What Mobile Ads Know About Mobile Users
Abstract
We analyze the software stack of popular mobile
advertising libraries on Android and investigate how they protect
the users of advertising-supported apps from malicious advertising.
We find that, by and large, Android advertising libraries
properly separate the privileges of the ads from the host app by
confining ads to dedicated browser instances that correctly apply
the same origin policy.
We then demonstrate how malicious ads can infer sensitive
information about users by accessing external storage, which is
essential for media-rich ads in order to cache video and images.
Even though the same origin policy prevents confined ads from
reading other apps’ external-storage files, it does not prevent
them from learning that a file with a particular name exists. We
show how, depending on the app, the mere existence of a file
can reveal sensitive information about the user. For example, if
the user has a pharmacy price-comparison app installed on the
device, the presence of external-storage files with certain names
reveals which drugs the user has looked for.
We conclude with our recommendations for redesigning
mobile advertising software to better protect users from malicious
advertising.