What mobile ads know about mobile users


1 What mobile ads know about mobile users
Sooel Son – Google, Daehyeok Kim – KAIST, Vitaly Shmatikov – Cornell Tech
Presented by Isabel Zhuang

2 Introduction
- Mobile advertising allows many mobile applications to obtain revenue without directly charging users
- Applications may incorporate ad libraries called AdSDKs to support advertising
- To increase user response, there is demand for modern AdSDKs to support media-rich content with active JavaScript, images and videos
- AdSDKs need to provide caching of ad content and access to external storage

3 Problem
Why is this a problem?
- Ads are fetched dynamically
- They originate from other advertising networks
- Ad content can be redirected and obfuscated
- Difficult for AdSDKs to analyse or sanitize their ads
- They could be untrusted and damage the user's device or extract private information
- Ad isolation required

4 Motivation
- Mobile advertising is very popular
- More opportunities for an attacker
- Greater chance of creatives to be displayed on user devices
- Do not have to evade app store filters (e.g., Google Bouncer) as seen with applications
- Realistic threat in mobile advertising ecosystem
The question: What can an advertisement learn about the user of the device they are displayed on?

5 Key Words
- Creative: An image that can be rendered as an advertisement on an ad serving platform
- Advertising impression: A creative that is delivered and displayed on a mobile device
- AdSDK: An advertising library developers can use to integrate ads into their application. Fetches and displays ads when the application is running

6 Experiment set up
Assumptions:
- Application is benign
- AdSDK is benign
- Advertisers untrusted
- Impressions contain malicious content
Environment:
- Ads shown in an embedded WebView browser that prevents JavaScript reading content from other origins
- Different permissions to host app and AdSDK

7 Experiment set up Cont.
4 popular AdSDKs:
- AdMob - Google
- MoPub - Twitter
- AirPush - Private
- AdMarvel - Opera Software
4 Target Apps:
- Applications that create files in external storage on a user's device (do not need to use AdSDKs)
4 Attack-Vector Apps:
- Any ad-supporting application using one of the AdSDKs previously mentioned to show malicious ads

8 Mobile advertising ecosystem
Experiment
Aim: To determine what information AdSDKs send to AdSDK Providers and make available to advertisers
Method:
- Integrate AdSDKs into Android test apps
- Use proxy server to analyse ad requests sent by AdSDK

9 Inference Attacks
- Data mining technique to infer sensitive information about users
- As a result, can allow advertisers to target users with ads based on user profiles
- In this context, achieved by reading or inferring existence of local resource files to find out information about the user

10 Simulating Malicious Advertisers
- Intercept creatives sent to mobile devices
- Add a script element to fetch another JavaScript file
- Fetched file runs in context of advertising creative to attempt to collect or infer sensitive information

11 Results
- Successfully determine drugs user searched for
  (means that an app using that AdSDK displays the attack ad, which can find out which medications the user shopped for)
- Can infer gender preference
- Correctly identified all sites visited by Dolphin
- Identified presence and absence of friends' thumbnail images

12 Defence
Developer:
- No way to restrict privileges of AdSDK
- Isolation of external storage subspace not supported in Android OS
AdSDK Provider:
- Ban scripts in creatives: impractical / contradicts trend towards richer interactive ads
- Scan creatives: evasion of malicious code detection by obfuscation
- Block local resource loading: unnecessary mobile data usage
Mobile OS Designers:
- Add facilities to restrict WebView to dedicated storage subspace
- Provide built-in "jail" functionality invoked via API call
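
The "Block local resource loading" option above, sketched as an added example (not from the slides or from any AdSDK). The class names AdWebViewHardening and LocalResourceBlocker are hypothetical; every call is a standard android.webkit API.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Locale;

/** Hypothetical helper: locks down the WebView that renders ad creatives. */
public final class AdWebViewHardening {
    private AdWebViewHardening() {}

    public static void apply(WebView adView) {
        WebSettings s = adView.getSettings();
        s.setJavaScriptEnabled(true);                  // rich creatives still need script
        s.setAllowFileAccess(false);                   // refuse file:// loads
        s.setAllowContentAccess(false);                // refuse content:// provider loads
        s.setAllowFileAccessFromFileURLs(false);       // explicit on old API levels
        s.setAllowUniversalAccessFromFileURLs(false);
        adView.setWebViewClient(new LocalResourceBlocker());
    }

    /** Defence in depth: answer local-scheme requests without touching storage. */
    static final class LocalResourceBlocker extends WebViewClient {
        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view,
                                                          WebResourceRequest request) {
            Uri url = request.getUrl();
            String scheme = url.getScheme() == null
                    ? "" : url.getScheme().toLowerCase(Locale.ROOT);
            if (scheme.equals("file") || scheme.equals("content")) {
                // Identical reply whether or not the target exists, so the
                // creative's load/error handlers cannot be used as an
                // existence check on local files.
                WebResourceResponse denied = new WebResourceResponse(
                        "text/plain", "utf-8", new ByteArrayInputStream(new byte[0]));
                denied.setStatusCodeAndReasonPhrase(403, "Forbidden");
                return denied;
            }
            return null; // network resources load as usual
        }
    }
}
```

The cost is the one the slide names: media that would have been served from a local cache has to be fetched over the network again.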

13 Issues and improvements
- Good focus on capabilities of malicious advertisers
- Addresses defence for AdSDK Providers and Mobile OS Designers
- More information for defence for users
  - Provide adblockers similar to online browsers?
  - Play Store to explicitly state which permissions are required by app and AdSDK? Allow the user to be informed and choose whether to download the app
- Comparison of different OS
  - Repeat for iOS or Windows devices and compare the effectiveness of inference attacks
- Use more popular applications as target apps
  - Users more likely to have these apps on their devices; assess what kind of information attack-vector apps can infer

14 Thank you for listening
Presented by Isabel Zhuang

