DOI: 10.1145/2185448.2185464

Unsafe exposure analysis of mobile in-app advertisements

Published: 16 April 2012

ABSTRACT

In recent years, there has been explosive growth in smartphone sales, accompanied by the availability of a huge number of smartphone applications (or simply apps). End users are attracted by the many interesting features offered by these devices and the associated apps. The developers of these apps also benefit from the prospect of financial compensation, either by selling their apps directly or by embedding one of the many ad libraries available on smartphone platforms. In this paper, we focus on the potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth "ad libraries," for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May 2011. Among these apps, we identify 100 representative in-app ad libraries (embedded in 52.1% of them) and further develop a system called AdRisk to systematically identify potential risks. In particular, we first decouple the embedded ad libraries from their host apps and then apply our system to statically examine the ad libraries, checking, for example, whether they upload privacy-sensitive information to remote (ad) servers or download untrusted code from remote servers. Our results show that most existing ad libraries collect private information: some of it may be used for legitimate targeting purposes (e.g., the user's location), while other collection is hard to justify, such as invasively gathering the user's call logs, phone number, browser bookmarks, or even the list of apps installed on the phone. Moreover, some libraries go a step further by using an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates that the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need to better regulate the way ad libraries are integrated into Android apps.
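As an added illustration of the two-stage approach the abstract describes (decouple the ad library from its host app, then statically examine the ad library's own code for private-data access and runtime code loading), here is a constructed Python triage script. It is not AdRisk's code; the ad-library package prefixes, the call-graph edges and the list of flagged Android APIs are assumed sample values, with method references written in the smali notation a disassembler such as baksmali produces.

```python
from collections import defaultdict
# Constructed ad-library package prefixes (stand-ins for real ad SDK packages).
AD_LIB_PREFIXES = ("Lcom/exampleads/", "Lnet/sampleadnet/")
# Android APIs that expose private data, mapped to the kind of data they reach.
SENSITIVE_APIS = {
    "Landroid/location/LocationManager;->getLastKnownLocation": "location",
    "Landroid/telephony/TelephonyManager;->getLine1Number": "phone number",
    "Landroid/content/pm/PackageManager;->getInstalledApplications": "installed apps",
    "Landroid/provider/Browser;->getAllBookmarks": "browser bookmarks",
}
# Loading classes from a file obtained at runtime: the unsafe mechanism the abstract describes.
DYNAMIC_CODE_APIS = ("Ldalvik/system/DexClassLoader;-><init>",)

# Constructed call-graph edges in smali notation: (calling method, called method).
SAMPLE_EDGES = [
    ("Lcom/host/MainActivity;->onCreate(Landroid/os/Bundle;)V",
     "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;"),
    ("Lcom/exampleads/AdView;->loadAd()V",
     "Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;"),
    ("Lcom/exampleads/AdView;->loadAd()V",
     "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;"),
    ("Lnet/sampleadnet/Loader;->update()V",
     "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V"),
]

def owning_ad_lib(method_ref):
    """Return the ad-library prefix a method belongs to, or None for host-app code."""
    for prefix in AD_LIB_PREFIXES:
        if method_ref.startswith(prefix):
            return prefix
    return None

def decouple(edges):
    """Step 1: split call edges into one bucket per ad library plus a 'host' bucket."""
    buckets = defaultdict(list)
    for caller, callee in edges:
        buckets[owning_ad_lib(caller) or "host"].append(callee)
    return buckets

def analyze(edges):
    """Step 2: per ad library, which private data it reaches and whether it loads code at runtime."""
    report = {}
    for lib, callees in decouple(edges).items():
        if lib == "host":
            continue  # the host app's own behaviour is attributed to the developer, not the ad library
        kinds = {kind for c in callees for api, kind in SENSITIVE_APIS.items() if c.startswith(api)}
        dynamic = any(c.startswith(api) for c in callees for api in DYNAMIC_CODE_APIS)
        report[lib] = {"collects": sorted(kinds), "dynamic_code": dynamic}
    return report
```

On the sample edges the host app's own location lookup is left out of the report, while the two ad libraries are flagged separately for data collection and for runtime code loading.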


Published in

WISEC '12: Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
April 2012, 216 pages
ISBN: 9781450312653
DOI: 10.1145/2185448
Copyright © 2012 ACM
Publisher: Association for Computing Machinery, New York, NY, United States
Qualifiers: research-article
Acceptance rate: 98 of 338 submissions, 29%