free for all assessing user data exposure to advertising
play

Free for All! Assessing User Data Exposure to Advertising Libraries - PowerPoint PPT Presentation

Nov 01, 2023 •109 likes •396 views

Free for All! Assessing User Data Exposure to Advertising Libraries on Android Soteris Demetriou, Whitney Merrill, Wei Yang, Aston Zhang, Carl Gunter University of Illinois at Urbana - Champaign Approach Approach GOAL: Assess the RISK of

  1. Free for All! Assessing User Data Exposure to Advertising Libraries on Android Soteris Demetriou, Whitney Merrill, Wei Yang, Aston Zhang, Carl Gunter University of Illinois at Urbana - Champaign

  2. Approach

  3. Approach • GOAL: Assess the RISK of integrating advertising libraries in Android apps • RISK: Potential compromise of an asset as a result of an exploit of a vulnerability by a threat . All the different ways an ad library can access private user Private User Data data Ad Library

  4. Approach OUT-APP IN-APP EXPOSURE EXPOSURE Host app API API FILES Ad Library

  5. Is there any interesting information in local files? FILES

  6. Motivation: in-app FILES I’m Pregnant / Pregnancy App • Weight • Symptoms (headaches, backache, cons9pa9on) • Height • Events (date of intercourse) • Pregnancy month and day • Outcomes (miscarriage, birth date)

  7. Motivation: in-app FILES Diabetes Journal • Birth date • Weight • Gender • Height • First name • Blood glucose levels • Last name • Workout ac9vi9es

  8. Motivation: in-app FILES Diabetes Journal • There is a plethora of private user information in app local files. • It is trivial for ad libraries to access such information. • Birth date • Weight • Gender • Height • First name • Blood glucose levels • Last name • Workout ac9vi9es

  9. Are ad libraries interested in app bundles?

  10. Motivation: out-app API METHODOLOGY RESULTS • Call graphs on 2700 Google Play apps • 2535 unique apps • getInstalledPackages (gIP) • 27.5% contain at least one invocation of gIP or gIA • getInstalledApplications (gIA) • 12.54% contain an ad library that invokes gIP • Manual analysis of packages containing gIP or gIA and gIA • 28 unique ad libraries

  11. Motivation: out-app API METHODOLOGY RESULTS • Call graphs on 2700 Google Play apps • 2535 unique apps Ad Libraries are increasingly collecting app bundles from • getInstalledPackages (gIP) • 27.5% contain at least one invocation of gIP or gIA user devices. • getInstalledApplications (gIA) • 12.54% contain an ad library that invokes gIP • Manual analysis of packages containing gIP or gIA and gIA • 28 unique ad libraries

  12. What can ad libraries learn from app bundles?

  13. Motivation: out-app Ground Truth collection: Private User Data Question 1 • Question 2 • … • Random ID

  14. Motivation: out-app Ground Truth collection: Private User Data Question 1 • Question 2 • … • 243 approved users Random ID 1985 distinct apps

  15. Evaluation: out-app AGE MARITAL STATUS SEX P (%) R (%) P (%) R (%) P (%) R (%) Random 88.6 88.6 95.0 93.8 93.8 92.9 Forest SVM 44.8 35.4 66.9 50.5 80.9 70.1 KNN 85.7 83.6 92.5 91.2 91.6 89.9 P: Precision R: Recall

  16. Pluto Risk Assessment Framework

  17. Pluto Design PURPOSE: “offline” estimation of the private user data a target app can expose to an embedded ad library that utilizes: • in-app attack channels • out-app attack channels [please see the paper for details]

  18. Pluto Design: in-app exposure discovery MONKEY DB DB XML XML JSON U GENERIC MANIFEST Layout Strings DECOMPILER MANIFEST Miners Matching Dynamic Analysis Module Goals

  19. Evaluation

  20. Evaluation Ground Truth collection: Data Points

  21. Evaluation: in-app Ground Truth collection: Manual construction of L1 and L2 Name Number Description Unique apps collected from the 27 Google Play Full Dataset (FD) 2535 categories Level 1 Dataset (L1) 262 Apps randomly selected from FD Level 2 Dataset (L2) 35 Apps purposively selected from L1

  22. Evaluation: in-app AGE GENDER 1" 1" 0.9" 0.9" 0.8" 0.8" 0.7" 0.7" 0.6" 0.6" L1" L1" 0.5" 0.5" L2" L2" 0.4" 0.4" 0.3" 0.3" 0.2" 0.2" 0.1" 0.1" 0" 0" PRECISION" RECALL" PRECISION" RECALL" WORKOUT ADDRESS 1" 1" 0.9" 0.9" 0.8" 0.8" 0.7" 0.7" L1" 0.6" 0.6" L1" L1:MMiner" 0.5" 0.5" L2" L2" 0.4" 0.4" 0.3" 0.3" L2:Mminer" 0.2" 0.2" 0.1" 0.1" 0" 0" PRECISION" RECALL" PRECISION" RECALL"

  23. Privacy Risk App Ranking

  24. Utility: assessing the risk with Pluto • D: set of data points in cost model (e.g. Financial Times) • X: set of data point weights in the cost model • |D| = |X| = n • α : target app • x α : sum of all weights of data points exposed by α risk score:

  25. Utility: assessing the risk with Pluto RISK SCORE CATEGORY APP TITLE AVG # INSTALLS [ 0 - 10 ] MEDICAL Depression CBT Self-Help Guide 100K - 500K 8.14 MEDICAL Prognosis: Your Diagnosis 500K - 1M 6.31 HEALTH & Dream Body Workout Plan 100K - 500K 7.33 FITNESS HEALTH & myCigna 100K - 500K 5.62 FITNESS

  26. Utility: assessing the risk with Pluto RISK SCORE CATEGORY APP TITLE AVG # INSTALLS [ 0 - 10 ] MEDICAL Depression CBT Self-Help Guide 100K - 500K 8.14 MEDICAL Prognosis: Your Diagnosis 500K - 1M 6.31 HEALTH & Dream Body Workout Plan 100K - 500K 7.33 FITNESS HEALTH & exposes 16 data points myCigna 100K - 500K 5.62 FITNESS depression, headache, pregnancy,…

  27. Summary • Apps store an abundance of private user data in local files. • Revealed a trend of aggressive collection of app bundles. • New techniques for assessing user sensitive information exposure to libraries. [not covered in this talk] • Designed a tool (Pluto) to automatically assess the data exposure risk to third-party libraries by apps at scale. • Pluto is evaluated on real world apps and user data and evidently achieves good prediction performance.

  28. Thank You! Source code is available online at: https://github.com/soteris/android- advertising-pluto

Recommend

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Assessing the impact of a health intervention via

Assessing the impact of a health intervention via

Assessing the impact of a health intervention via user-generated Internet data Data Mining and Knowledge Discovery 29(5), pp. 14341457, 2015 Vasileios Lampos

449 views • 42 slides
Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge,

Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge,

Southcentral Foundation; Anchorage, Alaska Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge, Nikolina Golob, Pharm.D., MBA attitudes, and barriers from providers, nurse case managers, and

383 views • 15 slides
Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias

Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias

Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias Voetz 2 , Heinz-Jrgen Kiesling 2 1 Philips Research Laboratories; Eindhoven 2 Bayer Technology Services; Leverkusen 4 November, 2008 Current

541 views • 15 slides
Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented

Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented

Dissemination Seminar of the Study Findings on Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented by IEM Unit of DGFP Study Conducted by Department of Population Sciences University of Dhaka,

721 views • 60 slides
Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk Kevin&Lindsay Deputy&Head&of&Financial&Crime&Group

374 views • 10 slides
Assessing exposure to occupational chemicals in large-scale epidemiological studies on

Assessing exposure to occupational chemicals in large-scale epidemiological studies on

Assessing exposure to occupational chemicals in large-scale epidemiological studies on occupational cancers Hans Kromhout Institute for Risk Assessment Sciences Utrecht University, Utrecht, the Netherlands Industrial Cohort Study European

842 views • 45 slides
Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison

Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison

Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison F. Marill Alexis J. Cooper Ramya B. Ramakrishna Jay D. Feinstein Teleah I. Slater Annie E. Fortnow Cassidy L. Tatun Omkar A. Kulkarni Raymond

657 views • 24 slides
An overview of a simulation approach to assessing environmental risk of sound exposure to marine

An overview of a simulation approach to assessing environmental risk of sound exposure to marine

An overview of a simulation approach to assessing environmental risk of sound exposure to marine mammals. Dr. C. Donovan [C. Harris, L. Marshall, L. Milazzo, R. Williams & J. Harwood] Centre for Research into Ecological and Environmental

433 views • 27 slides
(ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING)

(ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING)

LECTURE 11. BUSINESS STRATEGY-ADVERTISING (ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING) Konstantinos Kounetas School of Business Administration Department of Economics Master of Science in Applied

374 views • 25 slides
Assessing the utility of electronic health records and health care claims data to determine

Assessing the utility of electronic health records and health care claims data to determine

Assessing the utility of electronic health records and health care claims data to determine potential health impacts associated with opportunities for exposure to environmental contaminants NAHDO 2020 35 th Annual Conference August 25 th , 2020

172 views • 13 slides
Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob

Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob

Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob Collis Correct An exposure that achieves the desired effect ! Exposure: Taking Control of Exposure A S Camera uses factory User sets ISO and

439 views • 21 slides
USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, .

USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, .

USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, . V. Arsiriy, . . rsiriy AGENDA Introduction Informational technology of AD delivery for RTB User identification on DSP side

145 views • 12 slides
Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital

Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital

Equinet Academy Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital Advertising Framework Determine Campaign Analyse & Digital Setup & Gather Data Optimise Define Marketing

1.6k views • 110 slides
UC San Diego 1 Many Web services today are free/open access Supported by advertising

UC San Diego 1 Many Web services today are free/open access Supported by advertising

Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker UC San Diego 1 Many Web services today are free/open access Supported by advertising revenue Reaching critical mass requires low barrier to entry

443 views • 41 slides
Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is

Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is

THE ROLLING GEEKS TOUR Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is an exciting new business starting up in Maltas historical harbour area, covering Senglea, Vittoriosa, Cospicua and Kalkara.

253 views • 8 slides
CS 277, Data Mining Web Data Analysis: Part 2, Advertising Padhraic Smyth Department of Computer

CS 277, Data Mining Web Data Analysis: Part 2, Advertising Padhraic Smyth Department of Computer

CS 277, Data Mining Web Data Analysis: Part 2, Advertising Padhraic Smyth Department of Computer Science Bren School of Information and Computer Sciences University of California, Irvine 3 Internet Advertising, Bids, and Auctions Padhraic

1.31k views • 82 slides
No Safe Level of Exposure: EPAs Human Experiments With Par=culate Ma@er Presenta(on to

No Safe Level of Exposure: EPAs Human Experiments With Par=culate Ma@er Presenta(on to

No Safe Level of Exposure: EPAs Human Experiments With Par=culate Ma@er Presenta(on to the Na(onal Academy of Sciences Commi7ee on Assessing Toxicologic Risks to Human Subjects Used in Controlled Exposure Studies of Environmental

849 views • 70 slides
IMC and Advertising Discussion Results How can we measure the success of a marketing

IMC and Advertising Discussion Results How can we measure the success of a marketing

IMC and Advertising Discussion Results How can we measure the success of a marketing communication strategy? Traditional media Frequency of exposure Reach (% target population exposed) Gross Rating Points (GRP) E.g., 7 Ads in

572 views • 24 slides
Diffusion of User Tracking Data in the Online Advertising Ecosystem Muhammad Ahmad Bashir and

Diffusion of User Tracking Data in the Online Advertising Ecosystem Muhammad Ahmad Bashir and

Diffusion of User Tracking Data in the Online Advertising Ecosystem Muhammad Ahmad Bashir and Christo Wilson Your Digital Privacy Footprint 2 Your Digital Privacy Footprint 2 Your Digital Privacy Footprint 2 Your Digital Privacy

1.13k views • 112 slides
Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface

Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface

Exposure Routes Internal and External Exposure External exposure Internal exposure Body surface From outer space contamination and the sun Inhalation Suspended Food and drink matters consumption Lungs From a radiation generator

180 views • 5 slides
Exposure Assessment in Personal Injury Litigation: Challenging the Data however, it is probably

Exposure Assessment in Personal Injury Litigation: Challenging the Data however, it is probably

9 real conclusion as to what level of exposure the person experienced. Although might be established. ExPOSURE ASSESSMENT METHODOLOGIES Personal testimony. A plaintiff may simply say, I ate it, I drank it, or I breathed it.

264 views • 4 slides
Breaking for Commercials: Characterizing Mobile Advertising Yejin Li Electrical and Computer

Breaking for Commercials: Characterizing Mobile Advertising Yejin Li Electrical and Computer

Breaking for Commercials: Characterizing Mobile Advertising Yejin Li Electrical and Computer Engineering Dept. Worcester Polytechnic Institute (WPI) Mobile Phone Advertising FREE Apps always come with different ads, which can be really annoying

551 views • 17 slides
Research Fro rontier of f Real-Time Bid idding based Dis ispla lay Advertising Weinan Zhang

Research Fro rontier of f Real-Time Bid idding based Dis ispla lay Advertising Weinan Zhang

Research Fro rontier of f Real-Time Bid idding based Dis ispla lay Advertising Weinan Zhang University College London w.zhang@cs.ucl.ac.uk http://www0.cs.ucl.ac.uk/staff/w.zhang August 2015 Bas asic RTB Pro rocess Data User

941 views • 47 slides

More recommend