Security and Privacy in Mobile Advertising

Advertising is a financial pillar that supports the mobile computing ecosystem. Android, the most popular mobile platform, and many of its apps are distributed for free while being supported by ads. Since advertising is pervasive in the Android ecosystem, its security and privacy implications affect all the parties involved:

For mobile users: how does advertising impinge on their privacy?

For advertisers: how to detect and prevent fraudulent ad requests?

User privacy in ad libraries

Ad libraries send user information to their servers to serve targeted ads. [1][2] examined popular Android ad libraries to find sensitive information that ad libraries exfiltrated, such as user profile, GPS coordinates, app package name, and device make and model. Since some of these data were protected by permissions, ad libraries declared their requested permissions in their documentation. Worryingly, however, some ad libraries tried to sneak permissions: their documentation didn't require certain permissions, but their code detected whether the host app had requested those permissions and, if so, freeloaded off them.

[3] characterized what targeting information mobile apps sent to ad networks and how effectively ad networks used the information. It analyzed 500K ad requests from 150K Android apps and 101 ad networks, and found that apps did not yet exploit the full potential of targeting: even though ad controls provided APIs to send a lot of information to ad networks, much key targeting information was optional and often not provided by app developers. It systematically probed the top 10 in-app ad networks to harvest over 1 million ads and found that while targeting was used by many of the top networks, targeting information or behavioral profile often did not have a statistically significant impact on how ads were chosen.
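Because an ad library runs inside the host app's process, it holds every permission the app was granted, which is what makes the permission sneaking described above possible. The following Python script is an added example, not code from the papers cited, that audits this from the developer's side: it parses a constructed AndroidManifest.xml, compares the host app's permissions against the permission set a hypothetical ad SDK documents as required, and reports the sensitive permissions that SDK could use without ever having asked for them. The manifest, the SDK's documented permission set and the sensitive-permission list are all assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of a hypothetical host app (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hostapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Permissions a hypothetical ad SDK documents as required (assumption for this example).
DOCUMENTED_SDK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions guarding the kinds of data the cited studies saw ad libraries exfiltrate
# (location, device identity, account and contact data). Constructed list for the example.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
}


def requested_permissions(manifest_xml):
    """Return the set of permissions declared with <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def freeloadable_permissions(manifest_xml, documented_sdk_permissions,
                             sensitive=SENSITIVE_PERMISSIONS):
    """Sensitive permissions the host app holds that the SDK never documented.

    Any code in the process, including an embedded library, can check for these at
    runtime and use them, so these are the ones a developer should expect a library
    to be able to freeload on."""
    host = requested_permissions(manifest_xml)
    return sorted((host & sensitive) - set(documented_sdk_permissions))


if __name__ == "__main__":
    for perm in freeloadable_permissions(SAMPLE_MANIFEST, DOCUMENTED_SDK_PERMISSIONS):
        print("undocumented sensitive permission available to embedded SDKs:", perm)
```

Permissions the SDK documents are excluded from the report because the developer already knows the library will use them; the remaining ones are where the developer's threat model and the library's actual behaviour can silently diverge.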

Mobile ad fraud

Ad libraries fetch content from the ad provider and display it on the app's user interface. The ad provider pays the developer for the ads displayed to the user and the ads clicked by the user. Ad fraud happens when a miscreant's code fetches ads without displaying them to the user or "clicks" on ads automatically.

[4] studied mobile ad fraud perpetrated by Android apps. It identified two fraudulent ad behaviors in apps: 1) requesting ads while the app is in the background, and 2) clicking on ads without user interaction. Based on these observations, it developed an analysis tool, MAdFraud, which automatically runs many apps simultaneously in emulators to trigger and expose ad fraud.
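As an added illustration of the two behaviours MAdFraud looks for, here is a small Python detector, not MAdFraud's own code, run over a constructed event trace of the kind an instrumented emulator could record: ad requests made while the app has no foreground activity, and ad clicks with no preceding user touch on the same app. It also checks whether the flagged clicks are spaced at near-constant intervals, since timer-driven clicks look different from human ones. The trace, the package names and the two-second touch-to-click attribution window are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    t: float          # seconds since the start of the emulator run
    pkg: str          # package name of the app that produced the event
    kind: str         # "touch" (injected user input), "ad_request" or "ad_click"
    foreground: bool  # whether the app had a visible activity at time t


# Constructed trace (not real data): one well-behaved app and one showing both behaviours.
TRACE = [
    Event(1.0, "com.example.good", "touch", True),
    Event(1.2, "com.example.good", "ad_request", True),
    Event(5.0, "com.example.good", "touch", True),
    Event(5.1, "com.example.good", "ad_click", True),
    Event(2.0, "com.example.bad", "ad_request", False),
    Event(32.0, "com.example.bad", "ad_request", False),
    Event(40.0, "com.example.bad", "ad_click", False),
    Event(62.0, "com.example.bad", "ad_request", False),
    Event(70.0, "com.example.bad", "ad_click", False),
    Event(100.0, "com.example.bad", "ad_click", False),
]

CLICK_WINDOW = 2.0  # seconds: a click this soon after a touch is plausibly the user's


def _by_package(trace):
    """Group events by package, each group sorted by time."""
    groups = defaultdict(list)
    for ev in sorted(trace, key=lambda e: e.t):
        groups[ev.pkg].append(ev)
    return groups


def background_requests(trace):
    """Behaviour 1: count ad requests per package made with no foreground activity."""
    counts = {}
    for pkg, events in _by_package(trace).items():
        n = sum(1 for e in events if e.kind == "ad_request" and not e.foreground)
        if n:
            counts[pkg] = n
    return counts


def unattributed_clicks(trace, window=CLICK_WINDOW):
    """Behaviour 2: timestamps of ad clicks with no touch on that app within `window` seconds."""
    flagged = {}
    for pkg, events in _by_package(trace).items():
        last_touch = None
        suspicious = []
        for e in events:
            if e.kind == "touch":
                last_touch = e.t
            elif e.kind == "ad_click" and (last_touch is None or e.t - last_touch > window):
                suspicious.append(e.t)
        if suspicious:
            flagged[pkg] = suspicious
    return flagged


def is_periodic(times, rel_tolerance=0.1):
    """True if consecutive gaps are all within rel_tolerance of their mean: a timer signature."""
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= rel_tolerance * mean for g in gaps)


def report(trace):
    """Per-package summary of both behaviours plus the periodicity check on flagged clicks."""
    bg = background_requests(trace)
    clicks = unattributed_clicks(trace)
    return {
        pkg: {
            "background_requests": bg.get(pkg, 0),
            "unattributed_clicks": len(clicks.get(pkg, [])),
            "periodic_clicks": is_periodic(clicks.get(pkg, [])),
        }
        for pkg in set(bg) | set(clicks)
    }


if __name__ == "__main__":
    for pkg, summary in sorted(report(TRACE).items()):
        print(pkg, summary)
```

In a real harness the foreground flag would come from the emulator's activity stack and the touch events from the inputs the harness itself injected, so any click not preceded by one of them is by construction not the user's.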

It applied MAdFraud to more than 160,000 apps and found that about 30% of apps with ads made ad requests while running in the background and 27 apps generated clicks without user interaction. It found that the click fraud apps attempted to remain stealthy when fabricating ad traffic by only periodically sending clicks and by changing which ad provider was targeted between installations.

[5] proposed a verifiable mobile ad framework called AdAttester, based on ARM's TrustZone technology. AdAttester provided two security primitives, unforgeable clicks and verifiable display. The two primitives attest that ad-related operations (e.g., user clicks) were initiated by the end user (instead of a bot) and that the ad was displayed intact and timely. AdAttester leveraged the secure world of TrustZone to implement these two primitives and collect proofs, which were piggybacked on ad requests to ad providers for attestation. AdAttester was non-intrusive to mobile users and can be incrementally deployed in the existing ad ecosystem. A prototype of AdAttester was implemented for Android running on a Samsung Exynos 4412 board.
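The following Python model is an added example of the attestation idea, not AdAttester's protocol or code: a component standing in for the TrustZone secure world is the only holder of a device key and the only party that sees the raw touch and the rendered ad frame; it produces a keyed proof over the click and the displayed content, the proof travels with the ad request, and the ad provider verifies it and rejects forged, replayed, tampered or too-brief displays. The symmetric key, the proof format, the minimum display time and the frame bytes are assumptions made for this example; a deployment would provision per-device asymmetric keys to the secure world rather than share a symmetric one.

```python
import hashlib
import hmac
import json
import os

# Assumption for this example: one key provisioned into the secure world and known to the
# ad provider. The page does not describe AdAttester's key management or proof format.
DEVICE_KEY = b"constructed-device-key-for-example-only"


class SecureWorld:
    """Stands in for the TrustZone secure world: sole holder of DEVICE_KEY, and the only
    component that observes the raw touch input and the frame actually shown on screen."""

    def __init__(self, key):
        self._key = key

    def attest(self, ad_id, nonce, click_xy, display_ms, frame_bytes):
        """Build a proof binding the click, the display duration and the shown frame."""
        record = {
            "ad_id": ad_id,
            "nonce": nonce,                       # issued by the provider with the ad
            "click": list(click_xy),              # coordinates from the secure touch path
            "display_ms": display_ms,             # how long the secure display showed it
            "frame_sha256": hashlib.sha256(frame_bytes).hexdigest(),
        }
        msg = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return record, tag


class AdProvider:
    """Verifies proofs piggybacked on click reports before paying for a click."""

    def __init__(self, key, min_display_ms=1000):
        self._key = key
        self._min_display_ms = min_display_ms
        self._served = {}   # nonce -> (ad_id, sha256 of the creative we sent)
        self._used = set()  # nonces already redeemed, to stop replays

    def serve_ad(self, ad_id, frame_bytes):
        nonce = os.urandom(8).hex()
        self._served[nonce] = (ad_id, hashlib.sha256(frame_bytes).hexdigest())
        return nonce

    def verify_click(self, record, tag):
        nonce = record.get("nonce")
        if nonce not in self._served or nonce in self._used:
            return "rejected: unknown or replayed nonce"
        msg = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: proof not produced by the secure world"
        ad_id, frame_hash = self._served[nonce]
        if record["ad_id"] != ad_id or record["frame_sha256"] != frame_hash:
            return "rejected: displayed content does not match the served ad"
        if record["display_ms"] < self._min_display_ms:
            return "rejected: ad not displayed long enough"
        self._used.add(nonce)
        return "accepted"


def demo():
    """Run the genuine flow and the failure cases; returns the provider's verdict for each."""
    provider = AdProvider(DEVICE_KEY)
    secure = SecureWorld(DEVICE_KEY)
    frame = b"constructed rendered ad frame bytes"
    results = {}

    nonce = provider.serve_ad("ad-42", frame)
    genuine = secure.attest("ad-42", nonce, (120, 340), 1500, frame)
    results["genuine"] = provider.verify_click(*genuine)
    results["replay"] = provider.verify_click(*genuine)

    # Normal-world code has no access to the key, so a fabricated click has to guess the tag.
    nonce = provider.serve_ad("ad-42", frame)
    forged = {"ad_id": "ad-42", "nonce": nonce, "click": [0, 0], "display_ms": 1500,
              "frame_sha256": hashlib.sha256(frame).hexdigest()}
    results["forged"] = provider.verify_click(forged, "00" * 32)

    # The secure world attests honestly, but what was on screen was not the served creative.
    nonce = provider.serve_ad("ad-42", frame)
    results["wrong_frame"] = provider.verify_click(
        *secure.attest("ad-42", nonce, (5, 5), 1500, b"something else was shown"))

    # Genuine click on the right creative, but it was only flashed for 200 ms.
    nonce = provider.serve_ad("ad-42", frame)
    results["too_brief"] = provider.verify_click(
        *secure.attest("ad-42", nonce, (5, 5), 200, frame))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} {verdict}")
```

The security argument rests on the key never leaving the secure world and on the touch and display paths being observed there rather than reported by the app; with a shared symmetric key, a provider that leaks it could forge proofs itself, which is why real designs bind a per-device signing key to the hardware instead.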

References

[1] Ryan Stevens, Clint Gibler, Jon Crussell, Jeremy Erickson and Hao Chen. Investigating User Privacy in Android Ad Libraries. IEEE Mobile Security Technologies (MoST), 2012.

[2] M. Grace, W. Zhou, X. Jiang, and A.R. Sadeghi. Unsafe Exposure Analysis of Mobile In-App Advertisements. Conference on Security and Privacy in Wireless and Mobile Networks (WiSeC), 2012.

[3] Suman Nath. MAdScope: Characterizing Mobile In-App Targeted Ads. 13th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys), 2015.

[4] Jon Crussell, Ryan Stevens, and Hao Chen. MAdFraud: Investigating Ad Fraud in Android Applications. 12th International Conference on Mobile Systems, Applications and Services (MobiSys), 2014.

[5] Wenhao Li, Haibo Li, Haibo Chen, Yubin Xia. AdAttester: Secure Online Mobile Advertisement Attestation Using TrustZone. 13th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys), 2015.

About the author

Hao Chen is an associate professor at the Department of Computer Science at the University of California, Davis. He received his Ph.D. at the Computer Science Division at the University of California, Berkeley, and both his B.S. and M.S. from Southeast University. His primary interests are computer security and mobile computing. He won the National Science Foundation CAREER award in 2007, and the UC Davis College of Engineering Faculty Award in 2010.
