What Mobile Ads Know About Mobile Users
Sooel Son
joint work with Daehyeok Kim and Vitaly Shmatikov
1
Overview
Background
– Mobile advertising library
– Attack model: malicious advertiser
Information available to the attacker
– Local file resources in Android devices
– User trajectories
2
source: AppBrain
3
Figure labels: Web browser, Mobile app, Ad library
4
Figure labels: Mobile app, Ad library
5
Prior research / Our focus
Grace et al. [WiSec 2012], Stevens et al. [MoST 2012], Book et al. [MoST 2013], Shekar et al. [Usenix 2012]
What can malicious advertisers learn about mobile users?
6
– AdMob (Google), MoPub (Twitter), AirPush, many others
  to 100,000s of developers
operators
brokers, exchanges
no accountability
sanitization are hard
7
permissions for AdSDKs, repackage apps
App / AdSDK
App and AdSDK share the same privileges
8
Ad
App and Ad should NOT share the same privileges
9
* can load (but not read!) files from external storage
10
%%%%1)$"%#LL4'L4)#$+%L+4:)..)'0.%
%%%%#AA+..%$'%+]$+40#*%.$'4#B+%% %%%%$'%A#A"+%):#B+.`%=)-+'%
–! ,09%#LL%A#0%4+#-%#09%'$"+4%#LLl.%H*+.%% –! @2$%:'()*+%#-.%#4+%0'$%#LL.J%%?(/$'.%,2,"'4.1,&C'D' 8"-%85-$6'E(;(?&%,4-'&("".-'%$(6'$F-G5-.%(2$'H1$5'
I'<8-'&("'()$/4-'-.'1.(6'-:$/%
>> %
Malicious advertiser
user's network traffic
What can the attacker learn from user's device?
12
1-bit "local resource oracle":
exist in the device's external storage?
13
App for finding pharmacies, comparing drug prices (1 to 5 million installs in Google Play Store)
Bookmark functionality: thumbnail images of drugs that the user searched for, cached in external storage
14
8'+.%$").%H*+%+]).$n% H*+Dqq.-A#4-q,0-4')-q-#$#q A':JB''-4]qA#A"+q2)*R):#B+.q OYeVOKXe% ,09%#-%-).L*#9+-%)0%#09%'$"+4%#LL% '0%$"+%.#:+%-+=)A+%A#0%)0F+4% 1")A"%-42B.%$"+%2.+4%).%$#7)0B%
>Y %
\").%#LL%-'+.%0'$% )0A*2-+%#-=+4<.)0B^% ^%(2$%#-.%."'10%)0%#09%#LL% '0%$"+%.#:+%-+=)A+%A#0%2.+% $"+%L4+.+0A+%'F%)$.%A#A"+-% H*+.%$'%)0F+4%2.+4l.%.+A4+$.%
+.$5'".-' ;,.1(-$'5(/$' .%,2,"'4.1,&C '
>_ %
in JavaScript
– Read: accessing actual contents of a resource.
– Load: attaching a resource to the DOM
cross-origin resource.
prohibited.
8'*L")0%:'()*+%(4'1.+4% SYV%$'%>VV%:)**)'0%)0.$#**.%)0%M''B*+%N*#9%5$'4+W% % \'%4+-2A+%(#0-1)-$"% 2.#B+%#0-%4+.L'0.+%<:+`% A#A"+.%F+$A"+-%):#B+.`% s\&G`%#0-%h#=#5A4)L$%)0% +]$+40#*%.$'4#B+%
>K %
Any ad displayed in any other app on the same device can infer which sites user visited recently
Cached webpages
19
resources in external storage
– Default is false since Android 4.0
– Once enabled, it allows reading local resources from any file scheme URL
20
    several fixed in their latest AdSDK releases
21
– WebSettings.setAllowFileAccess(false)
– Limit direct access to files
22
– ACLs based on file paths
– Do not block other links to local resources

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        Uri givenUri = Uri.parse(url);
        String givenPath = givenUri.getPath();
        if (givenPath != null && givenPath.startsWith(JAIL_PREFIX)) {
            // If givenUrl is a subdirectory of JAIL_PREFIX, request is granted
            …
        }
        …
    }
23
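A hardened version of the path-based check on this slide, added here as an example and not taken from the slides or the authors' code: it applies the jail only to file: URLs, canonicalizes the path before comparing it with the jail prefix, and answers every other local request with one uniform empty response, so the 1-bit oracle sees the same outcome whether or not the file exists. The class name JailedWebViewClient and the jailDir constructor argument are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;

// Added example, not from the slides: confines a WebView's local loads to one directory.
public class JailedWebViewClient extends WebViewClient {
    private final String jailPrefix; // canonical path of the allowed directory plus separator

    public JailedWebViewClient(File jailDir) throws IOException {
        // Canonicalize once; comparing canonical paths defeats "..", symlinks and "//" tricks
        this.jailPrefix = jailDir.getCanonicalPath() + File.separator;
    }

    // Only file: URLs whose canonical path lies inside the jail are allowed
    boolean isInsideJail(Uri uri) {
        if (!"file".equals(uri.getScheme()) || uri.getPath() == null) {
            return false;
        }
        try {
            return new File(uri.getPath()).getCanonicalPath().startsWith(jailPrefix);
        } catch (IOException e) {
            return false; // unresolvable path: deny
        }
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if ("http".equals(scheme) || "https".equals(scheme) || isInsideJail(uri)) {
            return null; // let the WebView handle network fetches and jailed files normally
        }
        // Every other scheme (file: outside the jail, content:, etc.) gets the same empty
        // response whether or not the resource exists, so load success/failure no longer
        // reveals the presence of a file
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }

    // Defense in depth: also turn off direct file access in WebSettings (see slide 22)
    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }
}
```

Call harden(webView) and install the client with webView.setWebViewClient(new JailedWebViewClient(cacheDir)) on the WebView that renders ads; the interceptor then only matters for the jailed directory, since file access is disabled everywhere else.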
    Cookies do not serve their purpose
IMSI and others
GPS data
24
– Advertising service providers
– Advertisers?
25
26
[Ad ID, fine grained location, time1]
[Ad ID, fine grained location, time2]
...
27
protect users from malicious advertising
secure in the mobile context
– Mere existence of a certain file in external storage can reveal sensitive information about the user
– Direct information leakage
privacy-sensitive info and infer the identities.
28
29
guideline with FINE_LOCATION permission.
AdSDK providers and advertisers across different vendors.
30
31