What Mobile Ads Know About Mobile Users

@inproceedings{Son2016WhatMA,
  title={What Mobile Ads Know About Mobile Users},
  author={Sooel Son and Daehyeok Kim and Vitaly Shmatikov},
  booktitle={NDSS},
  year={2016}
}
We analyze the software stack of popular mobile advertising libraries on Android and investigate how they protect the users of advertising-supported apps from malicious advertising. We find that, by and large, Android advertising libraries properly separate the privileges of the ads from the host app by confining ads to dedicated browser instances that correctly apply the same origin policy. We then demonstrate how malicious ads can infer sensitive information about users by accessing external… 
Adlib: analyzer for mobile ad platform libraries
TLDR
A static analyzer, Adlib, is developed, which analyzes Android Java libraries that use hybrid features to enable communication with JavaScript code and detects possible flows from the APIs that are accessible from third-party advertisements to device-specific features like geographic locations.
The Long-Standing Privacy Debate: Mobile Websites vs Mobile Apps
TLDR
An anti-tracking mechanism that enables users to access an online service through a mobile app without risking their privacy; it preserves user privacy by reducing the leaking identifiers of apps by 27.41% on average, while imposing a practically negligible latency of less than 1 millisecond per request.
An Empirical Study on User Reviews Targeting Mobile Apps' Security & Privacy
TLDR
It was evident from the results that the number of permissions that the apps request plays a dominant role in this matter and sending out the location can affect the users' thoughts about the app.
A Case Study of Intra-library Privacy Issues on Android GPS Navigation Apps
TLDR
The results show that GPS navigation apps have access to several types of device data, while they may allow for personal data leakage towards third parties such as library providers or tracking services without providing adequate or precise information to the users.
A longitudinal study of popular ad libraries in the Google Play Store
TLDR
This study provides the first in-depth look into how the important mobile app market segment of ad libraries has evolved over a period of 33 months and derives a reference architecture from the studied eight ad libraries.
How Did That Get In My Phone? Unwanted App Distribution on Android Devices
TLDR
An analysis of the who-installs-who relationships between installers and child apps reveals that the Play market is the main app distribution vector, responsible for 87% of all installs and 67% of unwanted app installs, but it also has the best defenses against unwanted apps.
"We Can't Live Without Them!" App Developers' Adoption of Ad Networks and Their Considerations of Consumer Risks
TLDR
A mixed-methods study with mobile app developers to better understand why and how they partner with advertising networks and their considerations of consumer risks in those interactions finds that developers use advertising because they see it as the only viable way to monetize their app.
A Practical System for Privacy-Aware Targeted Mobile Advertising Services
TLDR
This paper proposes a practical system that allows the ad network to perform accurate user targeting, while ensuring strong privacy protection for mobile users, and shows how to properly leverage a cryptographic primitive called private stream searching to support secure, accurate, and practical targeted mobile ad delivery.
Understanding Malicious Cross-library Data Harvesting on Android
TLDR
This research brought to light a new attack vector, long ignored yet with serious privacy impacts: malicious libraries strategically target other vendors’ SDKs integrated in the same host app to harvest private user data.
Short Text, Large Effect: Measuring the Impact of User Reviews on Android App Security & Privacy
TLDR
This paper presents the first study of the relationship between end-user reviews and security- & privacy-related changes in apps, and shows that user reviews in fact lead to privacy improvements of apps.

References

SHOWING 1-10 OF 70 REFERENCES
Investigating User Privacy in Android Ad Libraries
TLDR
This work examines the effect on user privacy of thirteen popular Android ad providers by reviewing their use of permissions, and discovers the insecure use of Android’s JavaScript extension mechanism in several ad libraries.
AdSplit: Separating Smartphone Advertising from Applications
TLDR
AdSplit is described, where Android is extended to allow an application and its advertising to run as separate processes, under separate user-ids, eliminating the need for applications to request permissions on behalf of their advertising libraries, and providing services to validate the legitimacy of clicks, locally and remotely.
AdDroid: privilege separation for applications and advertisers in Android
TLDR
AdDroid is introduced, a privilege-separated advertising framework for the Android platform that separates privileged advertising functionality from host applications, allowing applications to show advertisements without requesting privacy-sensitive permissions.
Screenmilker: How to Milk Your Android Screen for Secrets
TLDR
Screenmilker is built, an app that can detect the right moment to monitor the screen and pick up a user’s password as she types it in real time, and a mitigation mechanism is presented that controls the exposure of the ADB capabilities only to authorized apps.
Unauthorized origin crossing on mobile platforms: threats and mitigation
TLDR
An origin-based protection mechanism, called Morbs, is designed for mobile OSes that labels every message with its origin information, lets developers easily specify security policies, and enforces the policies on the mobile channels based on origins, and demonstrates the effectiveness of the new technique in defeating unauthorized origin crossing.
Analyzing Android Browser Apps for file:// Vulnerabilities
TLDR
An automated system is designed to dynamically test 115 browser apps collected from Google Play and finds that 64 of them are vulnerable to four types of attacks in Android that exploit the vulnerable file:// scheme to obtain users’ private files, such as cookies, bookmarks, and browsing histories.
AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users
TLDR
A knowledge base of mappings between API calls and fine-grained privacy-related behaviors is created and high-level behavior profiles of application behavior are produced to analyze users' opinions about how applications affect their privacy.
Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting
TLDR
Analyzing the code of three popular browser-fingerprinting code providers reveals the techniques that allow websites to track users without the need of client-side identifiers, and shows how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques.
Indirect File Leaks in Mobile Applications
TLDR
This paper devises new indirect file leak (IFL) attacks that exploit browser interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ.
Unsafe exposure analysis of mobile in-app advertisements
TLDR
The investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks, and clearly shows the need for better regulating the way ad libraries are integrated in Android apps.