What Mobile Ads Know About Mobile Users


1 What Mobile Ads Know About Mobile Users
By Sooel Son (Google), Daehyeok Kim (KAIST), and Vitaly Shmatikov (Cornell Tech) Presented by Rebecca Lee

2 Introduction
- Mobile apps rely on advertising for most of their income
- Apps use advertising libraries (AdSDKs) to deliver ads
- 41% of apps in the Google Play Store use at least one mobile advertising library
- AdSDKs fetch ads from their servers and display them to users
- Redirection, obfuscation, and proliferation of ads make it difficult to check that they are safe
- This study focuses on the idea of malicious advertisers

3 Background
- Focused on 4 popular Android AdSDKs
  - AdMob
  - MoPub
  - AirPush
  - AdMarvel
- External storage in a modern Android device is shared
- Some apps cache files with very predictable names
- Easier for malicious advertisers to have their ads displayed
- Each creative (ad) displayed on a mobile device is called an advertising impression

4 The Threat
- AdSDKs need access to geolocation and external storage
- Is a permission requested by the app for the AdSDK or for the app itself? Users cannot tell
- Reducing latency is critical for AdSDKs, so they need cached files
- From Android 4.4, permission is needed to access external storage
- READ_EXTERNAL_STORAGE permission is implicitly granted by the WRITE_EXTERNAL_STORAGE permission
- MoPub, AirPush, and AdMarvel all ask for the Write permission

5 Experiment & Results
- Integrate each AdSDK into an Android test app and use a proxy server to analyse advertising requests
- Target app creates the local files that contain sensitive information
- Attack-vector app is the ad-supporting app that happens to show a malicious creative

6

7 Sensitive Information
- Medications
- Gender preferences for dating partners
- Browsing history
- Social graph
- User trajectories

8 Attack Mechanism
- Reading local files
- User (unintentionally) downloads an HTML page that holds a malicious payload
- Attacker’s ad invokes the payload; JavaScript in the payload can steal local files
- JavaScript code that may seem harmless in a web context causes privacy issues when translated into a mobile context

9 The Defence
- Developers have few options to protect their users
- No way for app developers to restrict privileges of the AdSDKs they include
- Apps cannot confine WebView modules to a subspace of external storage; this is not supported by Android
- AdSDK providers can
  - Ban scripts -> impractical
  - “Jail” the WebView instance
*Proposed defence is designed against malicious advertisers. Not effective against malicious apps
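One way an AdSDK provider could "jail" the WebView that renders creatives, as an added example that is not from the presentation or the paper: file:// loads are permitted only under the SDK's own cache directory, and everything else on shared storage gets an empty reply. The class name AdWebViewJail and the cache directory passed to it are assumptions; the WebView and WebSettings calls are standard Android APIs.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;

// Hypothetical class (added example): confines an ad WebView to the SDK's own cache directory.
public final class AdWebViewJail extends WebViewClient {
    private final String jailPrefix; // canonical cache path plus trailing separator

    public AdWebViewJail(File adCacheDir) throws IOException {
        this.jailPrefix = adCacheDir.getCanonicalPath() + File.separator;
    }

    /** Call once on the WebView instance that renders creatives. */
    public void install(WebView adView) {
        WebSettings s = adView.getSettings();
        s.setAllowFileAccessFromFileURLs(false);      // file:// pages cannot read other files
        s.setAllowUniversalAccessFromFileURLs(false); // nor any other origin
        s.setAllowContentAccess(false);               // no content:// reads from creatives
        adView.setWebViewClient(this);
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        Uri url = request.getUrl();
        if (!"file".equalsIgnoreCase(url.getScheme())) {
            return null; // not a local file: let WebView load it normally
        }
        // Same empty reply whether or not the file exists, so nothing is learned from the load.
        return isInsideJail(url.getPath()) ? null : emptyResponse();
    }

    boolean isInsideJail(String path) {
        if (path == null) return false;
        try {
            // Canonicalize first so ".." segments and symlinks cannot escape the prefix check.
            return new File(path).getCanonicalPath().startsWith(jailPrefix);
        } catch (IOException e) {
            return false; // fail closed
        }
    }
    private static WebResourceResponse emptyResponse() {
        return new WebResourceResponse("text/plain", "UTF-8", new ByteArrayInputStream(new byte[0]));
    }
}
```

As the slide notes, this only constrains creatives inside the SDK's WebView; another app holding the storage permission can still read the same files directly.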

10 Opinions
- Not many experiments
- The Experiment
- Assumptions
- Proxy servers
- Phones tested
- Android versions tested
- Apps tested

11 After thoughts
- Expectations
- What other ways of attacking?
- What can users do?
- iOS?

