Yanjie Zhao,Tianming Liu,Haoyu Wang,Yepang Liu,John Grundy,Li

DOI: https://doi.org/10.1145/3543507.3583534

2023-01-01

Abstract:As smartphones and mobile apps permeate every aspect of people’s lives, children are accessing mobile devices at an increasingly younger age. The inescapable exposure of advertisements in mobile apps to children has grown alarmingly. Mobile advertisements are placed by advertisers and subsequently distributed by ad SDKs, under the rare control of app developers and app markets’ content ratings. Indeed, content that is objectionable and harmful to children’s mental health has been reported to appear in advertising, such as pornography. However, few studies have yet concentrated on automatically and comprehensively identifying such kid-unsuitable mobile advertising. In this paper, we first characterize the regulations for mobile ads relating to children. We then propose our novel automated dynamic analysis framework, named AdRambler, that attempts to collect ad content throughout the lifespan of mobile ads and identify their inappropriateness for child app users. Using AdRambler, we conduct a large-scale (25,000 mobile apps) empirical investigation and reveal the non-incidental presence of inappropriate ads in apps with child-included target audiences. We collected 11,270 ad views and identified 1,289 ad violations (from 775 apps) of child user regulations, with roughly half of the app promotions not in compliance with host apps’ content ratings. Our finding indicates that even certified ad SDKs could still propagate inappropriate advertisements. We further delve into the question of accountability for the presence of inappropriate advertising and provide concrete suggestions for all stakeholders to take action for the benefit of children.

Wu Zhou,Yajin Zhou,Xuxian Jiang,Peng Ning

DOI: https://doi.org/10.1145/2133601.2133640

2012-01-01

Abstract:Recent years have witnessed incredible popularity and adoption of smartphones and mobile devices, which is accompanied by large amount and wide variety of feature-rich smartphone applications. These smartphone applications (or apps), typically organized in different application marketplaces, can be conveniently browsed by mobile users and then simply clicked to install on a variety of mobile devices. In practice, besides the official marketplaces from platform vendors (e.g., Google and Apple), a number of third-party alternative marketplaces have also been created to host thousands of apps (e.g., to meet regional or localization needs). To maintain and foster a hygienic smartphone app ecosystem, there is a need for each third-party marketplace to offer quality apps to mobile users. In this paper, we perform a systematic study on six popular Android-based third-party marketplaces. Among them, we find a common "in-the-wild" practice of repackaging legitimate apps (from the official Android Market) and distributing repackaged ones via third-party marketplaces. To better understand the extent of such practice, we implement an app similarity measurement system called DroidMOSS that applies a fuzzy hashing technique to effectively localize and detect the changes from app-repackaging behavior. The experiments with DroidMOSS show a worrisome fact that 5% to 13% of apps hosted on these studied marketplaces are repackaged. Further manual investigation indicates that these repackaged apps are mainly used to replace existing in-app advertisements or embed new ones to "steal" or re-route ad revenues. We also identify a few cases with planted backdoors or malicious payloads among repackaged apps. The results call for the need of a rigorous vetting process for better regulation of third-party smartphone application marketplaces.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Rui Shao,Vaibhav Rastogi,Yan Chen,Xiang Pan,Guanyu Guo,Shihong Zou,Ryan Riley

DOI: https://doi.org/10.1109/tmc.2018.2809727

2016-01-01

Abstract:Mobile users are increasingly becoming targets of malware infections and scams. In order to curb such attacks it is important to know how these attacks originate. We take a previously unexplored step in this direction. Numerous in-app advertisements work at this interface: when the user taps on the advertisement, she is led to a web page which may further redirect until the user reaches the final destination. Even though the original applications may not be malicious, the Web destinations that the user visits could play an important role in propagating attacks. We develop a systematic static analysis methodology to find ad libraries embed in applications and dynamic analysis methodology consisting of three components related to triggering web links, detecting malware and scam campaigns, and determining the provenance of such campaigns reaching the user. Our static analysis system identified 242 different ad libraries and dynamic analysis system was deployed for a two-month period and analyzed over 600,000 applications while triggering a total of about 1.5 million links in applications to the Web. We gain a general understanding of attacks through the app-web interface and make several interesting findings including a rogue antivirus scam, free iPad scams, and advertisements propagating SMS trojans.

Boyuan He,Haitao Xu,Ling Jin,Guanyu Guo,Yan Chen,Guangyao Weng

DOI: https://doi.org/10.1109/infocom.2018.8486010

2018-01-01

Abstract:In-app advertising has served as the major revenue source for millions of app developers in the mobile Internet ecosystem. Ad networks play an important role in app monetization by providing third-party libraries for developers to choose and embed into their apps. However, developers lack guidelines on how to choose from hundreds of ad networks and various ad features to maximize their revues without hurting the user experience of their apps. Our work aims to uncover the best practice and provide app developers guidelines on ad network selection and ad placement. To this end, we investigate 697 unique APIs from 164 ad networks which are extracted from 277,616 Android apps, develop a methodology of ad type classification based on UI interaction and behavior, and perform a large scale measurement study of in-app ads with static analysis techniques at the API granularity. We found that developers have more choices about ad networks than several years before. Most developers are conservative about ad placement and about 71% apps contain at most one ad library. In addition, the likeliness of an app containing ads depends on the app category to which it belongs. The app categories featuring young audience usually contain the most ad libraries maybe because of the ad-tolerance characteristic of young people. Furthermore, we propose a terminology and classify mobile ads into five ad types: Embedded, Popup, Notification, Offerwall, and Floating. We found that embedded and popup ad types are popular with apps in nearly all categories. Our results also suggest that developers should embed at most 6 ad libraries into an app, which otherwise would anger the app users. Also, a developer should use at most one ad network when her app is still at the initial stage and could start using more (2 or 3) ad networks when the app becomes popular. Our research is the first to reveal the preference of both developers and users for ad networks and ad types.

Ling Jin,Boyuan He,Guangyao Weng,Haitao Xu,Yan Chen,Guanyu Guo

DOI: https://doi.org/10.1109/tmc.2019.2953609

IF: 6.075

2019-01-01

IEEE Transactions on Mobile Computing

Abstract:In-app advertising has served as the major revenue source for millions of app developers in the mobile Internet ecosystem. Ad networks play an important role in app monetization by providing third-party libraries for developers to choose and embed into their apps. Various ad mediations help developers manage all of the ad libraries used in apps to show the best available ad among received ads from different ad network servers. However, developers lack guidelines on how to choose from hundreds of ad networks or ad mediations and various ad features to maximize their revenues without hurting the user experience of their apps. Our work aims to provide app developers guidelines on the selection of ad networks, ad mediations, and ad placement by observing current common practices. To this end, we investigate 838 unique APIs from 207 ad networks which are extracted from 277,616 Android apps, develop a methodology of ad type classification based on UI interaction and behavior, and perform a large scale measurement study of in-app ads with static analysis techniques at the API granularity. We found that developers have more choices about ad networks than several years before. Most developers are conservative about ad placement and about 77 percent of the apps contain at most one ad library. Besides, the likeliness of an app containing ads depends on the app category to which it belongs. Furthermore, we propose a terminology and classify mobile ads into five ad types: Embedded, Popup, Notification, Offerwall, and Floating. Also, our research shows that it is a better solution for developers to integrate ad libraries with ad mediation feature in their apps because it may avoid bad ratings and improve user experience. And in our findings, more than 95 percent of embedded, popup, notification, and offer ads locate in the zero activity (main activity), the first activity and the second activity of Android apps. More interestingly, developers tend to put high aggressive ads on activities which need deeper user interaction. Our research is the first to reveal the preference of both developers and users for ad networks, ad mediation feature and ad types.

Feng Dong,Haoyu Wang,Yuanchun Li,Yao Guo,Li,Shaodong Zhang,Guoai Xu

2017-01-01

Abstract:Previous studies on mobile ad fraud detection are limited to detecting certain types of ad fraud (e.g., placement fraud and click fraud). Dynamic interactive ad fraud has never been explored by previous work. In this paper, we propose an explorative study of ad fraud in Android apps. We first created a taxonomy of existing mobile ad fraud. Besides static placement fraud, we also created a new category called dynamic interactive fraud and found three new types of them. Then we propose FrauDroid, a new approach to detect ad fraud based on user interface (UI) state transition graph and networking traffic. To achieve accuracy and scalability, we use an optimized exploration strategy to traverse the UI states that contain ad views, and design a set of heuristic rules to identify kinds of ad fraud. Experiment results show that FrauDroid could achieve a precision of 80.9\% and it is capable of detecting all the 7 types of mobile ad fraud. We then apply FrauDroid to more than 80,000 apps from 21 app markets to study the prevalene of ad fraud. We find that 0.29\% of apps that use ad libraries are identified containing frauds, with 23 ad networks suffering from ad fraud. Our finding also suggests that Dynamic interactive fraud is more prevalent than static placement fraud in real world apps.

Jingyu WANG,Mingkun XU,Haoyu WANG,Guo＇ai XU

2019-01-01

Abstract:Mobile Apps frequently request access to sensitive information. Google recommends that developers should publish privacy policy document when uploading an App, with the aim of making the user aware of how the privacy information is used for better protection of users??privacy. Many studies focus on detecting the consistence between App behavior and privacy policy. However, most of them only focus on static analysis and use white-list to identify third-party libraries, which is inaccurate and incomplete. An automated detection tool is proposed to check whether the App privacy document is consistent with the App behavior. First, an improved natural language ap-proach is used to extract the declared sensitive behavior in the privacy policy. Then, both static analysis and dynamic analysis are used to analyze the sensitive behavior of mobile App. Besides, a clustering-based approach is used to identify third-party library used in the App, which is more accurate than the traditional white-list based approach. Finally, the consistence detection is conducted with the statement of privacy policy and the analysis of the privacy permission in code. Based on the experiment of 455 Apps, the tool can accurately extract 94.75% of the privacy information in the privacy policy statement. Experiment results show that for roughly 50% of the Apps, there exists inconsistence between App behavior and privacy policy.

Tianming Liu,Haoyu Wang,Li Li,Xiapu Luo,Feng Dong,Yao Guo,Liu Wang,Tegawende Bissyande,Jacques Klein

DOI: https://doi.org/10.1145/3366423.3380242

2020-01-01

Abstract:Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of threats, e.g., propagating malware and undesirable contents. To understand the practice of these devious ad behaviors, we perform a large-scale study on the app contents harvested through automated app testing. In this work, we first provide a comprehensive categorization of devious ad contents, including five kinds of behaviors belonging to two categories: ad loading content and ad clicking content. Then, we propose MadDroid, a framework for automated detection of devious ad contents. MadDroid leverages an automated app testing framework with a sophisticated ad view exploration strategy for effectively collecting ad-related network traffic and subsequently extracting ad contents. We then integrate dedicated approaches into the framework to identify devious ad contents. We have applied MadDroid to 40,000 Android apps and found that roughly 6% of apps deliver devious ad contents, e.g., distributing malicious apps that cannot be downloaded via traditional app markets. Experiment results indicate that devious ad contents are prevalent, suggesting that our community should invest more effort into the detection and mitigation of devious ads towards building a trustworthy mobile advertising ecosystem.

Kaifa Zhao,Xian Zhan,Le Yu,Shiyao Zhou,Hao Zhou,Xiapu Luo,Haoyu Wang,Yepang Liu

2023-09-09

Abstract:The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the "California Consumer Privacy Act" requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to analyze the legality of TPLs due to three reasons: 1) TPLs are mainly published on public repositoriesinstead of app market (e.g., Google play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of performing dynamic analysis. 3) Since not all the functions of TPLs are related to user privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations or not. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.

Software Engineering,Cryptography and Security

Steven Meyer

DOI: https://doi.org/10.48550/arXiv.1107.1101

2011-07-06

Cryptography and Security

Abstract:Mobile application markets facilitate the distribution of applications and thus help developers advertise their work and customers find useful applications. In addition, the operators of mobile application markets can control the quality and the content of the applications. These markets are growing rapidly with more than 300'000 application in the App Store of Apple and more than 100'000 in the Android Market of Google. This is not only a great opportunity for phone manufacturers to earn money but also for indie developers (single or small teams of developers with small financial support) who can thus have a great distribution channel. Steve Demeter, the Trim game developer for iPhone, became millionaire with a single puzzle game . Obviously, as new markets generate a lot of money, the temptation of misbehavior to steal part of the benefits is big. The first famous case was the one of Molinker who self-rated his applications with 5 stars to pump up his ranking in order to increase its revenue stream. In this report, we will consider the problem of misbehavior in mobile application markets. We will investigate multiple attacks by misbehaving developers, users or network operators that aim at breaking rules for their own benefit, managing to outwit the operators' control on which applications can be installed. We notably suggest novel attacks that may affect mobile markets in the future: in particular, we show that it is possible to get revenue for applications created by someone else, trick a user to download and buy an application and new ways to pump up an application's ranking. We will also discuss possible solutions against spyware applications and cheating developer

Feiyang Tang,Bjarte M. Østvold

DOI: https://doi.org/10.1109/PST58708.2023.10320181

2023-06-20

Abstract:The rise of mobile apps has brought greater convenience and many options for users. However, many apps use analytics services to collect a wide range of user interaction data, with privacy policies often failing to reveal the types of interaction data collected or the extent of the data collection practices. This lack of transparency potentially breaches data protection laws and also undermines user trust. We conducted an analysis of the top 20 analytic libraries for Android apps to identify common practices of interaction data collection and used this information to develop a standardized collection claim template for summarizing an app's data collection practices wrt. user interaction data. We selected the top 100 apps from popular categories on Google Play and used automatic static analysis to extract collection evidence from their data collection implementations. Our analysis found that a significant majority of these apps actively collected interaction data from UI types such as View (89%), Button (76%), and Textfield (63%), highlighting the pervasiveness of user interaction data collection. By comparing the collection evidence to the claims derived from privacy policy analysis, we manually fact-checked the completeness and accuracy of these claims for the top 10 apps. We found that, except for one app, they all failed to declare all types of interaction data they collect and did not specify some of the collection techniques used.

Software Engineering,Cryptography and Security

Saad Sajid Hashmi,Nazar Waheed,Gioacchino Tangari,Muhammad Ikram,Stephen Smith

DOI: https://doi.org/10.48550/arXiv.2106.10035

2021-07-28

Abstract:Contemporary mobile applications (apps) are designed to track, use, and share users' data, often without their consent, which results in potential privacy and transparency issues. To investigate whether mobile apps have always been (non-)transparent regarding how they collect information about users, we perform a longitudinal analysis of the historical versions of 268 Android apps. These apps comprise 5,240 app releases or versions between 2008 and 2016. We detect inconsistencies between apps' behaviors and the stated use of data collection in privacy policies to reveal compliance issues. We utilize machine learning techniques for the classification of the privacy policy text to identify the purported practices that collect and/or share users' personal information, such as phone numbers and email addresses. We then uncover the data leaks of an app through static and dynamic analysis. Over time, our results show a steady increase in the number of apps' data collection practices that are undisclosed in the privacy policies. This behavior is particularly troubling since privacy policy is the primary tool for describing the app's privacy protection practices. We find that newer versions of the apps are likely to be more non-compliant than their preceding versions. The discrepancies between the purported and the actual data practices show that privacy policies are often incoherent with the apps' behaviors, thus defying the 'notice and choice' principle when users install apps.

Cryptography and Security

Xu,Yangyu Hu,Qian Guo,Ren He,Li,Guoai Xu,Zhihui Han,Haoyu Wang

DOI: https://doi.org/10.1109/qrs51102.2020.00072

2020-01-01

Abstract:Mobile advertising has become the most popular monetizing way in the Android app ecosystem. Offerwall, as a new form of mobile ads, has been widely adopted by apps, and a number of ad networks have provided such services. Although new to the ecosystem, offerwall ads have been criticized for being aggressive, and the contents disseminated are prone to security issues. However, to date, our community has not proposed any studies to dissect such issues related to offerwall ads. To this end, we present the first work to fill this gap. Specifically, we first develop a robust approach to identify apps that have embedded with offerwall ads. Then, we apply the tool to 10K apps and experimentally discover 312 offerwall apps. We go one step further to characterize them from several aspects, including security issues. Our observation reveals that offerwall ads could indeed be manipulated by hackers to fulfill malicious purposes.

Yangyu Hu,Haoyu Wang,Li Li,Yao Guo,Guoai Xu,Ren He

DOI: https://doi.org/10.1109/SANER.2019.8668035

2019-01-01

Abstract:Have you ever thought of earning profits from the apps that you are using on your mobile device? It is actually achievable thanks to many so-called money-making apps, which pay app users to complete tasks such as installing another app or clicking an advertisement. To the best of our knowledge, no existing studies have investigated the characteristics of moneymaking apps. To this end, we conduct the first exploratory study to understand the features and implications of money-making apps. We first propose a semi-automated approach aiming to harvest money-making apps from Google Play and alternative app markets. Then we create a taxonomy to classify them into five categories and perform an empirical study from different aspects. Our study reveals several interesting observations: (1) moneymaking apps have become the target of malicious developers, as we found many of them expose mobile users to serious privacy and security risks. Roughly 26% of the studied apps are potentially malicious. (2) these apps have attracted millions of users, however, many users complain that they are cheated by these apps. We also revealed that ranking fraud techniques are widely used in these apps to promote the ranking of apps inside app markets. (3) these apps usually spread inappropriate and malicious contents, while unsuspicious users could get infected. Our study demonstrates the emergency for detecting and regulating this kind of apps and protect mobile users.

Cuiyun Gao,Jichuan Zeng,David Lo,Xin Xia,Irwin King,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2008.12112

2020-08-22

Computers and Society

Abstract:In-app advertising closely relates to app revenue. Reckless ad integration could adversely impact app reliability and user experience, leading to loss of income. It is very challenging to balance the ad revenue and user experience for app developers. In this paper, we present a large-scale analysis on ad-related user feedback. The large user feedback data from App Store and Google Play allow us to summarize ad-related app issues comprehensively and thus provide practical ad integration strategies for developers. We first define common ad issues by manually labeling a statistically representative sample of ad-related feedback, and then build an automatic classifier to categorize ad-related feedback. We study the relations between different ad issues and user ratings to identify the ad issues poorly scored by users. We also explore the fix durations of ad issues across platforms for extracting insights into prioritizing ad issues for ad maintenance. We summarize 15 types of ad issues by manually annotating 903/36,309 ad-related user reviews. From a statistical analysis of 36,309 ad-related reviews, we find that users care most about the number of unique ads and ad display frequency during usage. Besides, users tend to give relatively lower ratings when they report the security and notification related issues. Regarding different platforms, we observe that the distributions of ad issues are significantly different between App Store and Google Play. Moreover, some ad issue types are addressed more quickly by developers than other ad issues. We believe the findings we discovered can benefit app developers towards balancing ad revenue and user experience while ensuring app reliability.

Muhammad Ikram,Mohamed Ali Kaafar

DOI: https://doi.org/10.48550/arXiv.1709.02901

2017-09-12

Abstract:Online advertisers and analytics services (or trackers), are constantly tracking users activities as they access web services either through browsers or a mobile apps. Numerous tools such as browser plugins and specialized mobile apps have been proposed to limit intrusive advertisements and prevent tracking on desktop computing and mobile phones. For desktop computing, browser plugins are heavily studied for their usability and efficiency issues, however, tools that block ads and prevent trackers in mobile platforms, have received the least or no attention. In this paper, we present a first look at 97 Android adblocking apps (or adblockers), extracted from more than 1.5 million apps from Google Play, that promise to block advertisements and analytics services. With our data collection and analysis pipeline of the Android adblockers, we reveal the presences of third-party tracking libraries and sensitive permissions for critical resources on user mobile devices as well as have malware in the source codes. We analyze users' reviews for the in-effectiveness of adblockers in terms of not blocking ads and trackers. We found that a significant fraction of adblockers are not fulfilling their advertised functionality.

Cryptography and Security

Tong Zhu,Yan Meng,Haotian Hu,Xiaokuan Zhang,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1145/3460120.3484546

2021-09-15

Abstract:Although the use of pay-per-click mechanisms stimulates the prosperity of the mobile advertisement network, fraudulent ad clicks result in huge financial losses for advertisers. Extensive studies identify click fraud according to click/traffic patterns based on dynamic analysis. However, in this study, we identify a novel click fraud, named humanoid attack, which can circumvent existing detection schemes by generating fraudulent clicks with similar patterns to normal clicks. We implement the first tool ClickScanner to detect humanoid attacks on Android apps based on static analysis and variational AutoEncoder (VAE) with limited knowledge of fraudulent examples. We define novel features to characterize the patterns of humanoid attacks in the apps' bytecode level. ClickScanner builds a data dependency graph (DDG) based on static analysis to extract these key features and form a feature vector. We then propose a classification model only trained on benign datasets to overcome the limited knowledge of humanoid attacks. We leverage ClickScanner to conduct the first large-scale measurement on app markets (i.e.,120,000 apps from Google Play and Huawei AppGallery) and reveal several unprecedented phenomena. First, even for the top-rated 20,000 apps, ClickScanner still identifies 157 apps as fraudulent, which shows the prevalence of humanoid attacks. Second, it is observed that the ad SDK-based attack (i.e., the fraudulent codes are in the third-party ad SDKs) is now a dominant attack approach. Third, the manner of attack is notably different across apps of various categories and popularities. Finally, we notice there are several existing variants of the humanoid attack. Additionally, our measurements demonstrate the proposed ClickScanner is accurate and time-efficient (i.e., the detection overhead is only 15.35% of those of existing schemes).

Cryptography and Security

Gong Chen,Shouling Ji,John A. Copeland

DOI: https://doi.org/10.1109/ICPADS.2016.0068

2016-01-01

Abstract:To date, app developers are allowed to monetize their apps in two services: in-app advertising and in-app billing. Of these two, in-app billing is not prevalently used by users, whereas in-app advertising is considered an important funding source for developers. However, this service incurs a number of criticisms: (1) users must passively receive all mobile ads while using apps, (2) users get nothing from viewing or clicking ads, (3) ad networks transfer user private information to remote servers in an unencrypted format without user consent, and (4) negative impressions brought from irrelevant ads may harm the advertised brands. To overcome these problems, we propose In-App AdPay, a framework that combines the advantages of "in-app advertising" and "in-app billing" together so that ad networks can overtly ask users' permissions in order to serve more tailored ads, but in return, advertisers will pay targeted users' virtual transactions within the app (e.g., coins in mobile games) via a secure channel. While mobile users can be brought into the monetization loop, it will be technically and legitimately easier for ad networks to study users. We implemented the proof-of-concept framework and conducted a test with 42 volunteers. Based on these studies, we believe that "In-App AdPay" would balance user privacy and user experience without interfering with the existing monetization arrangements. Lastly, we reveal how tracked-by-consent users react in different test scenarios and value the permissions used in ad libraries.

Jice Wang,Yue Xiao,Xueqiang Wang,Yuhong Nan,Luyi Xing,Xiaojing Liao,JinWei Dong,Nicolas Serrano,Haoran Lu,XiaoFeng Wang,Yuqing Zhang

2021-01-01

Abstract:Recent years have witnessed the rise of security risks of libraries integrated in mobile apps, which are reported to steal private user data from the host apps and the app backend servers. Their security implications, however, have never been fully understood. In our research, we brought to light a new attack vector long been ignored yet with serious privacy impacts - malicious libraries strategically target other vendors' SDKs integrated in the same host app to harvest private user data (e.g., Facebook's user profile). Using a methodology that incorporates semantic analysis on an SDK's Terms of Services (ToS, which describes restricted data access and sharing policies) and code analysis on cross-library interactions, we were able to investigate 1.3 million Google Play apps and the ToSes from 40 highly-popular SDKs, leading to the discovery of 42 distinct libraries stealthily harvesting data from 16 popular SDKs, which affect more than 19K apps with a total of 9 billion downloads. Our study further sheds light on the underground ecosystem behind such library-based data harvesting (e.g., monetary incentives for SDK integration), their unique strategies (e.g., hiding data in crash reports and using C2 server to schedule data exfiltration) and significant impacts.