Presentation - Embedded System Lab.


Workshop on Mobile Security Technologies (MoST), 2012
2015. 6. 26
박종혁
Computer Security and Operating Systems Lab
Contents
 Introduction
 Background
 Unique Privacy Concern in Ad
 Methodology
 Permission
 Private Data on the Network
 Tracking Users
 Potential Solution
 Conclusion
Computer Security & OS Lab.
2
Introduction
 Smartphones
 Have rapidly increased in popularity in recent years
 Many developers release their applications for free and generate revenue from ads
 Advertisement libraries
 Send information about the device and user to the ad server
 Growing concern about user privacy
 In this paper
 Identify unique privacy concerns in Android app advertising
 Discover privacy threats resulting from these concerns
 Analyze popular Android ad libraries for these threats
Background
 Android
 Linux-based smartphone operating system
 Requires each application to declare a list of permissions in its manifest (AndroidManifest.xml)
 Permissions gate access to sensitive user information
 Android third-party libraries
 Developers use libraries to parse a specific file format, communicate with popular web applications, or provide advertising functionality
 Libraries run with the same privileges as the application code
 They may read application-specific private information or use functionality granted by any permission the application declares
 Unique Device Identifiers (UDID)
 ANDROID_ID
• Random hex string generated during the first boot of the device
 IMEI, MEID, ESN
• The telephony device ID of the phone
 android.os.Build.SERIAL
• Does not require a permission
 MAC address
• Of the phone's Wi-Fi or Bluetooth adapter
Background
 Online advertising
 Terms follow the Internet Advertising Bureau's glossary of advertising terms
[Diagram: Advertiser, Ad Provider (Ad Server), Publisher, Users; an Ad Request goes to the ad server, which responds with an advertisement]
Background
 Advertising on Android
 Android ad providers give developers a Software Development Kit (SDK) library, which provides an API for displaying advertisements
Unique Privacy Concern in Ad
 Consider three specific differences
 Between in-app advertising using an ad library and in-browser advertising
 1. Lack of privilege separation between application and ad code
 Gives the ad provider the opportunity to run code on the user's device with the same permissions as the application that uses the library
 Allows the ad provider to exfiltrate data from the device
 In-browser advertising
• Exfiltrating user information is difficult because of the same-origin policy
 In-app advertising
• The application holds specific permissions that give it the ability to access user information
 2. Detailed user data
 Code on the user's device may have more privileged access to the user's data
 In-browser advertising
• The browser assumes external code is untrusted and sandboxes it
 In-app advertising
• In-app advertising code is allowed to run in a very privileged state
Unique Privacy Concern in Ad
 3. Consistency of user identifiers
 Allows the ad provider to track the user's behavior
• The UDID can be sent with the ad request, allowing the ad provider to track user behavior
 In-browser advertising
• IP addresses and cookies change over time and may be reset by the user
 In-app advertising
• Resetting the UDID values on Android requires either a factory reset or root permission on the phone
Methodology
 Examine the most popular ad providers
 To gain the best insight into current Android ad providers
 Combine ad provider lists
 Determine the ad providers that are the most popular in terms of the overall amount of ad traffic
 Amount of ad traffic is measured as the number of users using applications supported by the ad provider
 Examine the most prevalent ad providers in the top 500 applications on the Google Play market
Methodology
 Analyze the behavior of each library
 Signed up as a developer
• With each ad provider, and downloaded a copy of the most recent library
 Instrumented a sample application using the library
• Captured the data (ad requests) sent over the network
• Determined the fields present, such as age or gender
 Referenced the provider's documentation
• Determined how the fields were populated
 Ensured fields are present in live traffic
• Manually verified that ad requests from each ad provider contained the relevant fields
Permissions
 Permission classification
 An ad library can take advantage of permissions to covertly access sensitive data
 Kinds of permission in ad provider documentation
• Required permissions
• Optional permissions
 Stowaway
• Detects the Android framework API methods the application accesses
• Uses an internal mapping between API methods and required permissions
 Manually investigated
• Each of the undocumented permissions
• Determined whether they were actually being used
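The classification step above (documented required/optional permissions versus the permissions the library's API calls actually need, then a check of which undocumented ones matter) can be expressed as a small audit. The following is an added example written for this transcript; it is not the paper's tooling or Stowaway itself. The API-to-permission map is a hand-written subset, and "ExampleAds" together with its host app manifest are constructed data, not any provider studied in the paper.

```python
"""Stowaway-style permission audit of an ad library (added example; not the
paper's tool or code).  All data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed subset of a framework-API -> required-permission map.  Stowaway
# built its real map by exercising the Android framework; this one is illustrative.
API_PERMISSION_MAP = {
    "java.net.URL.openConnection": "INTERNET",
    "android.net.ConnectivityManager.getActiveNetworkInfo": "ACCESS_NETWORK_STATE",
    "android.telephony.TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "android.location.LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "android.provider.ContactsContract.Contacts": "READ_CONTACTS",
    "android.provider.CalendarContract.Events": "READ_CALENDAR",
    "android.telephony.SmsManager.sendTextMessage": "SEND_SMS",
}


@dataclass
class AdLibrary:
    name: str
    documented_required: frozenset   # permissions the provider documents as required
    documented_optional: frozenset   # permissions the provider documents as optional
    api_calls: frozenset             # framework methods found in the library's bytecode


def permissions_used(lib):
    """Map the library's API calls to the permissions that gate them."""
    return frozenset(API_PERMISSION_MAP[m] for m in lib.api_calls if m in API_PERMISSION_MAP)


def audit(lib, app_declared):
    """Compare what the library actually uses with what its documentation says,
    and with what the host application declares in its manifest.

    Because the library runs with the app's privileges, an undocumented
    permission only becomes usable when the host app happens to declare it."""
    used = permissions_used(lib)
    documented = lib.documented_required | lib.documented_optional
    undocumented = used - documented
    return {
        "used": used,
        "undocumented": undocumented,
        # undocumented permission the app grants -> covert access is possible now
        "covert_access": undocumented & app_declared,
        # undocumented permission the app does not grant -> dormant until some app does
        "dormant": undocumented - app_declared,
        "documented_unused": documented - used,
    }


# Constructed library: its documentation lists a small core set, but the
# bytecode also touches contacts and SMS APIs.
EXAMPLE_ADS = AdLibrary(
    name="ExampleAds",
    documented_required=frozenset({"INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE"}),
    documented_optional=frozenset({"ACCESS_FINE_LOCATION"}),
    api_calls=frozenset({
        "java.net.URL.openConnection",
        "android.telephony.TelephonyManager.getDeviceId",
        "android.location.LocationManager.getLastKnownLocation",
        "android.provider.ContactsContract.Contacts",
        "android.telephony.SmsManager.sendTextMessage",
        "com.exampleads.internal.Banner.show",   # library-internal call, no permission
    }),
)

# Constructed host app manifest: declares READ_CONTACTS for its own features, not SEND_SMS.
HOST_APP_PERMISSIONS = frozenset({"INTERNET", "READ_PHONE_STATE",
                                  "ACCESS_FINE_LOCATION", "READ_CONTACTS"})

if __name__ == "__main__":
    for key, value in audit(EXAMPLE_ADS, HOST_APP_PERMISSIONS).items():
        print(f"{key:18} {sorted(value)}")
```

The "covert_access" set is the one the slides' manual investigation targets: a permission the provider never documented, which the app nevertheless grants, so the library can already use it. The "dormant" set is still worth reporting, since the same library ships unchanged into apps that do grant the permission.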
Permission
 Permission misuse
 Conjecture: ad libraries actively collect personal data using these permissions
 Most ad libraries require a similar core set of permissions
• INTERNET, ACCESS_LOCATION, ACCESS_NETWORK, READ_PHONE_STATE
 Mobclix library
• Includes four invasive permissions
• READ_CALENDAR, WRITE_CALENDAR, READ_CONTACTS, and WRITE_CONTACTS
• Contains code that reads / writes the user's calendar and contacts databases
 mOcean and InMobi libraries
• Contain functionality to start phone calls
• Add events to the user's calendar without user interaction
• mOcean can send SMS messages without user interaction
Permission
 JavaScript Interface
 Can be used by JavaScript loaded in a WebView to dynamically invoke the application's methods
 Android documentation
• Specifically warns against exposing a JavaScript Interface to untrusted JavaScript
 Vulnerable ad libraries
• Confirmed that four ad libraries will run external code within the WebView
• Users would be vulnerable to loss of personal data or other malicious actions
 What external code could do through each ad library
 Mobclix
• Modify the user's calendar, contacts, and audio and image files
• Turn the camera LED on/off
 Greystripe
• Get and/or set the user's cookies
 mOcean
• Send SMS and email messages, start phone calls, add calendar entries
• Get location, make arbitrary network requests
 InMobi
• Send SMS and email messages, start phone calls, modify the user's calendar
Permission
 JavaScript Interface
 Proof-of-concept
• To demonstrate the significance of the vulnerability
• Set up a test environment
• Attempted to exploit the Mobclix and mOcean ad libraries
• Used a Samsung Galaxy Nexus as the victim device
 To simulate the user's vulnerable application
• Performed an end-to-end attack on the victim device through Mobclix and mOcean
• Initiated a phone call to an arbitrary number with no user interaction
Private Data on the Network
 Report what private user information
 Each ad library is capable of sending over the network
• Observed each library's behavior both in an emulated environment and in live traffic
• Determined how the fields were populated in the ad request
• Referenced the provider's documentation about the specified fields
• Determined which fields the library would set automatically by observing the permissions that the ad library used
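The procedure above (capture an ad request, decide which of its fields carry private data, then separate fields the library fills in by itself from fields the developer supplied through the SDK) is illustrated by the following added example. It is not the paper's code: the parameter names, hostnames and captured request lines are constructed for this transcript and are not any real provider's format.

```python
"""Classify the private data carried by captured ad requests (added example;
not the paper's tooling).  Field names, hosts and captures are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed dictionary of request parameter -> category of private data.
FIELD_CATEGORY = {
    "udid": "identifier", "aid": "identifier", "imei": "identifier", "mac": "identifier",
    "age": "demographic", "gender": "demographic", "income": "demographic",
    "lat": "location", "lon": "location", "zip": "location",
    "model": "device", "osv": "device", "carrier": "device",
}

# Fields a library can populate on its own once the host app holds the permission
# (constructed mapping; the real mapping depends on the SDK).
FIELD_PERMISSION = {
    "udid": "READ_PHONE_STATE", "imei": "READ_PHONE_STATE", "carrier": "READ_PHONE_STATE",
    "lat": "ACCESS_FINE_LOCATION", "lon": "ACCESS_FINE_LOCATION",
}


def analyze_request(url, library_permissions):
    """Return which private fields an ad request carries, grouped by category,
    whether it went over plain HTTP, and which fields the library could have
    filled in automatically from permissions it is known to use.  Everything
    else must have been supplied by the developer through the SDK API."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    private = {k for k in params if k.lower() in FIELD_CATEGORY}
    by_category = {}
    for key in private:
        by_category.setdefault(FIELD_CATEGORY[key.lower()], []).append(key)
    auto = {k for k in private if FIELD_PERMISSION.get(k.lower()) in library_permissions}
    return {
        "host": parts.hostname,
        "plaintext": parts.scheme == "http",
        "fields": {cat: sorted(keys) for cat, keys in by_category.items()},
        "auto_populated": sorted(auto),
        "developer_supplied": sorted(private - auto),
    }


# Constructed captures from an instrumented sample app, each paired with the
# permissions the corresponding library was observed to use.
CAPTURED = [
    ("http://ads.provider-a.example/req?udid=0123456789abcdef&age=27&gender=m"
     "&lat=37.45&lon=127.12&model=GalaxyNexus&kw=game",
     {"INTERNET", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"}),
    ("https://ads.provider-b.example/ad?imei=490154203237518&carrier=KT&osv=4.0.4&income=high",
     {"INTERNET", "READ_PHONE_STATE"}),
]


def summarize(captures=CAPTURED):
    """One report per ad host."""
    report = {}
    for url, perms in captures:
        result = analyze_request(url, perms)
        report[result["host"]] = result
    return report


if __name__ == "__main__":
    for host, result in summarize().items():
        print(host, "plaintext" if result["plaintext"] else "encrypted", result["fields"])
```

A request over plain HTTP with identifier and location fields is exactly the case the later "Potential Solution" slide is concerned with: everything in it is readable by any on-path observer. Note that `kw=game` is ignored, since the dictionary deliberately covers only fields that describe the user or device.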
Tracking Users
 Android UDID
 Never changes, or can only be changed with root privilege
 Concerned with two primary threats
 An unscrupulous ad provider tracking users across several installed applications
 A network sniffer tracking users across several ad providers
 Ad providers consistently transmit
 The same UDID field (hashed or unhashed UDID value) regardless of the application
 A network sniffer may therefore track users across several libraries
Potential Solution
 Failure to protect the contents of ad requests
 Protecting sensitive information during transmission
• Providers need to encrypt their communication, e.g. with SSL
• SSL is expensive, and the server must still allow for concurrency
 Solution
• Low overhead – minimal session state
• Lightweight – preferably symmetric key
 Mishandling of UDID
 The user's privacy must be protected against a network sniffer
 Solution
• hash(ad provider || package name || UDID)
 Lack of ad and application privilege separation
 Ad libraries have access to all of the sensitive data in the application
 Solution
• Third-party code should not be allowed to access application-specific data
• If a permission is not explicitly granted to the ad code, then any request that requires it should be denied
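The two tracking threats from the "Tracking Users" slide (a provider linking one user across apps, and a sniffer linking one user across providers) and the hash(ad provider || package name || UDID) fix proposed above can be checked side by side. The following is an added example written for this transcript, not the paper's code. The UDID, provider names and package names are constructed; the field separator inside the hash input and the choice of SHA-256 are this example's assumptions, since the slide only gives the formula.

```python
"""Linkability of a device identifier across apps and ad providers, with the
scoped hash the slides propose (added example; not the paper's code)."""
import hashlib
from collections import defaultdict

DEVICE_UDID = "0123456789abcdef"   # constructed ANDROID_ID-style value


def raw_identifier(provider, package, udid):
    """Status quo: the same UDID goes to every provider from every app."""
    return udid


def plain_hash_identifier(provider, package, udid):
    """Hashing the UDID alone changes nothing: the digest is just as stable
    and just as global as the raw value, so it links exactly the same way."""
    return hashlib.sha1(udid.encode()).hexdigest()


def scoped_identifier(provider, package, udid):
    """hash(ad provider || package name || UDID) from the slide.  A NUL
    separator marks the field boundaries (assumption) so that a bare
    concatenation cannot be split two different ways."""
    material = "\x00".join((provider, package, udid)).encode()
    return hashlib.sha256(material).hexdigest()


# Constructed traffic as an on-path observer would see it: two apps on one
# phone, each embedding two ad libraries.
TRAFFIC = [
    ("provider-a", "com.example.game"),
    ("provider-a", "com.example.news"),
    ("provider-b", "com.example.game"),
    ("provider-b", "com.example.news"),
]


def observed_requests(identifier_fn, udid=DEVICE_UDID, traffic=TRAFFIC):
    """(provider, package, identifier-as-sent) for each ad request."""
    return [(prov, pkg, identifier_fn(prov, pkg, udid)) for prov, pkg in traffic]


def link_requests(requests):
    """Group requests carrying the same identifier value.  A group that spans
    several (provider, package) pairs means those contexts are linkable to one
    user by anyone who sees the traffic."""
    groups = defaultdict(set)
    for prov, pkg, ident in requests:
        groups[ident].add((prov, pkg))
    return dict(groups)


def linkable_contexts(identifier_fn):
    """Largest number of (provider, package) contexts tied together by a single identifier."""
    groups = link_requests(observed_requests(identifier_fn))
    return max(len(contexts) for contexts in groups.values())


def stable_within_context(identifier_fn):
    """The scoped value must still be stable for one app/provider pair, so a
    provider can recognise a returning user within one app without being able
    to follow that user into other apps."""
    first = identifier_fn("provider-a", "com.example.game", DEVICE_UDID)
    again = identifier_fn("provider-a", "com.example.game", DEVICE_UDID)
    return first == again


if __name__ == "__main__":
    for fn in (raw_identifier, plain_hash_identifier, scoped_identifier):
        print(f"{fn.__name__:24} links {linkable_contexts(fn)} of {len(TRAFFIC)} contexts")
```

With the raw or plainly hashed UDID, all four contexts collapse into one group: the provider can follow the user across both apps, and the sniffer across both providers. With the scoped hash, every context gets its own value while staying stable over time for that context. One caveat the slide does not mention: if the UDID is an IMEI (15 decimal digits) and the provider and package name are public, an observer who knows the context can still brute-force the preimage offline, so the scheme hides identity from a casual sniffer but is not a keyed construction.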
Conclusion
 No privilege separation between app and ad code
 Problem – undocumented permissions
 Greater access to detailed user data
 Private user data on the network
 More persistent user identifiers
 User profile data accumulates over time