Presentation is loading. Please wait.

Presentation is loading. Please wait.

2015. 6. 26 박 종 혁 컴퓨터 보안 및 운영체제 연구실 Workshop on Mobile Security Technologies (MoST). 2012.

Published byPhillip Reynolds Modified over 9 years ago

Similar presentations

Presentation on theme: "2015. 6. 26 박 종 혁 컴퓨터 보안 및 운영체제 연구실 Workshop on Mobile Security Technologies (MoST). 2012."— Presentation transcript:

1 2015. 6. 26 박 종 혁 pjh61014@dankook.ac.kr 컴퓨터 보안 및 운영체제 연구실 Workshop on Mobile Security Technologies (MoST). 2012

2 Computer Security & OS Lab. ContentsContents 2  Introduction  Background  Unique Privacy Concern in Ad  Methodology  Permission  Private Data on the network  Tracking User  Potential Solution  Conclusion

3 Computer Security & OS Lab. IntroductionIntroduction 3  Smart phone have Rapidly increased in popularity in recent years Many Developer release their applications for free and generate revenue from ads  Advertisement Libraries Send information about the device and user to the ad server Growing concern about user privacy  In this paper Identify unique privacy concerns in Android app advertising Discover privacy threats resulting from these concerns Analyze popular Android ad libraries for these threats

4 Computer Security & OS Lab. BackgroundBackground 4  Android Linux-based smart phone operating system Require application to specify a list of permissions(manifest.xml) Permission access sensitive user information  Android Third-party Library Developer use libraries to parse a specific file format Communicate with a popular web applications or provide advertising functionality Libraries the same privileges as application code Allow to read application-specific private information or utilize functionality granted by any permission the application declares  Unique Device Identifier(UDID) ANDROID_ID Random hex string that is generated during the first boot of device IMEI, MEID, ESN The telephony device ID of the Phone Android.os.Build.SERIAL Does not require a permission MAC address Phone’s Wifi or Bluetooth adapter

5 Computer Security & OS Lab. BackgroundBackground 5  Online Advertising Refer to the Internet Advertising Bureau’s glossary of advertising terms AdvertiserAd Provider  Ad Request Users Ad Server Response with Advertisement  Publisher

6 Computer Security & OS Lab. BackgroundBackground 6  Advertising on Android Android ad providers give developers a Software Development kit(SDK) library, which provide an API for displaying advertisements

7 Computer Security & OS Lab. Unique Privacy Concern in Ad 7  Consider three specific differences Between in-app advertising using an ad library and in-browser advertising  1. Lack of Privilege Separation Between Application and Ad Code Give ad provider the opportunity to run code on user’s device with the same permission as the application that uses the library Allowing the ad provider to exfiltrate data from the device In-browser advertising Exfiltrating user information is difficult because of same origin policy in-app advertising Has specific permission which gives application the ability to access to user information  2. Detailed User Data On the user’s device may have more privileged access to the user’s data In-browser advertising Browser assume external code is untrusted and sandboxes in-app advertising Allow in-app advertising code to run in a very privileged state

8 Computer Security & OS Lab. Unique Privacy Concern in Ad 8  Consistency of User Identifiers Ad provider to track the user’s behavior UDID can be sent with the ad request and allow the ad provider to track user behavior In-browser advertising IP addresses and cookies change over time may be reset by user in-app advertising Resetting the UDID values on Android either requires a factory rest or root permission on the phone

9 Computer Security & OS Lab. MethodologyMethodology 9  Examine the most Popular ad providers To gain the best insight into current Android ad provider  Combine ad provider list Determine the ad providers that are the most popular in terms of the overall amount of ad traffic Ad traffic of mount is number of user using applications supported by the ad provider Examining most prevalent ad providers in the top 500 applications on the google play Market

10 Computer Security & OS Lab. MethodologyMethodology 10  Analyze the behavior of library Signed up as a developer each ad provider downloaded a copy of the most recent library Instrumented a sample application using library Captured the data(ad request) sent over network Determine the fields such as age or gender Referenced the provider’s documentation Determine how the fields were populated Ensure fields are present in live traffic Manually verified that ad request from each ad provider contained the relevant fields

11 Computer Security & OS Lab. PermissionsPermissions 11  Permissions Classification Ad library cat take advantage of permissions to covertly access sensitive data Kind of Permission in ad provider documentation Required permission Optional permission Stowaway Detect Android framework API methods the application accesses using an internal mapping between API methods and required permissions Mannually investigated Each of the undocumented permissions Determine if they were being used

12 Computer Security & OS Lab. PermissionPermission 12  Permission misuse Conjecture actively collecting personal data using permission Most ad libraries require similar core set of permission INTERNET, ACCESS_LOCATION, ACCESS_NETWORK. READ_PHONE_STATE Moblix library Include four invasive permissions READ CALENDAR, WRITE CALENDAR, READ CONTACTS, and WRITE CONTACTS Contain contains read / write a user’s calendar and contacts databases mOcean and lnmobi library contain functionality to start phone calls Add events to a user’s calendar without user interaction mOcean can send SMS messages without user interaction

13 Computer Security & OS Lab. PermissionPermission 13  Permission misuse

14 Computer Security & OS Lab. PermissionPermission 14  JavaScript Interface Can be used to dynamically invoke other method during method Android documentation Specifically warns against running untrusted JavaScript Interface Vulnerable Ad libraries Confirm that four ad libraries will run external code within the Webview User would be vulnerable to loss of personal data or other malicious action Ad Libraries exfiltrate Mobclix Modify users’ calendar, contact, User’s audio and image file On/off the camera LED greystripe Get and/or set user’s cookies mOcean Send SMS and email message, Start phone call, add calendar entries Get location make arbitrary network request Lnmobi Send SMS and email message, Start phone call, Modify the user calendar

15 Computer Security & OS Lab. PermissionPermission 15  JavaScript Interface Proof-of-Concept To demonstrate the significance of vulnerability Set up a test environment Attempted to exploit Mobclix and mOcean ad libraries Used Samsung Galaxy Nexus as the victim device To simulate the user’s vulnerable application Perform a end-to-end attack to victim device from Mobclix and mOcean Initiate a phone call to an arbitrary number with no user interaction

16 Computer Security & OS Lab. Private Data on the Network 16  Report what private user information Each ad library is capable of sending over the network Observed each library’s behavior both in emulated environment and live traffic Determine how the fields were populated in ad request Referenced the provider’s documentation about specified fields Determine which fields the library would set automatically by observing the permission that the ad library used

17 Computer Security & OS Lab. Tracking Users 17  Android UDID Never change or can only be changed with root privilege  Concerned with two primary treats Unscrupulous ad provider tracking users across several installed application A network sniffer tracking users across several ad provider  Ad provider consistently transmit The same UDID filed(hashed or unhashed UDID value) regardless of the appllication Network Sniffer that may track users across several libraries

18 Computer Security & OS Lab. Tracking Users 18

19 Computer Security & OS Lab. Potential Solution 19  Failure to Protect the Contents of ad request Protecting sensitive information during transmission Need to encrypt their communication such as SSL SSL is expensive and allow for concurrency on the server Solution Low overhead – minimal session stae Lightweight – perferrably symmetric key  Mishandling of UDID User’s privacy must be protected against a network sniffer Solution hash(ad provider || package name || UDID)  Lack of ad and application privilege separation Ad libraries access to all of the sensitive data in application Solution Third party code should not be allow to access application-specific data Permission not explicitly granted to ad code then any request that requires it is granted

20 Computer Security & OS Lab. ConclusionConclusion 20  No privilege separation between app and ad code Problem – Undocumented permission  Greater access to detailed user data Private user data on network  More persistent user identifiers User profile data over time

Download ppt "2015. 6. 26 박 종 혁 컴퓨터 보안 및 운영체제 연구실 Workshop on Mobile Security Technologies (MoST). 2012."

Similar presentations

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.
Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.

Thomas S. Messerges, Ezzat A. Dabbish Motorola Labs Shin Seung Uk.
Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.

UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.
IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.

IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.
Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.

Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Presentation By Deepak Katta

Presentation By Deepak Katta
Unsafe Exposure Analysis of Mobile In-App Advertisements Offense: Rachel Stonehirsch.

Unsafe Exposure Analysis of Mobile In-App Advertisements Offense: Rachel Stonehirsch.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Introduction Our Topic: Mobile Security Why is mobile security important?

Introduction Our Topic: Mobile Security Why is mobile security important?

Similar presentations

Ads by Google