AndroPatchApp: Taming Rogue Ads in Android

  • Vasilis Tsiakos
  • Constantinos Patsakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10026)

Abstract

Mobile applications have drastically changed the way that we use our mobile devices. The different sensors that are embedded allow novel user interaction and make the devices context-aware. However, the operating system of most mobile devices allows only limited user configuration: to make the devices more secure, the user is not given full access. Despite this measure, the overall security and privacy of users cannot be considered adequate. While there are many tools for “rooted” devices, the choices for “out of the stock” devices are fewer and, more importantly, less effective.

To address these shortcomings, AndroPatchApp takes a different approach. Instead of installing monitoring and detection apps in the operating system, AndroPatchApp embeds some security and privacy controls before installation, by generating a “sanitized” version of the app.

Keywords

Android, Mobile ads, Privacy

Notes

Acknowledgments

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704).

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Department of Informatics, University of Piraeus, Piraeus, Greece
