
Study: Ads Included in Mobile Apps Create Privacy, Security Risks

Researchers from North Carolina State University have found that advertisements included in mobile applications (apps) introduce privacy and security risks. In a recent study of 100,000 apps in the official Google Play market, the researchers noted that more than half contained so-called ad libraries. And 297 of the apps included an aggressive ad library that was able to download and run code from remote servers, which raises significant privacy and security concerns.

“Running code downloaded from the Internet is problematic because the code could be anything,” says Dr. Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the work. “For example, it could potentially launch a ‘root exploit’ attack to take control of your phone – as demonstrated in a recently discovered piece of Android malware called RootSmart.”

In Google Play (formerly known as the Android Market) and other markets, many developers offer free apps. To generate revenue, these app developers incorporate “in-app ad libraries,” which are provided by Google, Apple or other third parties. These ad libraries retrieve advertisements from remote servers and run the ads on a user’s smartphone periodically. Every time an ad runs, the app developer receives a payment.

This poses potential problems because the ad libraries receive the same permissions that the user granted to the app itself when it was installed – regardless of whether the user was aware he or she was granting permissions to the ad library.

Jiang’s team looked at a sample of 100,000 apps available on Google Play between March and May 2011 and examined the 100 representative ad libraries used by those apps. One significant find was that 297 of the apps (1 out of every 337 apps) used ad libraries “that made use of an unsafe mechanism to fetch and run code from the Internet – a behavior that is not necessary for their mission, yet has troubling privacy and security implications,” Jiang says. But that is only the most extreme example.

Jiang’s team found that 48,139 of the apps (1 in 2.1) had ad libraries that could track the user’s location via GPS, presumably to allow the ad library to better target ads to the user. But 4,190 of the apps (1 in 23.4) used ad libraries that also allowed the advertisers themselves to access the user’s location via GPS. Other information accessed by some ad libraries included the user’s call logs, the user’s phone number and a list of all the apps the user has stored on his or her phone.

These ad libraries pose a security risk because they give third parties, including hackers, a way to bypass existing Android security efforts. Specifically, the app itself may be harmless, so it will not trigger any security concerns. But the app’s ad library may download harmful or invasive code after installation.

“To limit exposure to these risks, we need to isolate ad libraries from apps and ensure that they do not have the same permissions,” Jiang says. “The current model of directly embedding ad libraries in mobile apps is convenient for app developers, but it also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective advertising mechanisms.”

The paper, “Unsafe Exposure Analysis of Mobile In-App Advertisements,” was co-authored by Jiang; NC State Ph.D. students Michael Grace and Wu Zhou; and Dr. Ahmad-Reza Sadeghi of Technische Universität Darmstadt. The paper will be presented April 17 at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson. The research was supported by the National Science Foundation.

- shipman -

Note to Editors: The study abstract follows.

“Unsafe Exposure Analysis of Mobile In-App Advertisements”

Authors: Michael Grace, Wu Zhou and Xuxian Jiang, North Carolina State University; Ahmad-Reza Sadeghi, Technische Universität Darmstadt

Presented: April 17, 2012, at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson

Abstract: In recent years, there has been explosive growth in smartphone sales, which is accompanied with the availability of a huge number of smartphone applications (or simply apps). End users or consumers are attracted by the many interesting features offered by these devices and the associated apps. The developers of these apps are also benefited by the prospect of financial compensation, either by selling their apps directly or by embedding one of the many ad libraries available on smartphone platforms. In this paper, we focus on potential privacy and security risks posed by these embedded or in-app advertisement libraries (henceforth “ad libraries,” for brevity). To this end, we study the popular Android platform and collect 100,000 apps from the official Android Market in March-May, 2011. Among these apps, we identify 100 representative in-app ad libraries (embedded in 52.1% of them) and further develop a system called AdRisk to systematically identify potential risks. In particular, we first decouple the embedded ad libraries from host apps and then apply our system to statically examine the ad libraries, ranging from whether they will upload privacy sensitive information to remote (ad) servers or whether they will download untrusted code from remote servers. Our results show that most existing ad libraries collect private information: some of them may be used for legitimate targeting purposes (i.e., the user’s location) while others are hard to justify by invasively collecting the information such as the user’s call logs, phone number, browser bookmarks, or even the list of installed apps on the phone. Moreover, additional ones go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks. Our investigation indicates the symbiotic relationship between embedded ad libraries and host apps is one main reason behind these exposed risks. These results clearly show the need for better regulating the way ad libraries are integrated in Android apps.
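The following is an added example, not the authors’ AdRisk tool, written to make concrete two points the article and abstract make: that the analysis first decouples ad-library classes from the host app’s own code and then statically inspects only the library for sensitive API use and for loading code from outside the APK, and that an ad library can only exercise a capability when the host app was granted the matching permission, because it inherits the app’s grants. The input is a constructed table of class name to invoked API calls, of the kind recovered from a disassembled APK in Dalvik descriptor syntax; the ad-library package prefixes, the weather app and its call table are hypothetical, while the Android API descriptors are real.

```python
"""Static triage of in-app ad libraries, in the spirit of AdRisk.

Added example, not the paper's AdRisk system. Input is a constructed
table of class name -> API calls (Dalvik descriptor syntax). The
ad-library package prefixes are hypothetical; the API signatures are real.
"""
from collections import defaultdict

# Hypothetical ad-library package prefixes (a real tool keeps a curated list).
AD_LIBRARY_PREFIXES = {
    "Lcom/example/adsdk/": "ExampleAds",
    "Lnet/sample/banner/": "SampleBanner",
}

# Android API signatures mapped to the risk category they indicate.
RISK_SIGNATURES = {
    "Landroid/location/LocationManager;->getLastKnownLocation": "LOCATION",
    "Landroid/location/LocationManager;->requestLocationUpdates": "LOCATION",
    "Landroid/telephony/TelephonyManager;->getLine1Number": "PHONE_NUMBER",
    "Landroid/content/pm/PackageManager;->getInstalledPackages": "INSTALLED_APPS",
    "Landroid/content/pm/PackageManager;->getInstalledApplications": "INSTALLED_APPS",
    "Ldalvik/system/DexClassLoader;-><init>": "DYNAMIC_CODE",
    "Ljava/lang/reflect/Method;->invoke": "REFLECTION",
}
CALL_LOG_URI_PREFIX = "content://call_log"

# Risks gated by a dangerous permission. The library can only exercise them
# when the *host app* holds one, because it inherits the app's grants.
REQUIRED_PERMISSIONS = {
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "PHONE_NUMBER": {"READ_PHONE_STATE"},
    # READ_CALL_LOG exists from API 16; older releases gated the call log
    # behind READ_CONTACTS.
    "CALL_LOG": {"READ_CALL_LOG", "READ_CONTACTS"},
}


def library_for(class_name):
    """Return the ad library owning class_name, or None for host-app code."""
    for prefix, name in AD_LIBRARY_PREFIXES.items():
        if class_name.startswith(prefix):
            return name
    return None


def decouple(calls_by_class):
    """Split {class: [calls]} into host classes and per-library class tables."""
    host, libs = {}, defaultdict(dict)
    for cls, calls in calls_by_class.items():
        lib = library_for(cls)
        (libs[lib] if lib else host)[cls] = calls
    return host, dict(libs)


def risks_in(calls_by_class):
    """Collect the risk labels raised by any call in the given classes."""
    found = set()
    for calls in calls_by_class.values():
        for call in calls:
            for sig, label in RISK_SIGNATURES.items():
                if call.startswith(sig):
                    found.add(label)
            if call.startswith(CALL_LOG_URI_PREFIX):
                found.add("CALL_LOG")
    return found


def triage(calls_by_class, granted_permissions):
    """Per ad library: the risks it codes for, the subset it can exercise with
    the host's granted permissions, and whether it loads code from outside the APK."""
    _, libs = decouple(calls_by_class)
    report = {}
    for lib, classes in libs.items():
        risks = risks_in(classes)
        exercisable = {
            r for r in risks
            if not REQUIRED_PERMISSIONS.get(r) or REQUIRED_PERMISSIONS[r] & granted_permissions
        }
        report[lib] = {
            "risks": sorted(risks),
            "exercisable": sorted(exercisable),
            "unsafe_code_loading": "DYNAMIC_CODE" in risks,
        }
    return report


# Constructed sample: a weather app bundling two hypothetical ad libraries.
SAMPLE_CALLS = {
    "Lcom/acme/weather/MainActivity;": [
        "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;",
    ],
    "Lcom/example/adsdk/AdView;": [
        "Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;",
        "Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;",
        "content://call_log/calls",
    ],
    "Lcom/example/adsdk/Loader;": [
        "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
        "Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;",
    ],
    "Lnet/sample/banner/Banner;": [
        "Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;",
    ],
}
# Permissions the user granted the host app at install time (constructed).
SAMPLE_PERMISSIONS = {"INTERNET", "ACCESS_FINE_LOCATION"}

if __name__ == "__main__":
    for lib, entry in triage(SAMPLE_CALLS, SAMPLE_PERMISSIONS).items():
        print(lib, entry)
```

On the sample, the host app’s own location call is left out of the report entirely, ExampleAds is flagged for location, phone number, call log and dynamic code loading, but only location and the code loading are exercisable with the host’s grants, and SampleBanner is flagged for enumerating installed apps, which needs no permission at all. The split between “risks” and “exercisable” is the point: the same library is benign in one app and invasive in another purely because of what the host app asked the user for.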
