a global study of the mobile tracking ecosystem ndss18
play

A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas - PowerPoint PPT Presentation

Apr 20, 2023 •368 likes •751 views

A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill Presenter: Xueqing Liu 1 Mobile Tracking 2 Mobile

  1. A Global Study of the Mobile Tracking Ecosystem (NDSS18) Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill Presenter: Xueqing Liu 1

  2. Mobile Tracking 2

  3. Mobile Tracking 3

  4. How Are Users Tracked by Third-Party Services ? Advertising and Tracking Services Advertising and Tracking (ATS) Services - capable (ATS-c) 4

  5. Monetization with Advertising ● 94% free apps 33 billion 5

  6. Violation of Least-Privileged Principle Opacity to user: Permission Permission Permission ● Which 3rd party services 1 2 3 ● How sensitive data are App 1 yes yes handled Bring Transparency to the Ecosystem! ● Whether eventually shared with a 4th party App 2 yes yes 6

  7. Part 1: Data Collection through Crowdsourcing 7

  8. ● Leverage Android VPN ● Send summarized and ● Intercept traffic via TLS permission anonymized data proxy with user consent ● Route packages to local device ● 11,384 users from 100+ countries ● 14,599 apps ● 40,533 domains Correlate Information Flow with Contextual Info: Identify PII in payload ● Identity ● Location ● Contact list, SMS, call logs 8

  9. Ethical Consideration ● IRB approved ○ Not involving human subject, analyzing software, not users ● Informed consent on interception ● Allow to disable interception at any time ● Summarized and anonymized 9

  10. Discussion ● Is there any ethical problem with their approach? 10

  11. Comparison with Similar Studies Static Analysis: Recon: Lumen: Dynamic analysis: ● False positive ● Sending all device traffic ● Not real user engagement ● Capture user data locally on ● Scalability to a proxy server device ● Low coverage with automated ● Intercept at the server ● Correlate contextual ● Obfuscation UI execution tool side information (e.g., process ID) with flows Higher precision “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale ReCon: Revealing and Controlling PII Leaks in Mobile Network Systems 11

  12. Discussion ● What do you think of ReCon vs. this paper? Precision? 12

  13. Part 2: Classification on Third-party Domains 13

  14. Classifying the Destination Domain Baseline: leveraging publicly Their three-step approach available services/list ● Identifying third-party domain ● e.g., EasyList, OpenDNS by comparing TLS certificate domain tagger ● Identifying ATS domains with http://googleadsservices.com -> machine learning “Advertising” ● Identifying ATS-c from the rest Deficiency: low coverage which UID is sent to 14

  15. First Step: Identifying Third-Party Domains com.spotify.music com.accuweather.android com.facebook.katana com.htc.sense.hsp accuweather.com scorecardresearch.com graph.facebook.com crashlytics.com 15

  16. Second Step: Classifying ATS-domains ● Train an SVM classifier: ○ Feature ■ Front page content of the domain ■ Text scrapped from DuckDuckGo ● ○ Label ■ ATS: random samples from EasyList ■ non-ATS: random samples from alexa Top ● Added domains from service/lists, e.g., EasyList ● Evaluation: 200 predicted ATS, 100 predicted non-ATS ● 4% false positive, 10% false negative 16

  17. Discussion ● Identifying ATS-domains: ○ Data noise -> low precision? ■ Topic ATS: “ads”, “analytics”, “services” ■ Topic non-ATS: anything 17

  18. Third Step: Identifying ATS-c Domain ● Classify a domain as ATS-c if: ○ It is not ATS ○ Some user identifiers are sent to the domain 18

  19. Evaluation on Coverage 233 domains not covered by any list/service 19

  20. Part 3: Basic Analysis on ATS data 20

  21. UID harvesting ● 3rd party domain = 20% of all domains ● But they are responsible for 40% of UID harvesting ● Only 14.4% of all ATSes harvest UID from the device => other tracking e.g., HTTP headers, cookies ● Most commonly harvested data is Android ID ● Android ID should not be associated with any other PII in 34% cases 21

  22. Which Companies Own the Most ATSes? ● Map domains to parent company: 31% ○ D&B Hoovers, Crunchbase 0.35% Facebook Graph API 22

  23. Does Paid Apps Free You from Being Tracked? ● 82% apps connects to at least 1 ATS ● 29% apps connects to at least 5 ATSs ● Free apps: 2 ATSs, 1 ATS-c ● Paid apps: 1 ATS, 1 ATS-c ● Apps with In-app Purchase: 3 ATSs, 2 ATS-c 23

  24. Who Tracks You on Both Mobile and Web? ● Collect website tracking statistics from Alexa Top 1,000 ● Both mobile and web: ○ pagead2.googlesyndication.com ○ Googleads,g,doubleclick.net ● Web >> mobile: ○ www.youtube.com ○ www.google.com 24

  25. Where Did The Data Go Eventually? ● Privacy policy statement about data sharing 25

  26. Part 4: Analysis regarding Regulation Compliance 26

  27. General Data Protection Regulation ● European Union data protection law ● Protection of the data belonging to European users (EU) and European Economic Area (EEA) ● In effect since May 25, 2018 ● “Data protection by design and by default” (Article 25) 27

  28. GDPR Content Related to Mobile Security ● Explicit consent: ○ Must explicitly request user consent for accessing data (opt-in) ○ Explain the purpose with plain words ● Right to access/erasure: ○ Data processor must provide a copy of accessed user data ○ User can opt-out and require to erase the data at any time ● Transfer data outside Europe: ○ Strictly prohibited 28

  29. A Geographical View of Data Flow Germany Italy Spain Canada USA India Location of Lumen user ATS-related IP address USA 29

  30. Cross-Continent Flow Germany Spain Netherland 30

  31. A Different Measurement Result ● Browser information flow ● “Inaccurate geolocation on IP“ ○ Physical location of Google server -> Mountain View ○ Use Improved IP mapping ○ RIPE IPmap EU users are fine! Tracing Cross Border Web Tracking, IMC 2018 31

  32. GDPR Reception 32

  33. Google Ads Consent SDK 33

  34. Compliance to COPPA ● 88% Game & educational apps are under 13 ● Do not use less ATS/ATS-c 34

  35. Insights on Regulation Compliance ● Due to the opacity of ATS, it is difficult to uncover how organizations collect, store and share the data ● The clarity of GDPR needs further improvement ○ How consent must be obtained? Install-time permission OK? ○ How exact to withdraw the consent? Uninstall enough? ● User has no control of who has access to their data 35

  36. Future Work ● What is the impact of GDPR on ATS tracking? ● Do apps behave the same after opt-out? 36

  37. Takeaway ● ATS tracking are pervasive ● Big companies are the biggest data brokers ● You can get somewhat less tracking by paying for it ● Difficult to strictly enforce GDPR on ATS ● Would not judge individual compliance 37

  38. Questions? 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang

Exploring the Eastern Frontier: A First Look at Mobile App Tracking in China Zhaohua Wang Zhenyu Li Minhui Xue Gareth Tyson Table of contents Why study the mobile app tracking in China? Dataset and methodology How

585 views • 26 slides
Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label

Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label

Strategic partnership with Thomas Cook Money 1 1 Ferratums Mobile Bank ecosystem Global scalability beyond White Label Ferratums balance sheet Partners Ferratums technology and licence platform enables consumer- Mobile Financial

247 views • 9 slides
2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile

2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile

Internet and Mobile Services 2 The Mobile Ecosystem and Java 2 Micro Edition F. Ricci 2010/2011 Content Mobile Ecosystem Mobile application frameworks Java 2 Micro Edition Configurations and profiles Optional packages

1.17k views • 79 slides
5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment

5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment

5 6 6 th Mobile IoT Summit Graham Trickey GSMA 6 th Mobile IoT Summit Scaling Global Deployment Gr Graham Trickey Head of Internet of Things - GSMA MOBILE IoT FAST AND STRONG GROWTH COMMERCIAL First 3GPP Rel13 ECOSYSTEM 41

514 views • 8 slides
THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing

THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing

THE YEAR AHEAD Mobile Content and Commerce Trends 2014 Global trade association representing companies from across the mobile ecosystem To advance, protect and champion mobile as an entertainment, engagement and commerce platform

300 views • 11 slides
Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary |

Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary |

Mobile Device Integration Enhances Geo-Spatial Tracking | Salient CRGT Proprietary | www.SalientCRGT.com | 1 Customer Challenge Managing the work of a mobile, highly distributed workforce Controlling and tracking field operations

544 views • 5 slides
Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A

Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A

Tracking E-learning: Mobile Devices Interactive Advantage Corporation Tracking E-learning: Mobile Devices Dispelling the myth Key terms Models and examples Q & A Content | Integration | Consulting |Training | Support Tracking E-learning:

439 views • 8 slides
The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why

The NAI Mobile Application Code: Extending Third-Party Compliance into the Mobile Ecosystem Why a Mobile Application Code? Extend the NAI compliance program into the mobile application space Provide extra flexibility for this rapidly

319 views • 18 slides
Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF

Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF

Mobility DNA AN ENTERPRISE MOBILITY ECOSYSTEM EMC Global Marketing April, 2015 THE REALITY OF MOBILITY The productivity and profitability of a company relies on the functionality of its mobile solution. 2 Zebra Confidential: For

700 views • 10 slides
NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ

NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ

Proceedings on Privacy Enhancing Technologies ; 2020 (2):4566 Anastasia Shuba* and Athina Markopoulou NoMoATS: Towards Automatic Detection of Mobile Tracking Abstract: Todays mobile apps employ third-party ad- 1 Introduction vertising and

373 views • 22 slides
The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined

The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined

The Mobile Learning Ecosystem Dr. Agnieszka (Aga) Palalas October 2013 Mobile Learning Defined Learning or training: knowledge construction, skill development and performance support Learners participate across locations, times and

398 views • 11 slides
CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video

CS 528 Mobile and Ubiquitous Computing Lecture 6: Tracking Location, Maps, Services, Audio/Video Playback, Presentation/Critique Guidelines Emmanuel Agu Tracking the Devices Location Location Tracking Outdoors: Uses GPS (More accurate)

955 views • 71 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS

New Zealand Pilot Corporate Ecosystem Services Review URS Case Study December 17, 2012 CASE STUDY QUESTIONS What are the ecosystem services that our Auckland water Clients impact on and depended on ? What risks and opportunities arise to

256 views • 9 slides
Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi

Mobility Collector Battery Conscious Mobile Tracking Adrian C. Prelipcean , Gyz Gidfalvi Geoinformatics, Royal Institute of Technology KTH, Sweden Outline Spatial and temporal granularity in Location tracking location-dependant data

669 views • 51 slides
Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27,

Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27,

Metro Atlanta Becoming a Global Hub for Mobility GSMA-Smart Cities North America February 27, 2014 Agenda About Atlanta Mobile Atlanta -On Our Way to Becoming Global Smart City for Mobile by Mobilizing our ecosystem Strategic

444 views • 20 slides
Annoucements Next Thursday: Chris software overview Reading: Henrik Wann Jensen,

Annoucements Next Thursday: Chris software overview Reading: Henrik Wann Jensen,

Annoucements Next Thursday: Chris software overview Reading: Henrik Wann Jensen, "Global Illumination using Photon Maps," In "Rendering Techniques '96". Eds. X. Pueyo and P. Schrder. Springer-Verlag, pp. 21-30, 1996

959 views • 50 slides
DIVIDE: ADAPTIVE CONTEXT-AWARE QUERY DERIVATION FOR IOT DATA STREAMS Mathias De Brouwer Sensors

DIVIDE: ADAPTIVE CONTEXT-AWARE QUERY DERIVATION FOR IOT DATA STREAMS Mathias De Brouwer Sensors

DIVIDE: ADAPTIVE CONTEXT-AWARE QUERY DERIVATION FOR IOT DATA STREAMS Mathias De Brouwer Sensors and Actuators on the Web (SAW) workshop ISWC 2019 Auckland, New Zealand 26 October 2019 CONTEXT-AWARE MONITORING IN I O T Wearable Motion

1.15k views • 75 slides
Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of

Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of

Designing for Pragmatists and Fundamentalists: Privacy Concerns and Attitudes on the Internet of Things The Rise of the INTERNET OF THINGS Internet of Things (IoT) A two-sided technology UTILITY RISK Privacy The right to be let alone

926 views • 20 slides
ROLE OF OER IN CA ADULT ED CALIFORNIA AE TEACHERS This Photo by Unknown

ROLE OF OER IN CA ADULT ED CALIFORNIA AE TEACHERS This Photo by Unknown

ROLE OF OER IN CA ADULT ED CALIFORNIA AE TEACHERS This Photo by Unknown Author is licensed under CC BY ROLE OF OER IN CA ADULT ED INITIAL ATTITUDE This Photo by Unknown Author is licensed under CC BY-SA-NC ROLE OF OER IN CA

574 views • 28 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides
workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property

workflow: workflow: QSPR = Quantitative Structure Property Relationship workflow: workflow: 1600 1500 1400 1300 1200 1100 1000 900 mass (Da) 800 700 600 500 400 300 200 100 0 -5 -4 -3 -2 -1

793 views • 33 slides
Overview Perimenopause-related mood disturbance 1. Depressive symptoms vs. clinical depression

Overview Perimenopause-related mood disturbance 1. Depressive symptoms vs. clinical depression

Overview Perimenopause-related mood disturbance 1. Depressive symptoms vs. clinical depression Depression in the Menopause Transition: Role of Female Reproductive Hormones, Hot Flashes, and Sleep 2. Causal factors Prior depression Hadine

336 views • 6 slides
ANVISA's current practice and challenges in the evaluation of dissolution profile comparisons in

ANVISA's current practice and challenges in the evaluation of dissolution profile comparisons in

ANVISA's current practice and challenges in the evaluation of dissolution profile comparisons in support of minor/moderate product quality changes Case Studies Victor Gomes Pereira Outline 1) Short overview of Anvisas Dissolution

359 views • 33 slides

More recommend