operando and patching privacy leaks in android
FOSSCOMM 2016
Constantinos Patsakis, April 17, 2016, University of Piraeus


"disclaimer"

These slides are meant to initiate a discussion. Feel free to interrupt, ask, etc. We need to exchange ideas. So please interact!

what is operando?

OPERANDO (http://www.operando.eu) is an EU-funded project from the 2014 DS Horizon 2020 call.

what is it about?

The OPERANDO project will integrate and extend the state of the art to create a platform that will be used by independent Privacy Service Providers (PSPs) to provide comprehensive user privacy enforcement in the form of a dedicated online service, called "Privacy Authority". The OPERANDO platform will support flexible and viable business models, including targeting of individual market segments such as public administration, social networks and Internet of Things.

who's in?


a little bit about ads.


the "freemium" model

The "freemium" model is the dominant business model on the Internet. Users get the basic functionality for free, while other services and products can be purchased later. Since the service is free, users can access it easily and without monetary risk. Building upon the success and trust that these free services provide, a user can then appreciate the extended features that can be purchased.

the "freemium" model

While "premium" services are one of the income sources, the other main source is advertising. Most of the companies operating under the "freemium" model monetize their wide user pool by displaying targeted advertisements or by supplying data to advertising companies.

however...

"If you're not paying for the product, you are the product."

they are evolving...


...and evolving...

Does she know she's an ad?


...and evolving...

Recently, more advanced ad libraries manage to link devices by playing inaudible sounds from one device and collecting them from the microphone of mobile devices that use applications where such an ad library has been embedded; see Silverpush (https://www.silverpush.co/).

mobile ad frameworks.

ad delivery


forgot to mention...

It has to be noted that the current model of advertisements works over HTTP. The use of HTTP facilitates ad servers, as they can cache their content and compress it, significantly increasing their throughput.

the network provider injects malicious ads

the internet provider injects malicious ads

the ad server injects malicious ads

the advertiser injects malicious ads

how bad is ad injection?

5.5% of the traffic of unique IPs studied by Google was injected with ads [9].

the advertiser injects malicious ads

Taking ad injection to another level, we recently witnessed that specific models of a big manufacturer were sold with the notorious adware Superfish pre-installed¹. In fact, Superfish is backed by a business which carries its name and which is doing so well that it was ranked 4th among the fastest-growing private companies in America, with revenue of $35.2m in 2013².

¹ http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
² http://www.inc.com/inc5000/list/2014/

how secure are they?

Experimenting with ad libraries, Stevens et al. [8] found that some ad libraries would try to make use of undocumented permissions, such as read/write access to the calendar or access to location and camera. Grace et al. [5] found that many applications would use HTTP to download code and execute it on the client's device. While insecure, this method is often seen in Android applications [7].

about android.

installing an app

Source: [11]


permissions

The continuous increase in app requests for permissions that are sensitive or unrelated to the application's functionality has led users to ignore Android warnings [3].

permissions

The access level to a resource is granted per application and not per component. Theoretically, this does not raise any important issue, since all the components are handled by the same entity, the developer who created the app. (Really?)

permissions

In Marshmallow, the user has more control of his apps, as he can selectively or permanently revoke a permission after the installation, when the app tries to make use of a granted permission. Nevertheless, the user cannot determine for which component of the app he is granting access.

permissions

Grace et al. [4] observed that approximately half of the ad libraries would probe the apps that contain them to determine whether they have more privileges and abuse them to derive sensitive user information.

permissions

So shifting to HTTPS does not solve the problem. Moreover, HTTPS implementations in mobile devices have reportedly proven to be erroneous [2, 1, 6].

what can we do?

we got to take the power back

Solutions:

• Root
• Proxies
• Fight the apps

introducing andropatchapp

AndroPatchApp intervenes before the installation of the app, modifying the application to be installed by injecting smali libraries. The user first uploads the apk file that he wants to patch to AndroPatchApp. AndroPatchApp decompiles it using ApkTool [10], which returns the smali code of the app. Since all ad libraries display the ads through a webview, AndroPatch finds the webviews that belong to them and injects some code.

introducing andropatchapp

Main features:

• Hide user's geolocation
• Obfuscate available resources
• Disable JavaScript
• Remove content of an ad
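The slides describe locating the webviews that belong to ad libraries in the smali that ApkTool returns. As an added illustration (not AndroPatchApp's own code), this Python sketch scans a decompiled smali tree for WebSettings toggles inside ad-library packages and reports the boolean passed to each. The package prefixes, the sample smali fragment and the straight-line register tracking are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Assumed smali package prefixes (the slides name the libraries, not packages).
AD_PREFIXES = {"com/flurry/": "Flurry", "com/inmobi/": "InMobi", "com/mopub/": "MoPub"}
TOGGLES = ("setJavaScriptEnabled", "setGeolocationEnabled")  # features on the slides
INVOKE = re.compile(r"invoke-virtual \{(\w+), (\w+)\}, "
                    r"Landroid/webkit/WebSettings;->(\w+)\(Z\)V")
CONST = re.compile(r"const/4 (\w+), (0x[01])$")

def scan_smali(root):
    """Find WebSettings toggles in ad-library classes of an apktool smali tree."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.smali")):
        rel = path.relative_to(root).as_posix()
        lib = next((n for p, n in AD_PREFIXES.items() if rel.startswith(p)), None)
        if lib is None:
            continue  # the app's own code is left alone
        regs = {}  # register -> last boolean literal; untracked registers give None
        for no, line in enumerate(path.read_text().splitlines(), 1):
            line = line.strip()
            if line.startswith(".method"):
                regs = {}  # registers are per method
            elif (m := CONST.match(line)):
                regs[m.group(1)] = m.group(2) == "0x1"
            elif (m := INVOKE.match(line)) and m.group(3) in TOGGLES:
                findings.append((lib, rel, no, m.group(3), regs.get(m.group(2))))
    return findings

# Constructed smali fragment standing in for apktool output (not from a real app).
SAMPLE = """.method public init(Landroid/webkit/WebView;)V
    invoke-virtual {p1}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v0
    const/4 v1, 0x1
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setGeolocationEnabled(Z)V
    return-void
.end method
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for cls in ("com/inmobi/AdView.smali", "com/example/app/Main.smali"):
            Path(tmp, cls).parent.mkdir(parents=True)
            Path(tmp, cls).write_text(SAMPLE)
        return scan_smali(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each finding gives the file and line where a patcher would have to force the argument to false; the identical code under `com/example/app/` is not reported because it belongs to the app, not to an ad library.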


how does it work?


which ad libraries does it block?

• AdMob
• Flurry
• InMobi
• TapJoy
• MobClix
• ChartBoost
• AdWhirl
• MoPub
• GreyStripe

in numbers

[Figure: bar chart. Series: Apps, Installs. Axis: Percentage. Ad libraries shown: Admob, Chartboost, AdColony, MoPub, Unity Ads, InMobi, Millennial Media, Tapjoy, AppsFlyer, Vungle.]

in action


in action


EOF

Questions?

[email protected]

Webpage: www.cs.unipi.gr/kpatsak

references

[1] Mauro Conti, Nicola Dragoni, and Sebastiano Gottardo. Mithys: Mind the hand you shake - protecting mobile devices from SSL usage vulnerabilities. In Security and Trust Management, pages 65-81. Springer, 2013.

[2] Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 50-61. ACM, 2012.

[3] Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. Android permissions: User attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security, page 3. ACM, 2012.

[4] Michael C. Grace, Wu Zhou, Xuxian Jiang, and Ahmad-Reza Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC '12, pages 101-112. ACM, 2012.

[5] Michael C. Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. Systematic detection of capability leaks in stock Android smartphones. In NDSS, 2012.

[6] John Hubbard, Ken Weimer, and Yu Chen. A study of SSL proxy attacks on Android and iOS mobile applications. In Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pages 86-91. IEEE, 2014.

[7] Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, and Giovanni Vigna. Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014. The Internet Society, 2014.

[8] Ryan Stevens, Clint Gibler, Jon Crussell, Jeremy Erickson, and Hao Chen. Investigating user privacy in Android ad libraries. In Proceedings of the 2012 Workshop on Mobile Security Technologies (MoST), 2012.

[9] Kurt Thomas, Elie Bursztein, Chris Grier, Grant Ho, Nav Jagpal, Alexandros Kapravelos, Damon McCoy, Antonio Nappa, Vern Paxson, Paul Pearce, et al. Ad injection at scale: Assessing deceptive advertisement modifications. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 151-167. IEEE, 2015.

[10] R. Winsniewski. Android-apktool: A tool for reverse engineering Android apk files, 2012.

[11] Yury Zhauniarovich. Android security (and not) internals.