Identifiers (UDIDs)
  - ANDROID_ID: random hex string generated during the first boot of the device.
  - IMEI, MEID, ESN: the telephony device ID of the phone (read through the telephony API, which requires READ_PHONE_STATE).
  - android.os.Build.SERIAL: hardware serial number; reading it does not require any permission.
  - MAC address of the phone's Wi-Fi or Bluetooth adapter.
Slide 5: Background: Online Advertising
- Terminology follows the Internet Advertising Bureau's glossary of advertising terms.
- (Diagram) Advertiser -> Ad Provider / Ad Server; the Publisher's application sends an Ad Request on behalf of its Users to the Ad Server, which responds with an Advertisement.
Slide 6: Background: Advertising on Android
- Android ad providers give developers a Software Development Kit (SDK) library, which provides an API for requesting and displaying advertisements inside the application.
Slide 7: Unique Privacy Concerns in Ads
The paper considers three specific differences between in-app advertising through an ad library and in-browser advertising.
1. Lack of privilege separation between application and ad code
  - Gives the ad provider the opportunity to run code on the user's device with the same permissions as the application that uses the library, allowing the ad provider to exfiltrate data from the device.
  - In-browser advertising: exfiltrating user information is difficult because of the same-origin policy.
  - In-app advertising: the application's declared permissions give its code, and therefore the ad code, the ability to access user information.
2. Detailed user data
  - Ad code running on the user's device may have far more privileged access to the user's data.
  - In-browser advertising: the browser assumes external code is untrusted and sandboxes it.
  - In-app advertising: the ad code is allowed to run in a very privileged state.
Slide 8: Unique Privacy Concerns in Ads (continued)
3. Consistency of user identifiers
  - Identifiers let the ad provider track the user's behavior: a UDID sent with each ad request lets the provider link requests to one user.
  - In-browser advertising: IP addresses and cookies change over time and may be reset by the user.
  - In-app advertising: resetting the UDID values on Android requires either a factory reset or root permission on the phone.
Slide 9: Methodology
- Examine the most popular ad providers to gain the best insight into current Android ad provider behavior.
- Build a combined ad provider list and determine which providers are the most popular in terms of overall ad traffic, where the amount of ad traffic is estimated from the number of users of the applications each provider serves.
- Select the most prevalent ad providers among the top 500 applications on the Google Play market.
Slide 10: Methodology: Analyzing Library Behavior
- Signed up as a developer with each ad provider and downloaded a copy of the most recent library.
- Instrumented a sample application that uses the library and captured the data (ad requests) it sent over the network.
- Determined which fields, such as age or gender, the requests carry.
- Referenced the provider's documentation to determine how those fields are populated.
- Ensured the fields appear in live traffic by manually verifying that ad requests from each provider contained the relevant fields.
Slide 11: Permissions: Classification
- An ad library can take advantage of the host application's permissions to covertly access sensitive data.
- Kinds of permission listed in ad provider documentation: required permissions and optional permissions.
- Stowaway: detects the Android framework API methods an application accesses and uses an internal mapping between API methods and required permissions to infer which permissions the code needs.
- Each permission that is not documented by the provider was manually investigated to determine whether the library actually uses it.
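The triage described on this slide, written out as an added example (this is not the paper's tooling and not Stowaway itself): parse the permissions an application declares, map the framework calls found in the library to the permissions they consume with a Stowaway-style table, and bucket each declared permission as documented-required, documented-optional, undocumented-but-exercised, or undocumented-and-idle. The manifest excerpt, the "documented" sets, the API call list and the provider are all constructed for the example; only the four framework entry points and permission names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest excerpt for a hypothetical app that bundles an ad
# library. Not taken from any real application or ad SDK.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.adsample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

# Permissions a hypothetical provider's integration guide lists (assumed).
DOCUMENTED_REQUIRED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}
DOCUMENTED_OPTIONAL = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

# A few real framework entry points mapped to the permission(s) that satisfy
# them. Stowaway's mapping covers the whole API; this is a hand-picked subset.
API_PERMISSIONS = {
    "android.telephony.TelephonyManager.getDeviceId": {
        "android.permission.READ_PHONE_STATE"},
    "android.location.LocationManager.getLastKnownLocation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION"},
    "android.telephony.SmsManager.sendTextMessage": {
        "android.permission.SEND_SMS"},
    "ContentResolver.query(ContactsContract.Contacts.CONTENT_URI)": {
        "android.permission.READ_CONTACTS"},
}

# Framework calls "found" in the hypothetical ad library's bytecode; constructed.
LIBRARY_API_CALLS = [
    "android.telephony.TelephonyManager.getDeviceId",
    "android.location.LocationManager.getLastKnownLocation",
    "android.telephony.SmsManager.sendTextMessage",
]


def manifest_permissions(xml_text):
    """Return the set of permissions declared with <uses-permission>."""
    root = ET.fromstring(xml_text)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")}


def permissions_exercised(api_calls, api_map=API_PERMISSIONS):
    """Permissions that at least one observed API call can consume."""
    used = set()
    for call in api_calls:
        used |= api_map.get(call, set())
    return used


def triage(declared, exercised, required, optional):
    """Bucket declared permissions: documented (required/optional) versus
    undocumented, and whether the library's code exercises the undocumented ones."""
    undocumented = declared - required - optional
    return {
        "documented_required": declared & required,
        "documented_optional": declared & optional,
        "undocumented_used": undocumented & exercised,
        "undocumented_unused": undocumented - exercised,
        "missing_required": required - declared,
    }


def run_triage():
    declared = manifest_permissions(MANIFEST_XML)
    exercised = permissions_exercised(LIBRARY_API_CALLS)
    return triage(declared, exercised, DOCUMENTED_REQUIRED, DOCUMENTED_OPTIONAL)


if __name__ == "__main__":
    for bucket, perms in run_triage().items():
        print(bucket, sorted(perms))
```

On the constructed input, SEND_SMS lands in the undocumented-but-exercised bucket (the case the paper flags as misuse) while READ_CONTACTS is undocumented and idle, which is exactly the distinction the manual investigation on this slide was making. A declared-but-unused permission is still worth reporting: it is available to any code the library later loads.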
Slide 12: Permissions: Permission Misuse
- Conjecture: some libraries actively collect personal data through the permissions they request.
- Most ad libraries require a similar core set of permissions: INTERNET, ACCESS_NETWORK_STATE, READ_PHONE_STATE and the location permissions (ACCESS_COARSE_LOCATION / ACCESS_FINE_LOCATION).
- The Mobclix library includes four invasive permissions: READ_CALENDAR, WRITE_CALENDAR, READ_CONTACTS and WRITE_CONTACTS, and contains code that reads and writes the user's calendar and contacts databases.
- The mOcean and InMobi libraries contain functionality to start phone calls and add events to the user's calendar without user interaction.
- mOcean can also send SMS messages without user interaction.
Slide 13: Permissions: Permission Misuse (table of per-library permissions; not recoverable from this extraction)
Slide 14: Permissions: JavaScript Interface
- A JavaScript interface exposed to a WebView (through WebView.addJavascriptInterface) lets page script call into the application's Java objects, and can be used to dynamically invoke other methods from within the exposed one.
- The Android documentation specifically warns against exposing such an interface to untrusted JavaScript.
- Vulnerable ad libraries: the authors confirm that four ad libraries will run external code within the WebView, so the user is exposed to loss of personal data or other malicious actions.
- What each library can be driven to do from the WebView:
  - Mobclix: modify the user's calendar and contacts, read the user's audio and image files, toggle the camera LED.
  - Greystripe: get and/or set the user's cookies.
  - mOcean: send SMS messages, start phone calls, add calendar entries, get the location, make arbitrary network requests.
  - InMobi: send SMS messages, start phone calls, modify the user's calendar.
Slide 15: Permissions: JavaScript Interface Proof of Concept
- To demonstrate the significance of the vulnerability, the authors set up a test environment and attempted to exploit the Mobclix and mOcean ad libraries.
- A Samsung Galaxy Nexus served as the victim device, running a sample application that simulates a vulnerable user application.
- They performed an end-to-end attack against the victim device through both the Mobclix and mOcean libraries: the attack initiates a phone call to an arbitrary number with no user interaction.
Slide 16: Private Data on the Network
- Reports what private user information each ad library is capable of sending over the network.
- Each library's behavior was observed both in an emulated environment and in live traffic.
- To determine how the fields in an ad request are populated, the authors referenced the provider's documentation for the specified fields.
- To determine which fields the library sets automatically, they observed which permissions the ad library actually used.
Slide 17: Tracking Users
- An Android UDID never changes, or can only be changed with root privilege.
- Two primary threats are considered:
  - an unscrupulous ad provider tracking a user across several installed applications;
  - a network sniffer tracking a user across several ad providers.
- Ad providers consistently transmit the same UDID field (a hashed or unhashed UDID value) regardless of the application, so one provider can link a user's activity across every application that embeds its library.
- A network sniffer that sees the same value in requests to different providers can likewise track the user across several libraries.
Slide 18: Tracking Users (table of UDID fields sent per library; not recoverable from this extraction)
Slide 19: Potential Solutions
- Failure to protect the contents of ad requests
  - Sensitive information must be protected in transit, which means encrypting the communication, for example with SSL.
  - SSL is expensive and limits the concurrency the ad server can sustain.
  - Solution: a low-overhead scheme (minimal session state) that is lightweight (preferably symmetric-key).
- Mishandling of the UDID
  - The user's privacy must be protected against a network sniffer.
  - Solution: send hash(ad provider || package name || UDID) instead of the raw UDID, so the transmitted value differs per provider and per application.
- Lack of ad/application privilege separation
  - Ad libraries currently have access to all of the sensitive data in the application.
  - Solution: third-party code should not be allowed to access application-specific data, and ad code should hold its own permission set; any request that requires a permission not explicitly granted to the ad code is denied.
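The tracking threats on slide 17 and the hashed-identifier remedy on this slide, as one added example (not code from the paper or from any ad SDK): a device makes one ad request to each of two providers from each of two apps, first carrying the raw UDID and then carrying hash(ad provider || package name || UDID). A passive observer clusters requests by identifier, and a single provider checks whether it can link its two apps. The UDID, the provider hostnames and the package names are constructed; the choice of SHA-256 and of length-prefixing the three fields before hashing is an assumption, since the slide only names the concatenation.

```python
import hashlib
from collections import defaultdict

# Constructed ANDROID_ID-style value; not a real device identifier.
DEVICE_UDID = "9774d56d682e549c"

# Two hypothetical ad providers and two hypothetical apps on the same device.
PROVIDERS = ["ads.example-one.net", "ads.example-two.net"]
PACKAGES = ["com.example.weather", "com.example.flashlight"]


def raw_identifier(provider, package, udid):
    """What the paper observed: the same UDID value in every ad request."""
    return udid


def scoped_identifier(provider, package, udid):
    """hash(ad provider || package name || UDID) from the slide.
    Each field is length-prefixed before hashing so the concatenation is
    unambiguous (an assumption; the slide does not fix an encoding)."""
    h = hashlib.sha256()
    for field in (provider, package, udid):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(2, "big"))
        h.update(data)
    return h.hexdigest()


def ad_requests(identifier_fn, udid=DEVICE_UDID):
    """Simulate one ad request per (provider, app) pair from one device."""
    return [
        (provider, package, identifier_fn(provider, package, udid))
        for provider in PROVIDERS
        for package in PACKAGES
    ]


def sniffer_clusters(requests):
    """A passive observer groups requests by the identifier they carry.
    Each cluster is the set of (provider, app) pairs it can link together."""
    clusters = defaultdict(set)
    for provider, package, ident in requests:
        clusters[ident].add((provider, package))
    return dict(clusters)


def provider_can_link_apps(identifier_fn, provider, udid=DEVICE_UDID):
    """Can one provider tell that two of its apps run on the same device?"""
    ids = {identifier_fn(provider, pkg, udid) for pkg in PACKAGES}
    return len(ids) == 1


if __name__ == "__main__":
    for name, fn in (("raw UDID", raw_identifier),
                     ("scoped hash", scoped_identifier)):
        clusters = sniffer_clusters(ad_requests(fn))
        print(f"{name}: sniffer sees {len(clusters)} distinct identifier(s); "
              f"one provider links its apps: "
              f"{provider_can_link_apps(fn, PROVIDERS[0])}")
```

With the raw UDID the sniffer collapses all four requests into one cluster and a provider trivially links its two apps; with the scoped hash every request carries a different value while the value for any one (provider, app) pair stays stable across requests, which is what the provider needs for per-app frequency capping. Two caveats a practitioner should keep in mind: the provider name and package name are public, so anyone who already holds the raw UDID can recompute the hash (the scheme stops correlation, not recognition of a known device), and a short, structured UDID such as an IMEI is small enough to brute-force against a captured hash.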
Slide 20: Conclusion
- No privilege separation between application and ad code
  - Problem: undocumented permissions give the ad code greater access to detailed user data.
- Private user data is sent over the network.
- User identifiers are more persistent than in the browser, so a profile of the user can be built up over time.