The Confused Deputy: (or why capabilities might have been invented)
ACM SIGOPS Operating Systems Review
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Apex: extending Android permission model and enforcement with user-defined runtime constraints
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
MobiAd: private and scalable mobile advertising
Proceedings of the fifth ACM international workshop on Mobility in the evolving internet architecture
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Privad: practical privacy in online advertising
Proceedings of the 8th USENIX conference on Networked systems design and implementation
Taming information-stealing smartphone applications (on Android)
TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems
SEC'11 Proceedings of the 20th USENIX conference on Security
Practical and lightweight domain isolation on Android
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Proceedings of the 18th ACM conference on Computer and communications security
Privacy and accountability for location-based aggregate statistics
Proceedings of the 18th ACM conference on Computer and communications security
Auctions in do-not-track compliant internet advertising
Proceedings of the 18th ACM conference on Computer and communications security
MockDroid: trading privacy for application functionality on smartphones
Proceedings of the 12th Workshop on Mobile Computing Systems and Applications
RiskRanker: scalable and accurate zero-day android malware detection
Proceedings of the 10th international conference on Mobile systems, applications, and services
AdSplit: separating smartphone advertising from applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
User interface toolkit mechanisms for securing interface elements
Proceedings of the 25th annual ACM symposium on User interface software and technology
Breaking for commercials: characterizing mobile advertising
Proceedings of the 2012 ACM conference on Internet measurement conference
How expensive are free smartphone apps?
ACM SIGMOBILE Mobile Computing and Communications Review
AdDroid: privilege separation for applications and advertisers in Android
Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
Fast, scalable detection of "Piggybacked" mobile applications
Proceedings of the third ACM conference on Data and application security and privacy
Proceedings of the third ACM conference on Data and application security and privacy
Towards an understanding of the impact of advertising on data leaks
International Journal of Security and Networks
CAMEO: a middleware for mobile advertisement delivery
Proceeding of the 11th annual international conference on Mobile systems, applications, and services
SmartAds: bringing contextual ads to mobile apps
Proceeding of the 11th annual international conference on Mobile systems, applications, and services
AdRob: examining the landscape and impact of android application plagiarism
Proceeding of the 11th annual international conference on Mobile systems, applications, and services
Slicing droids: program slicing for smali code
Proceedings of the 28th Annual ACM Symposium on Applied Computing
Understanding mobile app usage patterns using in-app advertisements
PAM'13 Proceedings of the 14th international conference on Passive and Active Measurement
Personal cloudlets for privacy and resource efficiency in mobile in-app advertising
Proceedings of the first international workshop on Mobile cloud computing & networking
Rise of the planet of the apps: a systematic study of the mobile app ecosystem
Proceedings of the 2013 conference on Internet measurement conference
ACM SIGMOBILE Mobile Computing and Communications Review
AppIntent: analyzing sensitive data transmission in android for privacy leakage detection
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Vetting undesirable behaviors in android apps with permission use analysis
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
The impact of vendor customizations on android security
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A case of collusion: a study of the interface between ad libraries and their apps
Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
SEC'13 Proceedings of the 22nd USENIX conference on Security
SEC'13 Proceedings of the 22nd USENIX conference on Security
Can Smartphone Users Turn Off Tracking Service Settings?
Proceedings of International Conference on Advances in Mobile Computing & Multimedia
Information leakage through mobile analytics services
Proceedings of the 15th Workshop on Mobile Computing Systems and Applications
Detecting mobile malware threats to homeland security through static analysis
Journal of Network and Computer Applications
DECAF: detecting and characterizing ad fraud in mobile apps
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
| Hi-index | 0.00 |
In recent years, there has been explosive growth in smartphone sales, which is accompanied with the availability of a huge number of smartphone applications (or simply apps). End users or consumers are attracted by the many interesting features offered by these devices and the associated apps. The developers of these apps are also benefited by the prospect of financial compensation, either by selling their apps directly or by embedding one of the many ad libraries available on smartphone platforms. In this paper, we focus on potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth "ad libraries," for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May, 2011. Among these apps, we identify 100 representative in-app ad libraries (embedded in 52.1% of them) and further develop a system called AdRisk to systematically identify potential risks. In particular, we first decouple the embedded ad libraries from host apps and then apply our system to statically examine the ad libraries, ranging from whether they will upload privacy-sensitive information to remote (ad) servers or whether they will download untrusted code from remote servers. Our results show that most existing ad libraries collect private information: some of them may be used for legitimate targeting purposes (i.e., the user's location) while others are hard to justify by invasively collecting the information such as the user's call logs, phone number, browser bookmarks, or even the list of installed apps on the phone. Moreover, additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.