Investigating User Privacy in Android Ad Libraries

2015. 6. 26

박 종 혁 (pjh61014@dankook.ac.kr)

Computer Security and Operating Systems Lab

Workshop on Mobile Security Technologies (MoST). 2012

Contents

• Introduction
• Background
• Unique Privacy Concern in Ad
• Methodology
• Permission
• Private Data on the Network
• Tracking User
• Potential Solution
• Conclusion

Introduction

Smartphones
  • Have rapidly increased in popularity in recent years
  • Many developers release their applications for free and generate revenue from ads

Advertisement libraries
  • Send information about the device and user to the ad server
  • Growing concern about user privacy

In this paper
  • Identify unique privacy concerns in Android app advertising
  • Discover privacy threats resulting from these concerns
  • Analyze popular Android ad libraries for these threats

Background

Android
  • Linux-based smartphone operating system
  • Requires applications to specify a list of permissions (manifest.xml)
  • Permissions grant access to sensitive user information

Android third-party libraries
  • Developers use libraries to parse a specific file format, communicate with popular web applications, or provide advertising functionality
  • Libraries have the same privileges as application code
  • Libraries are allowed to read application-specific private information or utilize functionality granted by any permission the application declares

Unique Device Identifier (UDID)
  • ANDROID_ID
    • Random hex string that is generated during the first boot of the device
  • IMEI, MEID, ESN
    • The telephony device ID of the phone
  • android.os.Build.SERIAL
    • Does not require a permission
  • MAC address
    • Phone's Wi-Fi or Bluetooth adapter

Online Advertising
  • Refer to the Internet Advertising Bureau's glossary of advertising terms

[Figure: online advertising roles (Advertiser, Ad Provider, Ad Server, Publisher, Users); an Ad Request is answered by a Response with Advertisement]

Advertising on Android
  • Android ad providers give developers a Software Development Kit (SDK) library, which provides an API for displaying advertisements

Unique Privacy Concern in Ad

Consider three specific differences between in-app advertising using an ad library and in-browser advertising

1. Lack of Privilege Separation Between Application and Ad Code
  • Gives the ad provider the opportunity to run code on the user's device with the same permissions as the application that uses the library
  • Allows the ad provider to exfiltrate data from the device
  • In-browser advertising
    • Exfiltrating user information is difficult because of the same-origin policy
  • In-app advertising
    • Has specific permissions which give the application the ability to access user information

2. Detailed User Data
  • Code on the user's device may have more privileged access to the user's data
  • In-browser advertising
    • The browser assumes external code is untrusted and sandboxes it
  • In-app advertising
    • In-app advertising code is allowed to run in a very privileged state

3. Consistency of User Identifiers
  • Allows the ad provider to track the user's behavior
    • The UDID can be sent with the ad request and allows the ad provider to track user behavior
  • In-browser advertising
    • IP addresses and cookies change over time and may be reset by the user
  • In-app advertising
    • Resetting the UDID values on Android requires either a factory reset or root permission on the phone

Methodology

Examine the most popular ad providers
  • To gain the best insight into current Android ad providers

Combine ad provider lists
  • Determine the ad providers that are the most popular in terms of the overall amount of ad traffic
  • The amount of ad traffic is the number of users using applications supported by the ad provider
  • Examine the most prevalent ad providers in the top 500 applications on the Google Play market

Analyze the behavior of the library

Signed up as a developer
  • For each ad provider, downloaded a copy of the most recent library

Instrumented a sample application using the library
  • Captured the data (ad request) sent over the network
  • Determined the fields, such as age or gender

Referenced the provider's documentation
  • Determined how the fields were populated

Ensured fields are present in live traffic
  • Manually verified that ad requests from each ad provider contained the relevant fields

Permissions

Permissions Classification
  • Ad libraries can take advantage of permissions to covertly access sensitive data
  • Kinds of permission in ad provider documentation
    • Required permission
    • Optional permission
  • Stowaway
    • Detects the Android framework API methods the application accesses
    • Uses an internal mapping between API methods and required permissions
  • Manually investigated
    • Each of the undocumented permissions
    • Determined if they were being used

Permission misuse
  • Conjecture: actively collecting personal data using permissions
  • Most ad libraries require a similar core set of permissions
    • INTERNET, ACCESS_LOCATION, ACCESS_NETWORK, READ_PHONE_STATE
  • Mobclix library
    • Includes four invasive permissions
    • READ_CALENDAR, WRITE_CALENDAR, READ_CONTACTS, and WRITE_CONTACTS
    • Contains functionality to read / write a user's calendar and contacts databases
  • mOcean and InMobi libraries
    • Contain functionality to start phone calls
    • Add events to a user's calendar without user interaction
    • mOcean can send SMS messages without user interaction


JavaScript Interface
  • Can be used to dynamically invoke other methods
  • Android documentation
    • Specifically warns against using a JavaScript interface with untrusted JavaScript
  • Vulnerable ad libraries
    • Confirmed that four ad libraries will run external code within the WebView
    • Users would be vulnerable to loss of personal data or other malicious actions

Ad libraries exfiltrate
  • Mobclix
    • Modify the user's calendar, contacts, audio and image files
    • Turn the camera LED on/off
  • Greystripe
    • Get and/or set the user's cookies
  • mOcean
    • Send SMS and email messages, start phone calls, add calendar entries
    • Get location, make arbitrary network requests
  • InMobi
    • Send SMS and email messages, start phone calls, modify the user's calendar

JavaScript Interface: Proof-of-Concept
  • To demonstrate the significance of the vulnerability
  • Set up a test environment
  • Attempted to exploit the Mobclix and mOcean ad libraries
  • Used a Samsung Galaxy Nexus as the victim device

To simulate the user's vulnerable application
  • Performed an end-to-end attack on the victim device from Mobclix and mOcean
  • Initiated a phone call to an arbitrary number with no user interaction

Private Data on the Network

Report what private user information each ad library is capable of sending over the network
  • Observed each library's behavior both in an emulated environment and in live traffic
  • Determined how the fields were populated in the ad request
  • Referenced the provider's documentation about specified fields
  • Determined which fields the library would set automatically by observing the permissions that the ad library used

Tracking Users

Android UDID
  • Never changes, or can only be changed with root privilege

Concerned with two primary threats
  • An unscrupulous ad provider tracking users across several installed applications
  • A network sniffer tracking users across several ad providers

Ad providers consistently transmit
  • The same UDID field (hashed or unhashed UDID value) regardless of the application
  • A network sniffer may track users across several libraries
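The check described in the methodology and tracking slides, as an added example that is not code from the paper or the slides: it scans captured ad requests from a test device for that device's own identifiers, raw or hashed, and reports which (app, host) pairs a passive observer could join. The device identifiers, host names, parameter names and the choice of MD5/SHA-1/SHA-256 as candidate hashes are all constructed assumptions.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

# Identifiers of the test device (constructed values, not real hardware IDs).
DEVICE_IDS = {"ANDROID_ID": "a1b2c3d4e5f60718", "IMEI": "351234567890123"}

def candidate_encodings(value):
    """Forms a library may put on the wire: the raw value or a hex digest of it."""
    forms = {"raw": value.lower()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, value.encode()).hexdigest()
    return forms

def find_identifiers(requests, device_ids=DEVICE_IDS):
    """Return (app, host, param, id_name, encoding) for each identifier found."""
    lookup = {}
    for name, value in device_ids.items():
        for enc, form in candidate_encodings(value).items():
            lookup[form] = (name, enc)
    hits = []
    for app, url, body in requests:
        parts = urlsplit(url)
        # Check both the query string and a form-encoded POST body.
        for key, val in parse_qsl(parts.query) + parse_qsl(body):
            if val.lower() in lookup:
                hits.append((app, parts.hostname, key) + lookup[val.lower()])
    return hits

def linkage(hits):
    """Per identifier, the (app, host) pairs a passive observer could join."""
    seen = {}
    for app, host, _param, name, _enc in hits:
        seen.setdefault(name, set()).add((app, host))
    return {name: sorted(pairs) for name, pairs in seen.items() if len(pairs) > 1}

# Constructed capture: (app package, request URL, POST body).
_AID = DEVICE_IDS["ANDROID_ID"]
CAPTURED = [
    ("com.example.game", "http://ads.provider-a.example/req?fmt=banner&udid=" + _AID, ""),
    ("com.example.news", "http://ads.provider-a.example/req?fmt=banner&udid=" + _AID, ""),
    ("com.example.news", "http://t.provider-b.example/ad",
     "age=30&did=" + hashlib.md5(_AID.encode()).hexdigest()),
    ("com.example.game", "http://ads.provider-c.example/get?zone=7", ""),
]

if __name__ == "__main__":
    for hit in find_identifiers(CAPTURED):
        print(hit)
    print(linkage(find_identifiers(CAPTURED)))
```

The hashed value sent to the second provider is grouped with the raw value because anyone who sees the raw UDID once can recompute its digest.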


Potential Solution

Failure to protect the contents of ad requests
  • Protecting sensitive information during transmission
    • Need to encrypt their communication, such as with SSL
    • SSL is expensive and allow for concurrency on the server
  • Solution
    • Low overhead – minimal session state
    • Lightweight – preferably symmetric key

Mishandling of UDID
  • User's privacy must be protected against a network sniffer
  • Solution
    • hash(ad provider || package name || UDID)

Lack of ad and application privilege separation
  • Ad libraries have access to all of the sensitive data in the application
  • Solution
    • Third-party code should not be allowed to access application-specific data
    • Permission not explicitly granted to ad code then any request that requires it is granted
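The identifier proposed above, hash(ad provider || package name || UDID), as an added example that is not code from the paper or the slides. SHA-256, the length-prefixed encoding of each field, and all sample names and values are assumptions made here; the length prefix is included because bare string concatenation lets two different (provider, package) pairs produce the same hash input.

```python
import hashlib

def _field(text):
    """Length-prefix a field so the concatenation is unambiguous."""
    raw = text.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw

def scoped_id(ad_provider, package_name, udid):
    """hash(ad provider || package name || UDID); SHA-256 is an assumption here."""
    material = _field(ad_provider) + _field(package_name) + _field(udid)
    return hashlib.sha256(material).hexdigest()

def naive_id(ad_provider, package_name, udid):
    """Same idea with bare string concatenation, kept to show its ambiguity."""
    return hashlib.sha256((ad_provider + package_name + udid).encode()).hexdigest()

def legacy_id(ad_provider, package_name, udid):
    """A hashed UDID that ignores provider and app: identical in every request."""
    return hashlib.md5(udid.encode()).hexdigest()

def distinct_ids(udid, installs, derive):
    """How many different identifiers an observer sees across the installs."""
    return len({derive(provider, package, udid) for provider, package in installs})

# Constructed sample data: one device, three (ad provider, app package) installs.
UDID = "a1b2c3d4e5f60718"
INSTALLS = [
    ("provider-a", "com.example.game"),
    ("provider-a", "com.example.news"),
    ("provider-b", "com.example.news"),
]

if __name__ == "__main__":
    print("legacy identifiers on the wire:", distinct_ids(UDID, INSTALLS, legacy_id))
    print("scoped identifiers on the wire:", distinct_ids(UDID, INSTALLS, scoped_id))
    # Bare concatenation: ("ads", "com.app") and ("adscom", ".app") collide.
    print(naive_id("ads", "com.app", UDID) == naive_id("adscom", ".app", UDID))
    print(scoped_id("ads", "com.app", UDID) == scoped_id("adscom", ".app", UDID))
```

Each provider still sees a stable identifier for a given app install, so per-app frequency capping keeps working while values observed in different apps or by different providers no longer match.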

Conclusion

No privilege separation between app and ad code
  • Problem – Undocumented permission

Greater access to detailed user data
  • Private user data on network

More persistent user identifiers
  • User profile data over time