Ryan Stevens, Clint Gibler, Jonathan Crussell, Jeremy Erickson, Hao Chen
Workshop on Mobile Security Technologies (MoST 2012)
Abstract
Recent years have witnessed incredible growth in the popularity and prevalence of smart phones. A flourishing mobile application market has evolved to provide users with additional functionality such as interacting with social networks, games, and more. Mobile applications may have a direct purchasing cost or be free but ad-supported. Unlike in-browser ads, the privacy implications of ads in Android applications have not been thoroughly explored. We start by comparing the similarities and differences of in-browser ads and in-app ads. We examine the effect on user privacy of thirteen popular Android ad providers by reviewing their use of permissions. Worryingly, several ad libraries checked for permissions beyond the required and optional ones listed in their documentation, including dangerous permissions like CAMERA, WRITE_CALENDAR and WRITE_CONTACTS. Further, we discover the insecure use of Android’s JavaScript extension mechanism in several ad libraries. We identify fields in ad requests for private user information and confirm their presence in network data obtained from a tier-1 network provider. We also show that users can be tracked by a network sniffer across ad providers and by an ad provider across applications. Finally, we discuss several possible solutions to the privacy issues identified above.
Citation
@inproceedings{stevens2012investigating,
title={Investigating User Privacy in Android Ad Libraries},
author={Stevens, Ryan and Gibler, Clint and Crussell, Jon and Erickson, Jeremy and Chen, Hao},
booktitle={Workshop on Mobile Security Technologies (MoST)},
year={2012}
}