Tong Zhu,Yan Meng,Haotian Hu,Xiaokuan Zhang,Minhui Xue,Haojin Zhu

DOI: https://doi.org/10.1145/3460120.3484546

2021-09-15

Abstract:Although the use of pay-per-click mechanisms stimulates the prosperity of the mobile advertisement network, fraudulent ad clicks result in huge financial losses for advertisers. Extensive studies identify click fraud according to click/traffic patterns based on dynamic analysis. However, in this study, we identify a novel click fraud, named humanoid attack, which can circumvent existing detection schemes by generating fraudulent clicks with similar patterns to normal clicks. We implement the first tool ClickScanner to detect humanoid attacks on Android apps based on static analysis and variational AutoEncoder (VAE) with limited knowledge of fraudulent examples. We define novel features to characterize the patterns of humanoid attacks in the apps' bytecode level. ClickScanner builds a data dependency graph (DDG) based on static analysis to extract these key features and form a feature vector. We then propose a classification model only trained on benign datasets to overcome the limited knowledge of humanoid attacks. We leverage ClickScanner to conduct the first large-scale measurement on app markets (i.e.,120,000 apps from Google Play and Huawei AppGallery) and reveal several unprecedented phenomena. First, even for the top-rated 20,000 apps, ClickScanner still identifies 157 apps as fraudulent, which shows the prevalence of humanoid attacks. Second, it is observed that the ad SDK-based attack (i.e., the fraudulent codes are in the third-party ad SDKs) is now a dominant attack approach. Third, the manner of attack is notably different across apps of various categories and popularities. Finally, we notice there are several existing variants of the humanoid attack. Additionally, our measurements demonstrate the proposed ClickScanner is accurate and time-efficient (i.e., the detection overhead is only 15.35% of those of existing schemes).

Cryptography and Security

Haitao Xu,Daiping Liu,Aaron Koehl,Haining Wang,Angelos Stavrou

DOI: https://doi.org/10.1007/978-3-319-11212-1_24

2014-01-01

Abstract:Click fraud-malicious clicks at the expense of pay-per-click advertisers-is posing a serious threat to the Internet economy. Although click fraud has attracted much attention from the security community, as the direct victims of click fraud, advertisers still lack effective defense to detect click fraud independently. In this paper, we propose a novel approach for advertisers to detect click frauds and evaluate the return on investment (ROI) of their ad campaigns without the helps from ad networks or publishers. Our key idea is to proactively test if visiting clients are full-fledged modern browsers and passively scrutinize user engagement. In particular, we introduce a new functionality test and develop an extensive characterization of user engagement. Our detection can significantly raise the bar for committing click fraud and is transparent to users. Moreover, our approach requires little effort to be deployed at the advertiser side. To validate the effectiveness of our approach, we implement a prototype and deploy it on a large production website; and then we run 10-day ad campaigns for the website on a major ad network. The experimental results show that our proposed defense is effective in identifying both clickbots and human clickers, while incurring negligible overhead at both the server and client sides.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Shishir Nagaraja,Ryan Shah

DOI: https://doi.org/10.48550/arXiv.1903.00733

2019-03-02

Cryptography and Security

Abstract:Advertising is a primary means for revenue generation for millions of websites and smartphone apps (publishers). Naturally, a fraction of publishers abuse the ad-network to systematically defraud advertisers of their money. Defenses have matured to overcome some forms of click fraud but are inadequate against the threat of organic click fraud attacks. Malware detection systems including honeypots fail to stop click fraud apps; ad-network filters are better but measurement studies have reported that a third of the clicks supplied by ad-networks are fake; collaborations between ad-networks and app stores that bad-lists malicious apps works better still, but fails to prevent criminals from writing fraudulent apps which they monetise until they get banned and start over again. This work develops novel inference techniques that can isolate click fraud attacks using their fundamental properties. In the {\em mimicry defence}, we leverage the observation that organic click fraud involves the re-use of legitimate clicks. Thus we can isolate fake-clicks by detecting patterns of click-reuse within ad-network clickstreams with historical behaviour serving as a baseline. Second, in {\em bait-click defence}. we leverage the vantage point of an ad-network to inject a pattern of bait clicks into the user's device, to trigger click fraud-apps that are gated on user-behaviour. Our experiments show that the mimicry defence detects around 81\% of fake-clicks in stealthy (low rate) attacks with a false-positive rate of 110110 per hundred thousand clicks. Bait-click defence enables further improvements in detection rates of 95\% and reduction in false-positive rates of between 0 and 30 clicks per million, a substantial improvement over current approaches.

Feng Dong,Haoyu Wang,Yuanchun Li,Yao Guo,Li,Shaodong Zhang,Guoai Xu

2017-01-01

Abstract:Previous studies on mobile ad fraud detection are limited to detecting certain types of ad fraud (e.g., placement fraud and click fraud). Dynamic interactive ad fraud has never been explored by previous work. In this paper, we propose an explorative study of ad fraud in Android apps. We first created a taxonomy of existing mobile ad fraud. Besides static placement fraud, we also created a new category called dynamic interactive fraud and found three new types of them. Then we propose FrauDroid, a new approach to detect ad fraud based on user interface (UI) state transition graph and networking traffic. To achieve accuracy and scalability, we use an optimized exploration strategy to traverse the UI states that contain ad views, and design a set of heuristic rules to identify kinds of ad fraud. Experiment results show that FrauDroid could achieve a precision of 80.9\% and it is capable of detecting all the 7 types of mobile ad fraud. We then apply FrauDroid to more than 80,000 apps from 21 app markets to study the prevalene of ad fraud. We find that 0.29\% of apps that use ad libraries are identified containing frauds, with 23 ad networks suffering from ad fraud. Our finding also suggests that Dynamic interactive fraud is more prevalent than static placement fraud in real world apps.

Congcong Shi,Rui Song,Xinyu Qi,Yubo Song,Bin Xiao,Sanglu Lu

DOI: https://doi.org/10.1109/icc40277.2020.9149420

2020-01-01

Abstract:Advertising income depends on the amount of clicks by users of websites and mobile applications. However, the emergence of click fraud greatly reduces the real benefits of the advertisement. Most existing researches focus on detecting click fraud by analyzing properties and patterns of click data streams, but attackers can construct data that looks legitimate by replaying former data streams. In this paper, we propose a novel system called ClickGuard to detect click fraud attacks. ClickGuard takes advantage of motion sensor signals from mobile devices, since the pattern of motion signals is completely different under real click events and fraud events. To prevent attackers from bypassing the system by faking the time-domain statistical characteristics of original signals, we introduce the MFCC algorithm in feature extraction phase. MFCC algorithm can extract frequency-domain features of original signals in specific frequency bands which are hardly constructed out of thin air. Classifiers are finally constructed using these features and several machine learning algorithms. Experiments show that ClickGuard can achieve the accuracy of 96.71% in general environment and 84.16% when attackers modify the time-domain statistical characteristics of raw data.

Jianyu Wang,Chunming Wu

DOI: https://doi.org/10.1177/0020294020970213

2020-01-01

Abstract:Given users and products that he/she reviews, can we recognize fake reviews just using the text information, or determine whether a reviewer is a fraud or not? Automatically detecting fake reviews and reviewers is an urgent problem and lots of work attempts for discovering linguistics, behaviors and graph patterns. However, in reality, there are new kinds of fraudsters who can change their behaviors to camouflage as genuine reviewers to avoid detection systems. With the fraudsters become distributed, dynamic, and adversarial, anti-spam tasks face a new challenge. In this paper, we tackle the challenge of adversarial fraudsters in online app review platform and propose a system called DDF (Detect, Defense, and Forecast) to uncover camouflage accounts. Firstly, we select a small set of seed with high-precision based on text and behavior features; Secondly, we build our graph-based detection model for uncovering hidden (distant) users who serve structurally similar to the seed by utilizing Graph Convolutional Network (GCN) algorithm. Thirdly, we evaluate DDF using real-world data set from Tencent APP Store and analyze the potential fraudsters detected by DDF. It is worth mentioning that precision can achieve 0.95+. Finally, we validate the efficiency and scalability of DDF and show that it can be well transferred to other anti-spam tasks.

Jianyu Wang,Rui Wen,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3383756

2020-01-01

Abstract:The online review system provides a platform for consumers to express their opinions and make decisions. However, the spam review has become a widespread problem recently. Existing detection systems are mostly designed for fraudsters who write fake reviews to promote their products or mislead consumers in E-commerce (e.g., Amazon, Yelp, Alibaba). In this paper, we focus on spams in the large-scale online app review platform. Through an in-depth analysis of 5 million reviews from the Tencent App store, we find almost half of the reviews are spams. Even worse, most of the reviews are deliberately designed by fraud reviewers for misleading classifiers. Specially, we conclude three popular patterns of generating adversarial spams by attackers. Considering the characteristics of spam reviews are adversarial, irregular, and distributed. Human labeling is costly. We build our detection system by utilizing a collective method to spot suspicious users and reviews. First, we trained our two models based on the Behavior-Based Module (BBM) and Content-Based Module (CBM) individually. Then, they are co-trained by getting the feedback from each other. Experiment results show that our method outperforms the state-of-the-art baselines in identifying adversarial examples. Besides, the scalability and effectiveness of our approach have also been demonstrated by deploying it on Tencent Beacon Anti-Fraud System.

Rui Shao,Vaibhav Rastogi,Yan Chen,Xiang Pan,Guanyu Guo,Shihong Zou,Ryan Riley

DOI: https://doi.org/10.1109/tmc.2018.2809727

2016-01-01

Abstract:Mobile users are increasingly becoming targets of malware infections and scams. In order to curb such attacks it is important to know how these attacks originate. We take a previously unexplored step in this direction. Numerous in-app advertisements work at this interface: when the user taps on the advertisement, she is led to a web page which may further redirect until the user reaches the final destination. Even though the original applications may not be malicious, the Web destinations that the user visits could play an important role in propagating attacks. We develop a systematic static analysis methodology to find ad libraries embed in applications and dynamic analysis methodology consisting of three components related to triggering web links, detecting malware and scam campaigns, and determining the provenance of such campaigns reaching the user. Our static analysis system identified 242 different ad libraries and dynamic analysis system was deployed for a two-month period and analyzed over 600,000 applications while triggering a total of about 1.5 million links in applications to the Web. We gain a general understanding of attacks through the app-web interface and make several interesting findings including a rogue antivirus scam, free iPad scams, and advertisements propagating SMS trojans.

Yushi Cheng,Xiaoyu Ji,Wenyuan Xu,Hao Pan,Zhuangdi Zhu,Chuang-Wen You,Yi-Chao Chen,Lili Qiu

DOI: https://doi.org/10.1145/3321705.3329817

2019-01-01

Abstract:Mobile devices have emerged as the most popular platforms to access information. However, they have also become a major concern of privacy violation and previous researches have demonstrated various approaches to infer user privacy based on mobile devices. In this paper, we study a new side channel of a laptop that could be harvested by a commercial-off-the-shelf (COTS) mobile device, eg, a smartphone. We propose MagAttack, which exploits the electromagnetic (EM) side channel of a laptop to infer user activities, i.e., application launching and application operation. The key insight of MagAttack is that applications are discrepant in essence due to the different compositions of instructions, which can be reflected on the CPU power consumption, and thus the corresponding EM emissions. MagAttack is challenging since that EM signals are noisy due to the dynamics of applications and the limited sampling rate of the built-in magnetometers in COTS mobile devices. We overcome these challenges and convert noisy coarse-grained EM signals to robust fine-grained features. We implement MagAttack on both an iOS and an Android smartphone without any hardware modification, and evaluate its performance with 13 popular applications and 50 top websites in China. The results demonstrate that MagAttack can recognize aforementioned 13 applications with an average accuracy of 98.6%, and figure out the visiting operation among 50 websites with an average accuracy of 84.7%.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Malak Aljabri,Rami Mustafa A. Mohammad

DOI: https://doi.org/10.1016/j.eij.2023.05.006

IF: 4.195

2023-05-17

Egyptian Informatics Journal

Abstract:Advertising corporations have moved their focus to online and in-App advertisements in response to the expansion of digital technologies and social media. Online advertising represents the primary revenue source for advertising networks that serve as the middlemen between advertisers and advertisement publishers. The advertising networks pay the publisher of the advertisement based on the number of clicks through to advertisers, following the pay-per-click (PPC) payment scheme. However, there is a growing security issue with this payment approach known as Click Fraud. Click fraud is the illegal process of clicking on pay-per-click advertisements to increase publishers' revenue or deplete advertisers' budgets. Artificial intelligence techniques have been increasingly employed to solve complicated challenges in different research areas, including cybersecurity, to achieve unexpected outcomes. In this paper, several Machine Learning models were constructed to establish whether the user is a human or a bot and conducted a comparative performance analysis using a set of evaluation metrics. We used a real captured dataset detailing Internet users' behavior while navigating websites. We extracted a set of features related to users' behaviors, including the number of webpages viewed during the browsing session, the duration of the browsing journey, and the actions performed. The empirical results revealed that all the considered models obtained good results, where the random forest algorithm surpassed all other algorithms in all evaluation metrics.

computer science, information systems, artificial intelligence

Yitian (Sky) Liang,Xinlei (Jack) Chen,Yuxin Chen,Ping Xiao,Jinglong Zhang

DOI: https://doi.org/10.1016/j.ijresmar.2023.09.003

IF: 8.047

2024-01-01

International Journal of Research in Marketing

Abstract:Ad fraud has serious consequences for brands. It also contaminates academic research if scholars neglect a significant level of ad fraud in their data. However, only limited theoretical work has addressed this topic, and empirical research is scarce. In this article, we take a first step to document empirical patterns of mobile ad fraud using two datasets. The datasets are commonly available to buyers of advertising services, and the types of ad fraud studied are significant in the advertising market. We identify some app and campaign characteristics correlated with ad fraud, and uncover methods used by fraudsters to conceal the fraud. They often make the ad fraud proportional to the daily traffic but lowering the ratio of ad fraud on high-traffic days. However, when traffic is unstable, they change strategy to use ad fraud to smooth out the traffic. Meanwhile, in advertising campaigns, the fraudsters allocate most part of fraud during the middle of campaign period, an attempt to reduce the risk of being detected. These findings not only help practitioners and academic researchers determine the extent of ad fraud in the data but also provide stylized facts for future research on theoretical modeling of ad fraud.

Tian Tian,Jun Zhu,Fen Xia,Xin Zhuang,Tong Zhang

DOI: https://doi.org/10.1145/2736277.2741136

2015-01-01

Abstract:The rise of crowdsourcing brings new types of malpractices in Internet advertising. One can easily hire web workers through malicious crowdsourcing platforms to attack other advertisers. Such human generated crowd frauds are hard to detect by conventional fraud detection methods. In this paper, we carefully examine the characteristics of the group behaviors of crowd fraud and identify three persistent patterns, which are moderateness, synchronicity and dispersivity. Then we propose an effective crowd fraud detection method for search engine advertising based on these patterns, which consists of a constructing stage, a clustering stage and a filtering stage. At the constructing stage, we remove irrelevant data and reorganize the click logs into a surfer-advertiser inverted list; At the clustering stage, we define the sync-similarity between surfers' click histories and transform the coalition detection to a clustering problem, solved by a nonparametric algorithm; and finally we build a dispersity filter to remove false alarm clusters. The nonparametric nature of our method ensures that we can find an unbounded number of coalitions with nearly no human interaction. We also provide a parallel solution to make the method scalable to Web data and conduct extensive experiments. The empirical results demonstrate that our method is accurate and scalable.

Hamed Haddadi

DOI: https://doi.org/10.48550/arXiv.1002.2353

2010-02-11

Abstract:Online advertising is currently the greatest source of revenue for many Internet giants. The increased number of specialized websites and modern profiling techniques, have all contributed to an explosion of the income of ad brokers from online advertising. The single biggest threat to this growth, is however, click-fraud. Trained botnets and even individuals are hired by click-fraud specialists in order to maximize the revenue of certain users from the ads they publish on their websites, or to launch an attack between competing businesses. In this note we wish to raise the awareness of the networking research community on potential research areas within this emerging field. As an example strategy, we present Bluff ads; a class of ads that join forces in order to increase the effort level for click-fraud spammers. Bluff ads are either targeted ads, with irrelevant display text, or highly relevant display text, with irrelevant targeting information. They act as a litmus test for the legitimacy of the individual clicking on the ads. Together with standard threshold-based methods, fake ads help to decrease click-fraud levels.

Cryptography and Security

Wei Liu,Yueqian Zhang,Zhou Li,Hai-Xin Duan

DOI: https://doi.org/10.1145/2994459.2994472

2016-01-01

Abstract:We studied a new type of fraudulent activities, usage fraud, on Android platform in this paper. Different from previous fraud on mobile platforms targeting advertisers or mobile users, usage fraud was invented to boost usage statistics on third-party analytics platforms like Google Analytics to cheat investors. To understand the business model and infrastructures employed by the fraudsters, we infiltrated two underground services, Laicaimao and Anzhibao. A number of insights have been gained during this course, including the use of emulators and manipulation of user identifiers. In addition, we evaluated the efficacy of the existing fraud services and the defense status quo on 8 popular analytics platforms. Our result indicates that the fraud services are indeed capable of crafting valid usage numbers and the basic checks are missed by analytics platforms. We give several recommendations in the end and call for the contribution from the community to fight against this new type of fraud.

Qiuyun Lyu,Hao Li,Renjie Zhou,Jilin Zhang,Nailiang Zhao,Yan Liu

DOI: https://doi.org/10.1155/2022/3043489

IF: 1.968

2022-04-29

Security and Communication Networks

Abstract:Online advertising, which depends on consumers’ click, creates revenue for media sites, publishers, and advertisers. However, click fraud by criminals, i.e., the ad is clicked either by malicious machines or hiring people, threatens this advertising system. To solve the problem, many schemes are proposed which are mainly based on machine learning or statistical analysis. Although these schemes mitigate the problem of click fraud, several problems still exist. For example, some fraudulent clicks are still in the wild since their schemes only discover the fraudulent clicks with a probability approaching but not 100%. Also, the process of detecting a click fraud is executed by a single publisher, which makes a chance for the publisher to obtain illegal income by deceiving advertisers and media sites. Besides, the identity privacy of consumers is also exposed because the schemes deal with the plain text of consumers’ real identity. Therefore, in this paper, a blockchain-based click fraud detection and prevention scheme (BCFDPS) for online advertising is proposed to deal with the above problems. Specifically, the BCFDPS mainly introduces bilinear pairing to implicitly verify whether a consumer’s real digital identity is contained in a click message to significantly avoid click fraud and employs a consortium blockchain to ensure the transparency of the detection and prevention process. In our scheme, the clicks by machines or fraud ones by a human can be accurately detected and prevented by media sites, publishers, and advertisers. Furthermore, ciphertext-policy attribute-based encryption is adopted to protect the identity privacy of consumers. The implementation and evaluation results show that compared with the existing click fraud detection and prevention schemes based on machine learning and statistical analysis, BCFDPS achieves detection of each fraudulent click with a probability of 100% and consumes lower computation cost; furthermore, BCFDPS adds functions of consumers’ privacy protection and click fraud detection and prevention, compared to the existing blockchain-based online advertising scheme, by introducing limited communication cost ( 4,984 bytes) at lower storage cost.

computer science, information systems,telecommunications

Tianming Liu,Haoyu Wang,Li Li,Xiapu Luo,Feng Dong,Yao Guo,Liu Wang,Tegawende Bissyande,Jacques Klein

DOI: https://doi.org/10.1145/3366423.3380242

2020-01-01

Abstract:Advertisement drives the economy of the mobile app ecosystem. As a key component in the mobile ad business model, mobile ad content has been overlooked by the research community, which poses a number of threats, e.g., propagating malware and undesirable contents. To understand the practice of these devious ad behaviors, we perform a large-scale study on the app contents harvested through automated app testing. In this work, we first provide a comprehensive categorization of devious ad contents, including five kinds of behaviors belonging to two categories: ad loading content and ad clicking content. Then, we propose MadDroid, a framework for automated detection of devious ad contents. MadDroid leverages an automated app testing framework with a sophisticated ad view exploration strategy for effectively collecting ad-related network traffic and subsequently extracting ad contents. We then integrate dedicated approaches into the framework to identify devious ad contents. We have applied MadDroid to 40,000 Android apps and found that roughly 6% of apps deliver devious ad contents, e.g., distributing malicious apps that cannot be downloaded via traditional app markets. Experiment results indicate that devious ad contents are prevalent, suggesting that our community should invest more effort into the detection and mitigation of devious ads towards building a trustworthy mobile advertising ecosystem.

Weibin Li,Qiwei Zhong,Qingyang Zhao,Hongchun Zhang,Xiaonan Meng

DOI: https://doi.org/10.48550/arXiv.2105.03567

IF: 5.414

2021-05-08

Machine Learning

Abstract:Advertising click fraud detection plays one of the vital roles in current E-commerce websites as advertising is an essential component of its business model. It aims at, given a set of corresponding features, e.g., demographic information of users and statistical features of clicks, predicting whether a click is fraudulent or not in the community. Recent efforts attempted to incorporate attributed behavior sequence and heterogeneous network for extracting complex features of users and achieved significant effects on click fraud detection. In this paper, we propose a Multimodal and Contrastive learning network for Click Fraud detection (MCCF). Specifically, motivated by the observations on differences of demographic information, behavior sequences and media relationship between fraudsters and genuine users on E-commerce platform, MCCF jointly utilizes wide and deep features, behavior sequence and heterogeneous network to distill click representations. Moreover, these three modules are integrated by contrastive learning and collaboratively contribute to the final predictions. With the real-world datasets containing 2.54 million clicks on Alibaba platform, we investigate the effectiveness of MCCF. The experimental results show that the proposed approach is able to improve AUC by 7.2% and F1-score by 15.6%, compared with the state-of-the-art methods.

Miguel A. Bermejo-Agueda,Patricia Callejo,Rubén Cuevas,Ángel Cuevas

2024-09-12

Abstract:This paper introduces adF, a novel system for analyzing the vulnerability of different devices, Operating Systems (OSes), and browsers to web fingerprinting. adF performs its measurements from code inserted in ads. We have used our system in several ad campaigns that delivered 5.40 million ad impressions. The collected data allow us to assess the vulnerability of current desktop and mobile devices to web fingerprinting. Based on our results, we estimate that 66% of desktop devices and 40% of mobile devices can be uniquely fingerprinted with our web fingerprinting system. However, the resilience to web fingerprinting varies significantly across browsers and device types, with Chrome on desktops being the most vulnerable configuration. To counter web fingerprinting, we propose ShieldF, a simple solution which blocks the reporting by browsers of those attributes that we found in the analysis of our dataset that present the most significant discrimination power. Our experiments reveal that ShieldF outperforms all anti-fingerprinting solutions proposed by major browsers (Chrome, Safari and Firefox) offering an increase in the resilience offered to web fingerprinting up to 62% for some device configurations. ShieldF is available as an add-on for any chromium-based browser. Moreover, it is readily adoptable by browser and mobile app developers. Its widespread use would lead to a significant improvement in the protection offered by browsers and mobile apps to web fingerprinting.

Cryptography and Security,Computers and Society