Mobile advertisement security


1 Mobile advertisement security
Martin PAUTY Jonathan ROSS Fabien Bloume

2 A massive phenomenon: 83 million $ in 2017
Win-win situation: app developers can profit from their work without charging the users.
Quickly annoying -> ad blockers -> need to personalize

3 Table of Contents
Mobile Advertisement Display Mechanism
How Much Do We Really Reveal?
Facebook’s PII-Based Targeting
3.1 Background
3.2 Attacks
3.3 Defense

4 Online Advertisement
RTB: Real-time Bidding
SSP: Supply-side Platform (OpenX)
DSP: Demand-side Platform (MediaMath)
An impression (the ad space seen by a user on a website, the publisher) is sold by the SSP on the ad exchange platform (Doubleclick, Rubicon), where DSPs buy it at auction on behalf of advertisers in order to place their ads.

5 Tracking
On almost any website you receive cookies (text files)
Tracking companies use cookies to collect browsing history
Resetting cookies or using private browsing can help to avoid tracking
But tracking companies now use evercookies or fingerprinting
Ad exchanges also track users by sending them cookies.
Cookies are stored in the computer's memory but are accessible from the browser.
Evercookies are stored in several different places in memory.
Fingerprinting involves generating a unique ID for each user from their browser, browsing history and computer.

6 Cookie-matching
To be sure of their bids, DSPs want to know the users
But under the Same Origin Policy (SOP), DSPs can’t access the SSP’s cookies
Cookie-matching circumvents this obstacle
The ad exchange or DSP creates a mapping between their cookies
So they know which user is behind a cookie that they are not supposed to know
DSPs use this information to maximize their gains: the more they know about users, the more secure the investment.
SOP means that a script on a web page can’t access the information of another web page if they don’t have the same origin (protocol, host name and port number).
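The cookie-matching exchange described on this slide, as an added simulation that is not part of the original presentation. The host names, cookie names (`xid`, `did`), ID formats and the redirect-with-ID-in-URL mechanism are assumptions chosen to show one common way the mapping is built without either party reading the other's cookies.

```python
# Added illustration: simulated cookie matching between an ad exchange and a DSP.
# Host names, cookie names and ID formats are constructed for this example.
import uuid
from urllib.parse import urlencode, urlparse, parse_qs

class Browser:
    """Cookie jar keyed by host: each host only ever receives its own cookies."""
    def __init__(self):
        self.jar = {}

    def get(self, url, servers):
        host = urlparse(url).netloc
        cookies = self.jar.setdefault(host, {})
        # The server is handed a copy of the cookies scoped to its host only.
        set_cookies, redirect = servers[host].handle(url, dict(cookies))
        cookies.update(set_cookies)
        return self.get(redirect, servers) if redirect else None

class Exchange:
    def handle(self, url, cookies):
        xid = cookies.get("xid") or "X-" + uuid.uuid4().hex[:8]
        # Redirect the browser to the DSP, carrying the exchange's ID in the URL.
        target = "https://dsp.example/match?" + urlencode({"xid": xid})
        return {"xid": xid}, target

class DSP:
    def __init__(self):
        self.match_table = {}  # exchange ID -> DSP's own ID for the same browser

    def handle(self, url, cookies):
        did = cookies.get("did") or "D-" + uuid.uuid4().hex[:8]
        xid = parse_qs(urlparse(url).query)["xid"][0]
        self.match_table[xid] = did  # the mapping the slide refers to
        return {"did": did}, None

def run_match():
    """Load the exchange's pixel once and return the cookie jar and match table."""
    browser, dsp = Browser(), DSP()
    servers = {"exchange.example": Exchange(), "dsp.example": dsp}
    browser.get("https://exchange.example/pixel", servers)
    return browser.jar, dsp.match_table
```

On the wire this appears as a chain of third-party redirects with an identifier in the query string, which is the pattern to look for when auditing a page's or an app's ad traffic.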

7 Specificity of Mobile environment
The Android system can provide more information through cookies (app activities, app lists, device models, geolocation...)
Moreover, people link their accounts with their Google account, making all information about us easily available
More vicious and pervasive

8 How Much Do We Really Reveal ?

9 Ethics of Mobile Advertising - Motivation
Mobile ads are pivotal to the mobile device ecosystem
Benefit both the consumer and the publisher
Hidden costs?
We become more intimate with mobile devices every day
Privacy leakage is still a serious issue

10 The Mobile Advertising Ecosystem
Publishing
Advertising
Serving
Targeting: Topic, Interest, Demographic
Mobile vs. Web
Vulnerabilities
Advertiser – the content provider and offer owner
Publisher – the traffic provider and the one who's responsible for the ad
Affiliate Network – an intermediary between Advertisers and Publishers

11 Goals & Challenges
How much information do ad networks actually know? And how much do they use?
Could personalized ads serve as a channel for information leakage?
Artificial profile construction: doing so leads to invalid data -> use real users instead
Variable elimination
Geolocation is important for serving ads -> use a VPN
Different apps use different ad platforms -> create your own
Does the ad network know the user’s gender? -> (We don’t know how it knows) -> Build artificial profiles for male and female -> Ads are not correlated to gender -> Ad network doesn’t know the user’s gender. But really??

12 Methodology for Collecting Data
Amazon MTurk - Human Intelligence Task
Questionnaire on interests and demographics
Use custom app to serve 100 Google AdMob ads
217/284 valid participant responses
Serves AdMob only!
Does not set any target attributes from API
Collects installed apps with AdMob SDK attached
Ads were split into 1 of 24 categories based on content

13 Interest Profiles
Demographics could be skewed, but it shouldn’t matter in the grand scheme

14 Interest Profiles
695 unique ads
39,671 total ad impressions

15 Interest Personalization
Mobile ads heavily focus on ad personalization based on interests
Google is actively personalizing ads for you, with stunning accuracy

16 Demographics
The only demographic information that AdMob can glean from your profile is: Age, Gender, Parental Status
Extract from AdMob’s terms:

17 Demographics Personalization
Gender, Parental Status, Income, Religion
Non-important targeting factors: Age, Education, Ethnicity
Both interest profile based personalization and demographics based personalization were prevalent in mobile in-app advertising

18 Privacy Leakage
The ability to observe personalized ads and the reason they are served opens up a new gateway to the loss of private information
Demographics-based Machine Learning Classification
Features: number of impressions given each ad category; list of installed apps with Google AdMob SDK included
Evaluation: randomly distributed 5-fold cross validation
Metric: mean of the cross-validated samples
Adversary cannot have a better chance than simple random guessing

19 Privacy Leakage - Results
The classification algorithms all perform better than the simple randomly-guessing dummy algorithm
User information can be exploited in this way

20 Leakage Countermeasures
We NEED to isolate the ads from the host app
HTTPS will NOT solve the problem
This must be stopped at the system level itself
Steps that ad networks can take:
Make the personalized data fuzzy, add noise
Make the personalized information less granular, i.e., more general targets
Not all ad networks will follow this! After all, this is the way they make money faster.
In Android, the host app can observe all the personalized ads. The ad network may be inadvertently leaking its collected info to the app developer. In AdMob’s case, the information is age, gender, and parental status. This gives an adversary a non-trivial advantage in predicting other aspects of the user’s demographics, such as religion or income, based on the other ads they are served. These features can be thoroughly exploited and collected or sold to ad agencies in order to bolster their algorithms.

21 3. Facebook PII-Based targeting : Privacy risks and practical attacks

22 Mark Zuckerberg’s 5-hour hearing to clarify data privacy issues
Facebook: one of the most mature and well-used advertising platforms
Facebook: 2 billion users; 1.4 active every day
Social media's data: Facebook, Google > Data brokers
Collected data serves ad mechanisms on billions of users worldwide
Strong responsibility: a single breach or hack can potentially threaten the privacy of the users to a great extent
Data broker: a company which collects a lot of information about users from various sources, processes it and then sells it.

23 What’s Facebook’s knowledge on Data?
Knows most PIIs a social platform may know: from name and birthday to phone numbers for authentication, and locations under certain circumstances
Analyzes public content (posts, likes) as well as messaging content
May know what you visit/visited through other mechanisms
Facebook, Instagram and WhatsApp are owned by the same entity
The most powerful advertising platform for advertisers
How can an advertiser place an ad, how does it work?
While this is not uncommon, what advertisers can do with it is different

24 Facebook ad-mechanism and advertisers’ abilities (1)
Create a custom audience using 15 different types of user information
Names, , Phone number, Mobile ad ID, Date of birth, Year, Age, Gender, Address (city, state, postal code, country), Facebook App/Page user ID
Requirements: at least 20 users + Bold information can be used alone
While Facebook works hard to address data and privacy issues in an ethical way,

25 Seductive attributes for advertisers
Advertisers upload user attributes to create a custom/targeted audience.
A small business can target users with direct advertising, just by knowing the address.
Min_size >= 20
A research team from the US and France took a deeper look at how advertisers can target their audience using social media.
Facebook owns Instagram as well as WhatsApp.

26 Facebook ad-mechanism and advertisers’ abilities (2)
Create a tracking pixel audience
Include a tracking pixel on an external website, containing JavaScript code provided by Facebook.
The audience is usable starting from 20 individuals.

27 Facebook ad-mechanism and advertisers’ abilities (3)
Obtaining potential reach: active users matching the audience targeting parameters
Place an ad to an existing audience, group audiences.
Include/exclude users from selected audiences
Benefits: spares the advertiser from submitting multiple ads
Exclude users to end up with fewer than 20 users in the potential reach audience

28 Facebook ad-mechanism and advertisers’ abilities (4)
Audience comparison page to help advertisers target the audience they are aiming at: overlaps between audiences, audience intersection size
Operations such as intersection ∩ are done between selected audiences.
Researchers found that the audience intersection size is around 5% of the smaller of the two custom audiences. It is blurred but predictable if studied closely.
Requirement: audience size of at least 1000

29 Attack number 1 : De-anonymize a website visitor
Requirement: being an active user, knowing a single PII
Step 1: The user is targetable only if he is an active user
Upload a set of random lists Ai of at least 1000 entries to Facebook’s ad platform.
Upload V, a custom audience containing the targeted user
Ask Facebook for the potential reach of one of these lists (Ai ∪ V)
We compare lists with and without that person, and we see whether the user in V makes the score increase or not
If it increases, the user is active and therefore targetable

30 Attack number 1 : De-anonymize a website visitor
Step 2: Upload the tracking pixel audience P from our website.
Combine it with a list big enough to reach the necessary threshold
Ask Facebook for the potential reach score
Last step: Exclude list V with the targeted user from the combined lists: (Ai ∪ P) \ V
If the score drops, we know this user visited our website

31 Attack number 2 : From email to phone number
Requirement: address
Two lists R and J, big enough, that don’t contain any similar user attributes.
1,949 records and 200 respectively for the experiment
We compute the score

32 Attack number 2 : From email to phone number
Create lists of all possible phone numbers, for one fixed digit at a time
Compare the list with the two previous ones
When the score increases with the list, it means one digit is correct.
We iterate until we get all digits
Phone number found!
Cost: a few hours; uploading is the most expensive part, creating lists. 0RMB

33 Defense mechanisms proposed
Limit queries, detection of anomaly or suspicious behaviour
Could be bypassed using multiple accounts
Financial disincentives
Big companies with large amounts of data wouldn’t like it
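One way to implement the "limit queries / detect suspicious behaviour" defence on the platform side, as an added example that is not from the presentation or from Facebook. `MIN_DIFF`, `MAX_QUERIES`, the account names and the user IDs are assumptions; `MIN_AUDIENCE` is the 20-user minimum given on the slides. The second scenario in `demo()` shows the slide's caveat that a per-account check is blind to queries split across accounts.

```python
# Added illustration: platform-side audit of potential-reach queries.
MIN_AUDIENCE = 20   # minimum audience size given on the slides
MIN_DIFF = 100      # assumed: smallest allowed difference between two queried audiences
MAX_QUERIES = 50    # assumed: per-account query budget

class ReachAuditor:
    """Decides whether a potential-reach query may be answered."""
    def __init__(self):
        self.history = {}  # account -> audiences already answered

    def check(self, account, audience):
        audience = frozenset(audience)
        past = self.history.setdefault(account, [])
        if len(audience) < MIN_AUDIENCE:
            return "deny: audience too small"
        if len(past) >= MAX_QUERIES:
            return "deny: query budget exhausted"
        for prev in past:
            # Two answers whose audiences differ by only a few users reveal
            # whether those users are counted (a differencing query).
            if 0 < len(audience ^ prev) < MIN_DIFF:
                return "deny: near-duplicate of an earlier query"
        past.append(audience)  # only answered queries enter the history
        return "allow"

def demo():
    # Constructed sample data: 1,000 filler IDs (A) and a 20-user list (V).
    A = {"user%04d" % i for i in range(1000)}
    V = {"v%02d" % i for i in range(20)}
    one = ReachAuditor()
    same_account = [one.check("acct-1", A), one.check("acct-1", A | V)]
    two = ReachAuditor()
    # Caveat from the slide: the same pair split across two accounts passes.
    split_accounts = [two.check("acct-1", A), two.check("acct-2", A | V)]
    return same_account, split_accounts
```

Closing the multi-account gap requires correlating queries across accounts, for example by comparing uploaded audiences platform-wide rather than per account.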

34 Conclusion
Facebook: very strict answer following this paper and its findings
Can’t combine lists which contain different kinds of PII anymore
Complexity of balance: relevant statistics for advertisers and data safety
An adversary can find a malicious way to obtain private data if he puts the necessary effort into figuring out how it works and its potential weaknesses.

35 Thank you for your attention!
Bibliography
The Price of Free: Privacy Leakage in Personalized Mobile In-Apps Ads, NDSS’16
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads, Usenix Security'16
Privacy Risks with Facebook's PII-based Targeting: Auditing a Data Broker's Advertising Interface, S&P’18
We have seen that mobile advertisement gives advertisers many possibilities, but they have to be controlled

