Adlib: analyzer for mobile ad platform libraries

Mobile advertising has become a popular advertising approach by taking advantage of various information from mobile devices and rich interaction with users. Mobile advertising platforms show advertisements of nearby restaurants to users using the geographic locations of their mobile devices, and also allow users to make reservations easily using their phone numbers. However, at the same time, they may open the doors for advertisements to steal device information or to perform malicious behaviors. When application developers integrate mobile advertising platform SDKs (AdSDKs) to their applications, they are informed of only the permissions required by the AdSDKs, and they may not be aware of the rich functionalities of the SDKs that are available to advertisements. In this paper, we first report that various AdSDKs provide powerful functionalities to advertisements, which are seriously vulnerable to security threats. We present representative malicious behaviors by advertisements using APIs provided by AdSDKs. To mitigate the security vulnerability, we develop a static analyzer, Adlib, which analyzes Android Java libraries that use hybrid features to enable communication with JavaScript code and detects possible flows from the APIs that are accessible from third-party advertisements to device-specific features like geographic locations. Our evaluation shows that Adlib found genuine security vulnerabilities from real-world AdSDKs.

[1]  Julian Dolby,et al.  HybriDroid: Static analysis framework for Android hybrid applications , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[2]  Samy Bengio,et al.  Special Uses and Abuses of the Fiat-Shamir Passport Protocol , 1987, CRYPTO.

[3]  Sungjae Hwang,et al.  All about activity injection: Threats, semantics, and detection , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[4]  Mohamed Shehab,et al.  Reducing Attack Surface on Cordova-based Hybrid Mobile Apps , 2014, MobileDeLi '14.

[5]  Neil D. Jones,et al.  Flow analysis and optimization of LISP-like structures , 1979, POPL.

[6]  Shashi Shekhar,et al.  AdSplit: Separating Smartphone Advertising from Applications , 2012, USENIX Security Symposium.

[7]  Heng Yin,et al.  Attacks on WebView in the Android system , 2011, ACSAC '11.

[8]  Vitaly Shmatikov,et al.  What Mobile Ads Know About Mobile Users , 2016, NDSS.

[9]  David A. Wagner,et al.  AdDroid: privilege separation for applications and advertisers in Android , 2012, ASIACCS '12.

[10]  Mira Mezini,et al.  Access-Path Abstraction: Scaling Field-Sensitive Data-Flow Analysis with Unbounded Access Paths (T) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[11]  M. Wegman,et al.  Global value numbers and redundant computations , 1988, POPL '88.

[12]  Zhenkai Liang,et al.  Web-to-Application Injection Attacks on Android: Characterization and Detection , 2015, ESORICS.

[13]  Achim D. Brucker,et al.  On the Static Analysis of Hybrid Mobile Apps - A Report on the State of Apache Cordova Nation , 2016, ESSoS.

[14]  A. B. Bhavani Cross-site Scripting Attacks on Android WebView , 2013, ArXiv.

[15]  Heng Yin,et al.  Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation , 2014, CCS.

[16]  Vitaly Shmatikov,et al.  Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks , 2014, NDSS.

[17]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[18]  Xiao Zhang,et al.  AFrame: isolating advertisements from mobile applications in Android , 2013, ACSAC.