free for all assessing user data exposure to advertising
play

Free for All! Assessing User Data Exposure to Advertising Libraries - PowerPoint PPT Presentation

Nov 01, 2023 •109 likes •396 views

Free for All! Assessing User Data Exposure to Advertising Libraries on Android Soteris Demetriou, Whitney Merrill, Wei Yang, Aston Zhang, Carl Gunter University of Illinois at Urbana - Champaign Approach Approach GOAL: Assess the RISK of

  1. Free for All! Assessing User Data Exposure to Advertising Libraries on Android Soteris Demetriou, Whitney Merrill, Wei Yang, Aston Zhang, Carl Gunter University of Illinois at Urbana - Champaign

  2. Approach

  3. Approach • GOAL: Assess the RISK of integrating advertising libraries in Android apps • RISK: Potential compromise of an asset as a result of an exploit of a vulnerability by a threat . All the different ways an ad library can access private user Private User Data data Ad Library

  4. Approach OUT-APP IN-APP EXPOSURE EXPOSURE Host app API API FILES Ad Library

  5. Is there any interesting information in local files? FILES

  6. Motivation: in-app FILES I’m Pregnant / Pregnancy App • Weight • Symptoms (headaches, backache, cons9pa9on) • Height • Events (date of intercourse) • Pregnancy month and day • Outcomes (miscarriage, birth date)

  7. Motivation: in-app FILES Diabetes Journal • Birth date • Weight • Gender • Height • First name • Blood glucose levels • Last name • Workout ac9vi9es

  8. Motivation: in-app FILES Diabetes Journal • There is a plethora of private user information in app local files. • It is trivial for ad libraries to access such information. • Birth date • Weight • Gender • Height • First name • Blood glucose levels • Last name • Workout ac9vi9es

  9. Are ad libraries interested in app bundles?

  10. Motivation: out-app API METHODOLOGY RESULTS • Call graphs on 2700 Google Play apps • 2535 unique apps • getInstalledPackages (gIP) • 27.5% contain at least one invocation of gIP or gIA • getInstalledApplications (gIA) • 12.54% contain an ad library that invokes gIP • Manual analysis of packages containing gIP or gIA and gIA • 28 unique ad libraries

  11. Motivation: out-app API METHODOLOGY RESULTS • Call graphs on 2700 Google Play apps • 2535 unique apps Ad Libraries are increasingly collecting app bundles from • getInstalledPackages (gIP) • 27.5% contain at least one invocation of gIP or gIA user devices. • getInstalledApplications (gIA) • 12.54% contain an ad library that invokes gIP • Manual analysis of packages containing gIP or gIA and gIA • 28 unique ad libraries

  12. What can ad libraries learn from app bundles?

  13. Motivation: out-app Ground Truth collection: Private User Data Question 1 • Question 2 • … • Random ID

  14. Motivation: out-app Ground Truth collection: Private User Data Question 1 • Question 2 • … • 243 approved users Random ID 1985 distinct apps

  15. Evaluation: out-app AGE MARITAL STATUS SEX P (%) R (%) P (%) R (%) P (%) R (%) Random 88.6 88.6 95.0 93.8 93.8 92.9 Forest SVM 44.8 35.4 66.9 50.5 80.9 70.1 KNN 85.7 83.6 92.5 91.2 91.6 89.9 P: Precision R: Recall

  16. Pluto Risk Assessment Framework

  17. Pluto Design PURPOSE: “offline” estimation of the private user data a target app can expose to an embedded ad library that utilizes: • in-app attack channels • out-app attack channels [please see the paper for details]

  18. Pluto Design: in-app exposure discovery MONKEY DB DB XML XML JSON U GENERIC MANIFEST Layout Strings DECOMPILER MANIFEST Miners Matching Dynamic Analysis Module Goals

  19. Evaluation

  20. Evaluation Ground Truth collection: Data Points

  21. Evaluation: in-app Ground Truth collection: Manual construction of L1 and L2 Name Number Description Unique apps collected from the 27 Google Play Full Dataset (FD) 2535 categories Level 1 Dataset (L1) 262 Apps randomly selected from FD Level 2 Dataset (L2) 35 Apps purposively selected from L1

  22. Evaluation: in-app AGE GENDER 1" 1" 0.9" 0.9" 0.8" 0.8" 0.7" 0.7" 0.6" 0.6" L1" L1" 0.5" 0.5" L2" L2" 0.4" 0.4" 0.3" 0.3" 0.2" 0.2" 0.1" 0.1" 0" 0" PRECISION" RECALL" PRECISION" RECALL" WORKOUT ADDRESS 1" 1" 0.9" 0.9" 0.8" 0.8" 0.7" 0.7" L1" 0.6" 0.6" L1" L1:MMiner" 0.5" 0.5" L2" L2" 0.4" 0.4" 0.3" 0.3" L2:Mminer" 0.2" 0.2" 0.1" 0.1" 0" 0" PRECISION" RECALL" PRECISION" RECALL"

  23. Privacy Risk App Ranking

  24. Utility: assessing the risk with Pluto • D: set of data points in cost model (e.g. Financial Times) • X: set of data point weights in the cost model • |D| = |X| = n • α : target app • x α : sum of all weights of data points exposed by α risk score:

  25. Utility: assessing the risk with Pluto RISK SCORE CATEGORY APP TITLE AVG # INSTALLS [ 0 - 10 ] MEDICAL Depression CBT Self-Help Guide 100K - 500K 8.14 MEDICAL Prognosis: Your Diagnosis 500K - 1M 6.31 HEALTH & Dream Body Workout Plan 100K - 500K 7.33 FITNESS HEALTH & myCigna 100K - 500K 5.62 FITNESS

  26. Utility: assessing the risk with Pluto RISK SCORE CATEGORY APP TITLE AVG # INSTALLS [ 0 - 10 ] MEDICAL Depression CBT Self-Help Guide 100K - 500K 8.14 MEDICAL Prognosis: Your Diagnosis 500K - 1M 6.31 HEALTH & Dream Body Workout Plan 100K - 500K 7.33 FITNESS HEALTH & exposes 16 data points myCigna 100K - 500K 5.62 FITNESS depression, headache, pregnancy,…

  27. Summary • Apps store an abundance of private user data in local files. • Revealed a trend of aggressive collection of app bundles. • New techniques for assessing user sensitive information exposure to libraries. [not covered in this talk] • Designed a tool (Pluto) to automatically assess the data exposure risk to third-party libraries by apps at scale. • Pluto is evaluated on real world apps and user data and evidently achieves good prediction performance.

  28. Thank You! Source code is available online at: https://github.com/soteris/android- advertising-pluto

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

415 views • 17 slides
Assessing the impact of a health intervention via

Assessing the impact of a health intervention via

Assessing the impact of a health intervention via user-generated Internet data Data Mining and Knowledge Discovery 29(5), pp. 14341457, 2015 Vasileios Lampos

449 views • 42 slides
Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge,

Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge,

Southcentral Foundation; Anchorage, Alaska Expanding HIV Pre-Exposure Prophylaxis Presented by: care delivery through assessing knowledge, Nikolina Golob, Pharm.D., MBA attitudes, and barriers from providers, nurse case managers, and

383 views • 15 slides
Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias

Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias

Monitor for detecting and assessing exposure to airborne nanoparticles Johan Marra 1 , Matthias Voetz 2 , Heinz-Jrgen Kiesling 2 1 Philips Research Laboratories; Eindhoven 2 Bayer Technology Services; Leverkusen 4 November, 2008 Current

541 views • 15 slides
Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented

Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented

Dissemination Seminar of the Study Findings on Formative Research for Assessing Exposure and Effectiveness of IEC/SBCC Interventions Implemented by IEM Unit of DGFP Study Conducted by Department of Population Sciences University of Dhaka,

721 views • 60 slides
Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk

Assessing'the'exposure'to'risk'and' techniques'to'continually'identify' and'manage'new'risk Kevin&Lindsay Deputy&Head&of&Financial&Crime&Group

374 views • 10 slides
Assessing exposure to occupational chemicals in large-scale epidemiological studies on

Assessing exposure to occupational chemicals in large-scale epidemiological studies on

Assessing exposure to occupational chemicals in large-scale epidemiological studies on occupational cancers Hans Kromhout Institute for Risk Assessment Sciences Utrecht University, Utrecht, the Netherlands Industrial Cohort Study European

842 views • 45 slides
Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison

Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison

Assessing Occupational Exposure in Black Hair Salons Co-Investigators: Anna M. Abrams Allison F. Marill Alexis J. Cooper Ramya B. Ramakrishna Jay D. Feinstein Teleah I. Slater Annie E. Fortnow Cassidy L. Tatun Omkar A. Kulkarni Raymond

657 views • 24 slides
An overview of a simulation approach to assessing environmental risk of sound exposure to marine

An overview of a simulation approach to assessing environmental risk of sound exposure to marine

An overview of a simulation approach to assessing environmental risk of sound exposure to marine mammals. Dr. C. Donovan [C. Harris, L. Marshall, L. Milazzo, R. Williams & J. Harwood] Centre for Research into Ecological and Environmental

433 views • 27 slides
(ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING)

(ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING)

LECTURE 11. BUSINESS STRATEGY-ADVERTISING (ADVERTISING AND PRICE COMPETITION, ADVERTISING INTENSITY, UNCERTAINTY IN ADVERTISING) Konstantinos Kounetas School of Business Administration Department of Economics Master of Science in Applied

374 views • 25 slides
Assessing the utility of electronic health records and health care claims data to determine

Assessing the utility of electronic health records and health care claims data to determine

Assessing the utility of electronic health records and health care claims data to determine potential health impacts associated with opportunities for exposure to environmental contaminants NAHDO 2020 35 th Annual Conference August 25 th , 2020

172 views • 13 slides
Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob

Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob

Back to Basics Exposure and Depth of Field Woodley PC Members Evening 16 September 2019 Bob Collis Correct An exposure that achieves the desired effect ! Exposure: Taking Control of Exposure A S Camera uses factory User sets ISO and

439 views • 21 slides
USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, .

USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, .

USER IDENTIFICATION PROBLEMS ON DSP SIDE IN TERMS OF ADVERTISING RTB AUCTIONS B. F. Trofimov, . V. Arsiriy, . . rsiriy AGENDA Introduction Informational technology of AD delivery for RTB User identification on DSP side

145 views • 12 slides
Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital

Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital

Equinet Academy Digital Advertising (PPC/SEM) Course Digital Advertising (PPC/SEM) Equinet 1 Academy Digital Advertising Framework Determine Campaign Analyse & Digital Setup & Gather Data Optimise Define Marketing

1.6k views • 110 slides
UC San Diego 1 Many Web services today are free/open access Supported by advertising

UC San Diego 1 Many Web services today are free/open access Supported by advertising

Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker UC San Diego 1 Many Web services today are free/open access Supported by advertising revenue Reaching critical mass requires low barrier to entry

443 views • 41 slides
Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is

Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is

THE ROLLING GEEKS TOUR Advertising Showcase The Advertising Space Fantastic Transit Advertising Opportunity! There is an exciting new business starting up in Maltas historical harbour area, covering Senglea, Vittoriosa, Cospicua and Kalkara.

253 views • 8 slides
experiencing miscarriage? Background Miscarriage affects one in four confirmed pregnancies

experiencing miscarriage? Background Miscarriage affects one in four confirmed pregnancies

@HISA_HIC #HIC18 31 July 2018 Patrick Pang @pangpatrick The University of Melbourne, Australia Meredith Temple-Smith, Clare Bellhouse, Van-Hau Trieu, Litza Kiropoulos The University of Melbourne, Australia Helen Williams, Arri Coomarasamy

676 views • 12 slides
How to Use Social Lead Generation to Attract Customers When They No Longer Want to Hear From You

How to Use Social Lead Generation to Attract Customers When They No Longer Want to Hear From You

How to Use Social Lead Generation to Attract Customers When They No Longer Want to Hear From You Francois Gossieaux Co-President Human 1.0 Session Speaker Francois Gossieaux Co-President Human 1.0 Through his role as a co-founder and

355 views • 35 slides
Song of Songs Song of Solomon Song of Songs 6:13-8:4 (NIV) Ch Choru rus Come back, come back,

Song of Songs Song of Solomon Song of Songs 6:13-8:4 (NIV) Ch Choru rus Come back, come back,

Song of Songs Song of Solomon Song of Songs 6:13-8:4 (NIV) Ch Choru rus Come back, come back, O Shulammite; come back, come back, that we may gaze on you! Song of Songs 6:13-8:4 (NIV) He Why would you gaze on the Shulammite as on the

721 views • 20 slides
http:/ / www.readynation.org/ 1 5/5/2016 5/5/2016 4 We are hardwired for relationships

http:/ / www.readynation.org/ 1 5/5/2016 5/5/2016 4 We are hardwired for relationships

5/5/2016 The Importance of Understanding Early Brain Development Mark Hald, PhD Licensed Psychologist May 5, 2016 1 Three Core Concepts in Early Brain Developm ent ReadyNation is a business partnership for early childhood and economic

363 views • 9 slides
Traducianism, from L. traducere meaning to transfer. This view teaches that both the

Traducianism, from L. traducere meaning to transfer. This view teaches that both the

Traducianism, from L. traducere meaning to transfer. This view teaches that both the material body and the immaterial soul are transmitted through physical procreation. This position was first developed by Tertullian, AD 155220

442 views • 23 slides
Johnson v. United States, 135 S. Ct. 2551 (June 26, 2015) The ACCAs residual clause, 18

Johnson v. United States, 135 S. Ct. 2551 (June 26, 2015) The ACCAs residual clause, 18

F E DE RAL HABE AS BASI CS F OR L I T I GAT I NG JOHNSON CL AI MS NOVE MBE R 18-19, 2015 Ann He ste r F e de ra l De fe nde rs o f We ste rn No rth Ca ro lina , I nc . Ann_He ste r@ fd.o rg Johnson v. United States, 135 S.

819 views • 62 slides
Facilitating Attuned Interactions (FAN) A Taste of the FAN Your Trainer: Sylvia Kurin, MSW

Facilitating Attuned Interactions (FAN) A Taste of the FAN Your Trainer: Sylvia Kurin, MSW

Facilitating Attuned Interactions (FAN) A Taste of the FAN Your Trainer: Sylvia Kurin, MSW LICSW Mindfulness Moment Our Time Together Overview of Erikson Institute, Fussy Baby Network, and Cooper House The FAN as a Tool for

765 views • 39 slides
Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Block-based partial packet recovery corrupt packet Maranello Practical Partial Packet Recovery

Maranello : Practical Partial Packet Recovery for 802.11 Bo Han Aaron Schulman Lusheng Ji Neil Spring Francesco Gringoli Seungjoon Lee Bobby Bhattacharjee Lorenzo Nava Robert Miller University of Maryland University of Brescia AT&T

894 views • 43 slides

More recommend