a global study of the mobile tracking ecosystem ndss18
play

A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas - PowerPoint PPT Presentation

Apr 20, 2023 •368 likes •751 views

A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill Presenter: Xueqing Liu 1 Mobile Tracking 2 Mobile

  1. A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill Presenter: Xueqing Liu 1

  2. Mobile Tracking 2

  3. Mobile Tracking 3

  4. How Are Users Tracked by Third-Party Services ? Advertising and Tracking Services Advertising and Tracking (ATS) Services - capable (ATS-c) 4

  5. Monetization with Advertising ● 94% free apps 33 billion 5

  6. Violation of Least-Privileged Principle Opacity to user: Permission Permission Permission ● Which 3rd party services 1 2 3 ● How sensitive data are App 1 yes yes handled Bring Transparency to the Ecosystem! ● Whether eventually shared with a 4th party App 2 yes yes 6

  7. Part 1: Data Collection through Crowdsourcing 7

  8. ● Leverage Android VPN ● Send summarized and ● Intercept traffic via TLS permission anonymized data proxy with user consent ● Route packages to local device ● 11,384 users from 100+ countries ● 14,599 apps ● 40,533 domains Correlate Information Flow with Contextual Info: Identify PII in payload ● Identity ● Location ● Contact list, SMS, call logs 8

  9. Ethical Consideration ● IRB approved ○ Not involving human subject, analyzing software, not users ● Informed consent on interception ● Allow to disable interception at any time ● Summarized and anonymized 9

  10. Discussion ● Is there any ethical problem with their approach? 10

  11. Comparison with Similar Studies Static Analysis: Recon: Lumen: Dynamic analysis: ● False positive ● Sending all device traffic ● Not real user engagement ● Capture user data locally on ● Scalability to a proxy server device ● Low coverage with automated ● Intercept at the server ● Correlate contextual ● Obfuscation UI execution tool side information (e.g., process ID) with flows Higher precision “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale ReCon: Revealing and Controlling PII Leaks in Mobile Network Systems 11

  12. Discussion ● What do you think of ReCon vs. this paper? Precision? 12

  13. Part 2: Classification on Third-party Domains 13

  14. Classifying the Destination Domain Baseline: leveraging publicly Their three-step approach available services/list ● Identifying third-party domain ● e.g., EasyList, OpenDNS by comparing TLS certificate domain tagger ● Identifying ATS domains with http://googleadsservices.com -> machine learning “Advertising” ● Identifying ATS-c from the rest Deficiency: low coverage which UID is sent to 14

  15. First Step: Identifying Third-Party Domains com.spotify.music com.accuweather.android com.facebook.katana com.htc.sense.hsp accuweather.com scorecardresearch.com graph.facebook.com crashlytics.com 15

  16. Second Step: Classifying ATS-domains ● Train an SVM classifier: ○ Feature ■ Front page content of the domain ■ Text scrapped from DuckDuckGo ● ○ Label ■ ATS: random samples from EasyList ■ non-ATS: random samples from alexa Top ● Added domains from service/lists, e.g., EasyList ● Evaluation: 200 predicted ATS, 100 predicted non-ATS ● 4% false positive, 10% false negative 16

  17. Discussion ● Identifying ATS-domains: ○ Data noise -> low precision? ■ Topic ATS: “ads”, “analytics”, “services” ■ Topic non-ATS: anything 17

  18. Third Step: Identifying ATS-c Domain ● Classify a domain as ATS-c if: ○ It is not ATS ○ Some user identifiers are sent to the domain 18

  19. Evaluation on Coverage 233 domains not covered by any list/service 19

  20. Part 3: Basic Analysis on ATS data 20

  21. UID harvesting ● 3rd party domain = 20% of all domains ● But they are responsible for 40% of UID harvesting ● Only 14.4% of all ATSes harvest UID from the device => other tracking e.g., HTTP headers, cookies ● Most commonly harvested data is Android ID ● Android ID should not be associated with any other PII in 34% cases 21

  22. Which Companies Own the Most ATSes? ● Map domains to parent company: 31% ○ D&B Hoovers, Crunchbase 0.35% Facebook Graph API 22

  23. Does Paid Apps Free You from Being Tracked? ● 82% apps connects to at least 1 ATS ● 29% apps connects to at least 5 ATSs ● Free apps: 2 ATSs, 1 ATS-c ● Paid apps: 1 ATS, 1 ATS-c ● Apps with In-app Purchase: 3 ATSs, 2 ATS-c 23

  24. Who Tracks You on Both Mobile and Web? ● Collect website tracking statistics from Alexa Top 1,000 ● Both mobile and web: ○ pagead2.googlesyndication.com ○ Googleads,g,doubleclick.net ● Web >> mobile: ○ www.youtube.com ○ www.google.com 24

  25. Where Did The Data Go Eventually? ● Privacy policy statement about data sharing 25

  26. Part 4: Analysis regarding Regulation Compliance 26

  27. General Data Protection Regulation ● European Union data protection law ● Protection of the data belonging to European users (EU) and European Economic Area (EEA) ● In effect since May 25, 2018 ● “Data protection by design and by default” (Article 25) 27

  28. GDPR Content Related to Mobile Security ● Explicit consent: ○ Must explicitly request user consent for accessing data (opt-in) ○ Explain the purpose with plain words ● Right to access/erasure: ○ Data processor must provide a copy of accessed user data ○ User can opt-out and require to erase the data at any time ● Transfer data outside Europe: ○ Strictly prohibited 28

  29. A Geographical View of Data Flow Germany Italy Spain Canada USA India Location of Lumen user ATS-related IP address USA 29

  30. Cross-Continent Flow Germany Spain Netherland 30

  31. A Different Measurement Result ● Browser information flow ● “Inaccurate geolocation on IP“ ○ Physical location of Google server -> Mountain View ○ Use Improved IP mapping ○ RIPE IPmap EU users are fine! Tracing Cross Border Web Tracking, IMC 2018 31

  32. GDPR Reception 32

  33. Google Ads Consent SDK 33

  34. Compliance to COPPA ● 88% Game & educational apps are under 13 ● Do not use less ATS/ATS-c 34

  35. Insights on Regulation Compliance ● Due to the opacity of ATS, it is difficult to uncover how organizations collect, store and share the data ● The clarity of GDPR needs further improvement ○ How consent must be obtained? Install-time permission OK? ○ How exact to withdraw the consent? Uninstall enough? ● User has no control of who has access to their data 35

  36. Future Work ● What is the impact of GDPR on ATS tracking? ● Do apps behave the same after opt-out? 36

  37. Takeaway ● ATS tracking are pervasive ● Big companies are the biggest data brokers ● You can get somewhat less tracking by paying for it ● Difficult to strictly enforce GDPR on ATS ● Would not judge individual compliance 37

  38. Questions? 38

Recommend

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang Zhenyu Li Minhui Xue Gareth Tyson Table of contents Why study the mobile app tracking in China? Dataset and methodology How

585 views • 26 slides
Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label

Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label

Strategic partnership with Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label Ferratums balance sheet Partners Ferratums technology and licence platform enables consumer- Mobile Financial

247 views • 9 slides
2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile

2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile

Internet and Mobile Services 2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile Ecosystem Mobile application frameworks Java 2 Micro Edition Configurations and profiles Optional packages

1.17k views • 79 slides
5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment

5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment

5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment Gr Graham Trickey Head of Internet of Things - GSMA MOBILE IoT FAST AND STRONG GROWTH COMMERCIAL First 3GPP Rel13 ECOSYSTEM 41

514 views • 8 slides
THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing

THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing

THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing companies from across the mobile ecosystem To advance, protect and champion mobile as an entertainment, engagement and commerce platform

300 views • 11 slides
Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary |

Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary |

Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary | www.SalientCRGT.com | 1 Customer Challenge Managing the work of a mobile, highly distributed workforce Controlling and tracking field operations

544 views • 5 slides
Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A

Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A

Tracking E-learning: Mobile Devices Interactive Advantage Corporation Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A Content | Integration | Consulting |Training | Support Tracking E-learning:

439 views • 8 slides
The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why a Mobile Application Code? Extend the NAI compliance program into the mobile application space Provide extra flexibility for this rapidly

319 views • 18 slides
Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF

Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF

Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF MOBILITY The productivity and profitability of a company relies on the functionality of its mobile solution. 2 Zebra Confidential: For

700 views • 10 slides
NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ

NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ

Proceedings on Privacy Enhancing Technologies ; 2020 (2):4566 Anastasia Shuba* and Athina Markopoulou NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ third-party ad- 1 Introduction vertising and

373 views • 22 slides
The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined

The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined

The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined Learning or training: knowledge construction, skill development and performance support Learners participate across locations, times and

398 views • 11 slides
CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video Playback, Presentation/Critique Guidelines Emmanuel Agu Tracking the Devices Location Location Tracking Outdoors: Uses GPS (More accurate)

955 views • 71 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

New Zealand Pilot Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS What are the ecosystem services that our Auckland water Clients impact on and depended on ? What risks and opportunities arise to

256 views • 9 slides
Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi Geoinformatics, Royal Institute of Technology KTH, Sweden Outline Spatial and temporal granularity in Location tracking location-dependant data

669 views • 51 slides
Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27,

Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27,

Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27, 2014 Agenda About Atlanta Mobile Atlanta -On Our Way to Becoming Global Smart City for Mobile by Mobilizing our ecosystem Strategic

444 views • 20 slides
Energy-efficient Trajectory Tracking for Mobile Devices Based on "Energy-efficient

Energy-efficient Trajectory Tracking for Mobile Devices Based on "Energy-efficient

Energy-efficient Trajectory Tracking for Mobile Devices Based on "Energy-efficient Trajectory Tracking for Mobile Devices" by M. B. Kjrgaard, Sourav Bhattacharya, Henrik Blunck, Petteri Nurmi Krzysztof Winiewski Trajectory

429 views • 40 slides
Ecosystem Restoration Kei Kabaya Institute for Global Environmental Strategies (IGES) 1

Ecosystem Restoration Kei Kabaya Institute for Global Environmental Strategies (IGES) 1

TEEB : Key Findings for Local Policy and Business Friday, 22 October 2010 Portfolio Analysis for Investment on Ecosystem Restoration Kei Kabaya Institute for Global Environmental Strategies (IGES) 1 Investment on Ecosystem and Modern

186 views • 6 slides
Group-IB Security Ecosystem Portfolio update Tim Bobak APAC Sales Director Group-IB Moneytaker

Group-IB Security Ecosystem Portfolio update Tim Bobak APAC Sales Director Group-IB Moneytaker

Group-IB Security Ecosystem Portfolio update Tim Bobak APAC Sales Director Group-IB Moneytaker Case Study Moneytaker Investigation Tracking started in Autumn of 2016 after first Russian Incident What happened after the breaches? Thefts from

765 views • 32 slides
Tracking Groups in Mobile Network Traces Kun Tu*, Bruno Ribeiro**, Ananthram Swami***, Don

Tracking Groups in Mobile Network Traces Kun Tu*, Bruno Ribeiro**, Ananthram Swami***, Don

Tracking Groups in Mobile Network Traces Kun Tu*, Bruno Ribeiro**, Ananthram Swami***, Don Towsley* *University of Massachusetts, Amherst **Purdue University ***Army Research Lab Presented by Gayane Vardoyan Groups in Mobile Network Trace

507 views • 23 slides
We now have a global tracking framework for SE4ALL Process of consensus building among 15

We now have a global tracking framework for SE4ALL Process of consensus building among 15

We now have a global tracking framework for SE4ALL Process of consensus building among 15 partner agencies and 100+ stakeholders in two rounds of public consultation Data platform 180+ countries covering 98% of global population 20

338 views • 30 slides
Ocean ecosystem conservation and seafood security for future generation A case study of

Ocean ecosystem conservation and seafood security for future generation A case study of

Ocean ecosystem conservation and seafood security for future generation A case study of ecosystem g y y approach to fisheries and the adaptive management of the Shiretoko World Natural Heritage Site g

950 views • 37 slides
ECOSYSTEM PRODUCTS FUTURE THE ECOSYSTEM TIZEN 2.1 ADDITIONAL HTML5 APIs RICH HOME

ECOSYSTEM PRODUCTS FUTURE THE ECOSYSTEM TIZEN 2.1 ADDITIONAL HTML5 APIs RICH HOME

ECOSYSTEM PRODUCTS FUTURE THE ECOSYSTEM TIZEN 2.1 ADDITIONAL HTML5 APIs RICH HOME SCREEN EXPERIENCE PERFORMANCE OPTIMIZATION MOBILE Tizen 2 New Major Features [Web] WebKit2 based web framework [Web] State-of-the-art

573 views • 35 slides
LERS: The Past, Present, and Future of the Global SER Network on Ecosystem and Landscape-Scale

LERS: The Past, Present, and Future of the Global SER Network on Ecosystem and Landscape-Scale

LERS: The Past, Present, and Future of the Global SER Network on Ecosystem and Landscape-Scale Restoration August 28, 2018 The Foundation of LERS Initiated in 2013 to be the connection between the National Conference on Ecosystem

213 views • 10 slides

More recommend