1. Free for All! Assessing User Data Exposure to Advertising Libraries on Android
Campbell Foskin

2. Introduction
“What if advertising networks took full advantage of the information-sharing characteristics of the current Android architecture?”

3. Introduction
Many studies focused on detecting/measure security risks in app ad libraries
To fully assess the risk of ad libraries – all allowed behaviors must be explored..
Identifies four main attack channels and systematically explores their potential reach
Pluto framework:
Can be leveraged to analyze an app and discover what user data it exposes to opportunistic ad libraries
Uses NLP and machine learning algorithms

4. Background: Mobile advertising
Advertising services assist in matching ads to users to turn more impressions into conversions.
This is achieved with the use targeted data.
Advertisers collaborate with data brokers who collect user data and maintain user profiles, in order to target certain segments of the population.
Data brokers incorporate ad libraries into apps that can collect user attributes and interests

5. Background: Android protection mechanisms
Each app on is assigned a unique static UID when it is installed – can only access it’s own resources.
Ad libraries inherits the UID of the host app - shares privileges and permissions
DAC allows access the apps local files
Granted permissions allow access to other services on the device (e.g. GPS)

6. The Threat Model
A risk is the potential compromise of an asset (User targeted data) as a result of an exploit of a vulnerability (Attack channel) by a threat (Opportunistic ad library)
Out App:
Unprotected/public APIs
In App:
Using protected APIs
Access to host app’s local files
Observing user inputs into host app
Data points derived from attributes in FT calculator
e.g. Gender = data point
Male = data point value

7. In-App: Locally stored data
During lifetime apps produce local persistent files, provides SharedPreferences class to access and store retrieve app resources in UID protected directory.
Ad libraries inherit DAC privileges and SE Android MAC capabilities from host
As such can access and read app’s locally stored files – including any user data
Example: My Ovulation Calculator (1,000,000–5,000,000 downloads)
Headaches, pregnancy status, trimester etc. -> $$$

8. In-App: Protected APIs
Ad library uses same system identifier as host – both in static UID and dynamic PID
Thus library can use any permission-protected APIs the host is granted access too
E.g. account permissions, location etc.
Results of manual inspection of 262 apps

9. In-App: Observing user input
An ad library could use its position to peak on user input
Find UI elements in resource files corresponding to targeted data and monitor them
Example: Text Me! Free Texting & Call (10,000,000–50,000,000 downloads)
Could capture users gender, age and zip code.

10. Out-App: Public APIs
Public APIs considered harmless by AOSP and are unprotected.
Can be used without requesting permission
Can gather targeted data such as age and gender from installed applications.
12.54% of the examined apps (318/2535) incorporate ad libraries that these APIs to collect the app bundle of the user

11. The Pluto framework
Modular framework for estimating in-app and out-app targeted data exposure for a given app
In-App:
Local files that the app generates
App layout and string resource files
App manifest file
Out-App:
Installed app bundles

12. The Pluto framework: In-App
Dynamic Analysis Module:
Runs app on emulator and extracts files
Decompiles and extracts layout, resource and runtime generated files
File miners:
Uses a set of user attributes and interests as a matching goal.
Reaches matching goal if data point is found in a file
Context disambiguation layer uses similarity metrics to prune matching goals - driodLESK

13. The Pluto framework: Out-App
Given a set of installed apps, what data points can we derive?
Co-installation Pattern module (CIP)
Co-installation Pattern: Given an app, what is the probability of finding another set of apps
Dynamically updated records of install apps
FPM algorithms to discover associations between apps
Classifiers
Takes corpus of user attribute/interest and app bundle pairings to train classifier
Infer user attributes and interests from the CIP estimated app-bundles

14. Criticism and recommendations
Only four attack channels were explored. Pluto is modular – would recommend this be extended in future work if new attack channels covered.
Camera and microphone permissions not explored – ML can infer a lot from their info.
Android watches etc. – many possible avenues of attack omitted
File miner NLP only accounts for common conventions e.g. camelCase, snake_case
Recommend further investigation and possible methods to interpret more cases

15. Criticism and recommendations
Framework did not address complications that could arise from obfuscated code – simply omitted those that broke. Any apps that work with ad libraries to obscure their exposure would not be detected by Pluto. Recommend further inquiry into this area.
Exposure of sensitive information beyond user attributes/interests
E.g. details of financial records and data are not explored in the framework.
243 survey participants, resulted in 1985 distinct package names collected. Over 1.4 million apps on google play store.

16. Questions?