What Mobile Ads Know About Mobile Users • Sooel Son, joint work with Daehyeok Kim and Vitaly Shmatikov
Overview • Background – Mobile advertising library – Attack model: malicious advertiser • Information available to the attacker – Local file resources in Android devices • Inference attack via local resource oracle • Direct information leakage attack • Proposed defenses – User trajectories • Summary
1.8 million apps in Google Play Store (source: AppBrain) • 41% include at least one mobile advertising library (source: AppBrain) • Every third ad-supported app includes multiple advertising libraries (source: Shekhar et al., USENIX Security 2012)
[Figure labels: Web, Mobile, Ad library, Mobile app, Web browser]
[Figure labels: Mobile, Ad library, Mobile app]
What can malicious advertisers learn about mobile users? • Our focus • Prior research: Grace et al. [WiSec 2012], Stevens et al. [MoST 2012], Book et al. [MoST 2013], Shekhar et al. [Usenix 2012], …
Advertising services • Large businesses – AdMob (Google), MoPub (Twitter), AirPush, many others • Provide AdSDK libraries to 100,000s of developers • Millions of $ in revenue • Reputation at stake
Advertisers • Lots of fly-by-night operators • Ads resold via auctions, brokers, exchanges • No reputation at stake, no accountability • Dynamic filtering and sanitization are hard
Ad libraries must protect users from malicious advertising
Android AdSDK Software Stack • App developers include AdSDKs, add permissions for AdSDKs, repackage apps • App and AdSDK share the same privileges • App and Ad should NOT share the same privileges [Diagram labels: App, AdSDK, Ad]
Mobile ad impressions are sandboxed inside WebView
Standard Web same origin policy: JavaScript in a mobile ad cannot read or write content from other origins … can load (but not read!) files from external storage
Android External Storage • Can be read by any app with appropriate permissions • Media-rich mobile ads require access to external storage to cache images, video • Very weak access control for external storage – Any app can read any other app's files – But mobile ads are not apps. • Same origin policy: untrusted JavaScript cannot read ext-storage files … but can attempt to load them
Attack Model • Malicious advertiser • Cannot install apps • Cannot observe user's network traffic • Only payload: Ads • What can the attacker learn from user's device?
1-bit "local resource oracle": does a file with a given name exist in the device's external storage?
App for finding pharmacies, comparing drug prices (1 to 5 million installs in Google Play Store) • Bookmark functionality: thumbnail images of drugs that the user searched for cached in external storage
Any ad displayed in any other app on the same device can infer which drugs the user is taking • Does this file exist? file://sdcard/Android/data/com.goodrx/cache/uil-images/45704837
This app does not include advertising… … but ads shown in any app on the same device can use the presence of its cached files to infer user's secrets • Does not violate same origin policy
Why Is This Inference Possible? • Read vs. load of resources from different origins in JavaScript – Read: accessing the actual contents of a resource – Load: attaching a resource to a DOM object without accessing its content • SOP prevents JavaScript in ads from reading a cross-origin resource • However, loading a cross-origin resource is not prohibited
Dolphin mobile browser (50 to 100 million installs in Google Play Store) • To reduce bandwidth usage and response time, caches fetched images, HTML, and JavaScript in external storage
Any ad displayed in any other app on the same device can infer which sites user visited recently • Cached webpages
Direct Information Leakage • Malicious advertiser can read (not just load) all resources in external storage • setAllowUniversalAccessFromFileURLs • setAllowFileAccessFromFileURLs – Default is false since Android 4.0 – Once enabled, it allows reading local resources from any file scheme URL • D. Wu and R. Chang [ISC 2014, MoST 2015]
Our Study • Several major Android advertising libraries • "Local resource oracle" present in all of them • All acknowledged the issue, several fixed in their latest AdSDK releases
Defenses for AdSDK developers • Blocking any file access – WebSettings.setAllowFileAccess(false) – Limit direct access to files
Defenses for AdSDK developers (2) • Implement home-brewed ACLs
    public WebResourceResponse shouldInterceptRequest(WebView view, String Url) {
        Uri givenUri = Uri.parse(Url);
        // getPath() returns null for opaque URIs, so check before comparing
        String givenPath = givenUri.getPath();
        if (givenPath != null && givenPath.startsWith(JAIL_PREFIX)) {
            // If givenPath is a subdirectory of JAIL_PREFIX, request is granted
            …
        }
    }
– ACLs based on file paths – Do not block other links to local resources
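Added example (not from the slides or from any AdSDK): the path ACL above compares raw strings, so this plain-Java version canonicalizes both the requested path and the jail root and then compares whole path components. The class name, the JAIL_PREFIX value and the sample URLs are assumptions; in an AdSDK the check would be called from shouldInterceptRequest.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

public class AdFileJail {
    // Assumed value: the slides name JAIL_PREFIX but do not define it.
    static final String JAIL_PREFIX = "/sdcard/Android/data/com.example.adsdk/cache";

    /** Returns true only if a file: URL resolves to a path inside JAIL_PREFIX. */
    static boolean isInsideJail(String url) {
        try {
            URI uri = new URI(url);
            if (!"file".equalsIgnoreCase(uri.getScheme()) || uri.getPath() == null) {
                return false; // this ACL only ever grants file: URLs
            }
            // getPath() percent-decodes; getCanonicalPath() collapses "." and ".."
            // and resolves symlinks. The jail root is canonicalized the same way,
            // since /sdcard is itself a symlink on many devices.
            String jail = new File(JAIL_PREFIX).getCanonicalPath();
            String requested = new File(uri.getPath()).getCanonicalPath();
            // Compare whole path components so "/cache-other" cannot match "/cache".
            return requested.equals(jail)
                    || requested.startsWith(jail + File.separator);
        } catch (URISyntaxException | IOException e) {
            return false; // unparsable or unresolvable URL: deny
        }
    }

    public static void main(String[] args) {
        String base = "file://" + JAIL_PREFIX;
        String[] constructed = { // constructed sample URLs
            base + "/banner.png",                    // inside the jail
            base + "/../../com.other.app/cache/img", // dot-segments leave the jail
            base + "/%2e%2e/%2e%2e/img",             // same, percent-encoded
            base + "-other/img",                     // sibling sharing the string prefix
            "https://ads.example.net/creative.js",   // not a file: URL
        };
        for (String u : constructed) {
            System.out.println((isInsideJail(u) ? "GRANT " : "DENY  ") + u);
        }
    }
}
```

Only the first constructed URL is granted. On a device, a denied file: request would be answered from shouldInterceptRequest with an empty WebResourceResponse instead of being passed to the default loader.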
Tracking in Android: Cookies do not serve their purpose • Permanent ID: Android ID, MAC address, IMEI, IMSI and others • Pseudonymous ID: Google Advertising ID (GAID) • Location data: IP address, coarse- or fine-grained GPS data
Location Data Paired with IDs • Can infer partial user trajectory – Advertising service providers – Advertisers?
How does location information about the user flow from AdSDK to advertisers?
<Ad ID, fine grained location, time> <Ad ID, fine grained location, time> … • Location trajectories are strong signals to identify individuals
Summary • First study of how Android advertising services protect users from malicious advertising • Standard Web same origin policy is no longer secure in the mobile context – Mere existence of a certain file in external storage can reveal sensitive information about the user – Direct information leakage • Malicious advertisers may access trajectories, privacy-sensitive info and infer the identities.
Thank you.
• Tested 4 popular AdSDKs by following the default guideline with FINE_LOCATION permission. • Inconsistent information availability between AdSDK providers and advertisers across different vendors.
Flow of User's Location in MoPub