AdDroid: Privilege Separation for Applications and Advertisers in Android

Paul Pearce, Adrienne Porter Felt Gabriel Nunez David Wagner Computer Science Division Sandia National Laboratory∗ Computer Science Division University of California Berkeley [email protected] University of California Berkeley {pearce, apf}@cs.berkeley.edu [email protected]

ABSTRACT Before developers can distribute an Android application, Advertising is a critical part of the Android ecosystem— they must identify and declare what permissions their ap- many applications use one or more advertising services as plications need. The installation process shows these per- a source of revenue. To use these services, developers missions to users if they choose to install the application. must bundle third-party, binary-only libraries into their However, the Android security model does not provide any applications. In this model, applications and their adver- special support for advertisements. This means that there tising libraries share permissions. Advertising-supported is no way for the user or the operating system to differen- applications must request multiple privacy-sensitive per- tiate between the permissions necessary for the host appli- missions on behalf of their advertising libraries, and ad- cation and those needed by advertising libraries. A simple vertising libraries receive access to all of their host appli- advertisement-supported application (e.g., a game or cus- cations’ other permissions. We conducted a study of the tom ringtone application) must request multiple privacy- Android Market and found that 49% of Android applica- sensitive permissions unrelated to its functionality just so tions contain at least one advertising library, and these it can display advertisements. Advertising libraries often require permissions for network connectivity, location in- libraries overprivilege 46% of advertising-supported appli- 1 cations. Further, we find that 56% of the applications with formation, and phone state. Since developers include the advertisements that request location (34% of all applica- advertising library as part of the application, applications tions) do so only because of advertisements. Such pervasive can use the permissions needed for advertising libraries, overprivileging is a threat to user privacy. We introduce and vice versa. This is an instance of overprivileging: the AdDroid, a privilege separated advertising framework for advertising libraries require applications to take on addi- the Android platform. AdDroid introduces a new adver- tional privileges that they otherwise might not need. More- tising API and corresponding advertising permissions for over, these additional permissions have serious implications the Android platform. This enables AdDroid to separate for user privacy. privileged advertising functionality from host applications, The current advertising model results in the following allowing applications to show advertisements without re- classes of threats: questing privacy-sensitive permissions. • Advertisers may track users without their knowledge. • Untrusted applications may have access to unneces- 1. INTRODUCTION sary private data, such as the user’s location. The Android Market [2] has given Android developers an avenue to rapidly develop and distribute applications • If an adversary exploits a buggy application, the be- directly to consumers. Mobile advertising services such as nign-but-buggy application may inadvertently leak or AdMob [1] and Millennial Media [21] play a key role in this expose sensitive information to attack. ecosystem by allowing developers to generate revenue from • Malicious or opportunistic advertising networks could advertisements. These advertisers distribute libraries that abuse the permissions of their host applications. make it easy for applications to request advertisements and display them in their user interfaces. • Applications frequently requesting sensitive permis- sions, or permissions unrelated to the application’s ∗ Work done while at the Computer Science Division, Uni- functionality, can train users to ignore permission versity of California Berkeley. warnings [12]. • Advertising libraries have been observed download- ing code over HTTP and dynamically executing it at Permission to make digital or hard copies of all or part of this work for runtime [13]. personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies To combat these threats we propose AdDroid, an exten- bear this notice and the full citation on the first page. To copy otherwise, to sion of the Android platform that provides special support republish, to post on servers or to redistribute to lists, requires prior specific 1 permission and/or a fee. Applications need phone state to obtain the phone’s In- ASIACCS ’12, May 2–4, 2012, Seoul, Korea. ternational Mobile Equipment Identity (IMEI). Developers Copyright 2012 ACM 978-1-4503-1303-2/12/05 ...$10.00. can use the IMEI as a unique customer identifier. for advertisements. In AdDroid, the host application and the core advertising code run in separate protection do- mains. We accomplish this privilege separation by mov- ing privileged functionality into a new Android system service. Application developers may incorporate adver- tisements into their application by invoking the AdDroid advertising application programming interface (API). Ap- plications using AdDroid no longer need privacy-sensitive permissions just to display advertisements. To understand the potential value of AdDroid, we an- alyzed a set of 964 real-world Android applications col- lected from the Android Market. We found that 49% of applications contain at least one advertising network li- brary. We also found that application developers over- privileged 46% of advertising-supported applications (23% of all applications) by one or more permissions as a di- rect result of their use of advertising libraries. Further, we found that 27% of advertising-supported applications receive both Internet connectivity and location informa- Figure 1: At left, an application’s requested per- tion, even though the application needs neither for its missions are shown as part of the installation pro- functionality. This particular combination of permission cess. At right, an example of an advertisement (top overprivilege is potentially sensitive because it allows ap- of screen) in an application. plications to track a user’s location without their knowl- edge. Lastly, we found that 34% of all applications (56% of advertising-supported applications) that request loca- the microphone, and the ACCESS_FINE_LOCATION permis- tion do so only because of advertisements. With AdDroid, sion permits access to the phone’s GPS location. An ap- 27% of advertising-supported applications would no longer plication cannot perform a given operation unless it has need Internet access, 25% would no longer need location the related permission. information, and 8% would no longer need phone state in- In order to gain permissions, applications must first re- formation. Overall, AdDroid would reduce overprivileging quest them. Developers determine (e.g., via testing) the in 46% of advertising-supported applications. permissions that their applications require, and then they Contributions. The contributions of this work include: bundle their applications with the appropriate list of per- mission requests. Different applications request different • We identify and detail the problem of advertising- sets of permissions, based on their functionality. related overprivileging, including a detailed model of The Android installer asks users to grant these permis- the threats faced by users and developers (Section 2). sion when they install the application. After initiating the • We design and implement AdDroid, a solution to the installation process, the system shows the user the list of threat of advertising overprivilege that applies priv- permissions that the application requests. Figure 1 shows ilege separation to advertising libraries (Sections 3 a screenshot of the permission authorization process in the and 4). Android Market. The user implicitly accepts the permis- sion requests by choosing to complete the installation pro- • We measure the threat of advertising overprivilege cess. Permission authorization is all-or-nothing; the user and the impact of AdDroid with an advertising and must accept all of the application’s permission requests or overprivilege measurement study performed on ap- cancel installation. Once installed, these permissions will plications from the Android Market (Section 5). be available to the application each time it executes. 2. BACKGROUND 2.2 Advertising Libraries To frame the problem, we describe the Android permis- Advertising networks serve as middlemen between ap- sion system and explain how mobile advertising currently plication developers and advertisers. The advertising net- works. We then explain how the current system leads to works supply developers with advertising libraries, and de- privacy and security threats from legitimate advertising velopers place the libraries in their applications. The li- networks, grayware, benign-but-buggy applications, mali- braries provide APIs for inserting advertisements into the cious advertising networks, and vulnerable advertising net- application’s user interface and handle the fetching, ren- works. dering, and tracking of advertisements. These libraries are responsible for 65%-75% of energy usage in free applica- 2.1 Android Permissions tions [22]. Android employs an install-time permission system to In Android all parts of an application—including the ad- alert users to the privacy and security ramifications of in- vertising libraries—have the same permissions. This has stalling an application. A permission gives an applica- two consequences. First, an advertising library can use tion the ability to perform a specific privacy- or security- all of the permissions that its host application requests. relevant action. For example, the INTERNET permission Second, an application that includes an advertising library controls communication with remote servers, the RECORD_- must request all of the permissions that the advertising li- AUDIO permission provides the ability to record audio with brary requires. Figure 2 shows the relationship between Application Process More importantly, users can not tell what informa- tion (e.g., location) the application is sending to ad- Host Applicaton Android System vertisers. Services API Calls • Grayware. In some situations, users may trust adver- Android SDK Ad Lib Ad Lib tising networks more than the application. For exam- A B Android Permission Checks ple, consumers might be willing to share their loca- Inter-Process Communication tion with Google’s advertising network but not with unbranded games. Currently, there is no way for a Android Kernel user to identify what data they give to the untrusted application versus what data they give to the adver- tising network. Consider the case of the unbranded Figure 2: Diagram showing how advertising cur- game requesting location permissions. There is no rently works in Android. The example application way to determine if the game is taking that location uses two advertising networks. Each advertising information and using it in some way contrary to the library access the privileged Android system ser- user’s privacy, or if a reputable advertising network vices via IPC. The Android system does not dis- is using the location to serve location relevant adver- tinguish between different parts of an application. tisements. • Benign-but-buggy applications. The more permissions advertising libraries, applications, and the Android per- a user grants to an application, the more damage it mission system. Android system services perform privi- can do if exploited [24]. If an overprivileged appli- leged operations. Applications access these services via cation contains bugs, an attacker could make use of inter-process communication (IPC), and the system ser- these additional privileges to track users, exfiltrate vices will only perform operations that applications have data, and violate user privacy. A buggy application permissions for. While Android system services are able to could also unknowingly leak private information it perform operations unconstrained by Android application, had access too. they do not run as “root.”2 Certain permissions are commonly associated with ad- • Malicious advertising networks. An unscrupulous ad- vertising libraries. Advertising libraries load advertise- vertising network could supply application develop- ments from remote servers, which requires the INTERNET ers with a malicious library that abuses the permis- permission; they may also use the ACCESS_NETWORK_STATE sions requested by host applications. Although we permission to determine whether the phone has access to are unaware of existing malicious mobile advertis- the Internet. To support location-specific advertisements, ing networks, malware has appeared in the Android applications must request one of the LOCATION permissions Market [10], and malicious advertising partners have (either GPS or network location). Some advertising net- collaborated with botnets in other settings [20]. A works use the READ_PHONE_STATE permission to obtain the less severe variant of this threat is an opportunistic phone’s IMEI, which can serve as a unique customer iden- advertising library that uses aggressive, borderline- tifier. Advertising networks publish documentation that legal marketing techniques. An example of an op- instructs developers to include these permissions in their portunistic threat would be a library that collects lists of required permissions. users’ phone contact lists to send spam. Opportunis- tic advertising libraries that check for and use their 2.3 Threat Model host applications’ permissions have been seen in the Besides potentially training users to ignore sensitive per- wild [13]. mission requests [12], five threats arise from the Android • Vulnerable advertising networks. Advertising librar- advertising ecosystem: ies have been observed downloading code over HTTP and executing it [13]. This behavior could turn a le- • Legitimate advertising networks. Studies suggest that gitimate advertising network into a malicious one if a majority of users have experienced discomfort shar- the user is connected to an unsafe wireless network. ing personal information such as location and brows- ing history with advertising networks [19, 16, 4]. The In each of these threats, providing applications and ad- purpose of the Android permission system is to in- vertising libraries with unfettered access to each other’s form users about what personal information they will permissions poses significant danger. share with a third party, but Android users are cur- rently unable to tell which permissions advertising li- 3. PROPOSAL braries use. Consequently, users are unaware of what We propose to use privilege separation [23] to address information applications or advertising libraries are the threats outlined in Section 2. In general, privilege sep- sharing with advertising networks and are unable to aration involves placing the privileged components of the object to advertising libraries’ permission requests. application in a different protection domain from the rest While users can usually identify whether an applica- of the application, and assigning a different set of permis- tion contains advertisements, this may only become sions to each domain. In this context, we suggest placing apparent after they install and use the application. the privileged parts of the advertising library in a sepa- 2One can think of the Android system services as running rate protection domain, and assigning it a separate set of with the permissions of a traditional Linux process. permissions. We begin by exploring two traditional solutions for privi- • The ADVERTISING permission is necessary to warn lege separation: separation within a process and separation users that the selected application transmits data to between processes. Then, we explain why these solutions an advertising network through an advertising ap- are inadequate in the context of Android advertising. We plication. However, it would be difficult to enforce then present an alternative solution, our system AdDroid. this permission. Once a user or host application has installed an advertising application on a phone, 3.1 Privilege Separation Within A Process other user-selected applications could communicate A natural approach is to introduce a finer-grained per- with it to load advertisements. Advertising applica- mission model, where an application can consist of multiple tions could refuse to service user-selected applications protection domains, each with its own code and associated that lack the ADVERTISING permission, but this relies set of permissions. It is tempting to assign each Java class on the advertising applications to enforce the permis- to its own protection domain, with all protection domains sion requirement. Since advertisers have an incentive running in the same virtual machine and process. This to show advertisements to as many applications as would let the advertising library exist in the same process possible, they are incentivized to not enforce these and Java runtime as the rest of the application, but with permissions. The Android Market could refuse to different permissions. Under this proposal, method calls list advertising applications unless they abide by this between the library and application remain unchanged be- constraint, but this would require periodic audits of cause they are in the same virtual machine, yet the adver- advertising applications. tising library and application have their own permissions. Unfortunately, there are two technical problems with • The Android platform would need to be extended this solution. First, some applications include native li- to support install-time dependencies between appli- braries, which can arbitrarily violate the integrity of the cations so that advertisement-supported applications virtual machine running in the same process [9]. Second, could list an appropriate advertising application from the Dalvik virtual machine (which executes Android Java their preferred advertising network as a prerequisite. code) does not support isolation between portions of code The platform would also need to support runtime ap- within the same virtual machine, which would be neces- plication dependencies. This would require changes sary to prevent one part of an application from interfering to the Android platform, the Market, and the user with or altering other parts of the application. Java in- interface for application installation. Such changes cludes a reflection library that explicitly allows other code could present unforeseen abuse opportunities. There to violate code encapsulation and integrity running in the is also a potential for reliability and security con- same virtual machine. Consequently, we do not think it cerns if the market must manage separate advertis- is feasible to separate the privileges of an application and ing applications for all possible advertising networks. its advertising library within a Dalvik virtual machine or Each phone would need to maintain copies of the process. versions needed by all of the installed applications. This presents significant logistical obstacles for de- 3.2 Privilege Separation Between Processes ployment. Another approach is for advertising libraries to exist as separate, standalone applications. These advertising appli- • The Android Market would need to prevent the dis- cations would run in separate processes from the user ap- tribution of impostor advertising networks. An im- plication. When a user installs an application with adver- postor advertising network would collect all of the tisements, the user-selected application would install the information sent to it without paying the developer appropriate advertising application. User-selected appli- and without the privacy policy of a reputable adver- cations would either interact with advertising applications tising network. via existing IPC mechanisms, or the Android system would Consequently, we believe the solution of standalone adver- have to be modified to allow the user-selected and advertis- tising applications will not suffice. Therefore we present ing applications to share the screen [6]. Advertising appli- a modified and extended IPC approach which leverages cations would consist of the current advertising library and existing infrastructure in the Android platform. shim code to proxy information to and from the target ap- plication. The user-selected and advertising applications 3.3 Our Proposal: AdDroid would each run with their own sets of permissions. As We propose AdDroid, a solution which integrates adver- we envision it, user-selected applications would request a tising into the Android platform. In this solution, adver- new ADVERTISING permission in order to display advertise- tising networks do not provide advertising libraries at all. ments, and the system would allow advertising applications Instead, the Android API is extended to support advertis- to use permissions associated with advertising such as IN- ing. The extended Android API relays advertising meta- TERNET or LOCATION. data from applications to advertising networks, fetches ad- Unfortunately, there are numerous hurdles to implement- vertisements from advertising networks’ servers, and han- ing this approach on the Android platform, including: dles user interface events. Applications provide the API • Users who do not want to look at advertisements with configuration data to identify which advertising net- might uninstall the advertising applications. This work(s) to fetch advertisements from, as well as contextual would hurt developers and companies that rely on information about the advertisement. This modification to advertising revenue. Application developers expect the Android platform introduces a model similar existing users to “pay” for free (i.e., subsidized) applications system services, and relies on mechanisms already in the by viewing advertisements. platform. Application Process _PHONE_STATE permissions. This enables users to dis- Android System tinguish between applications that use permissions Host Applicaton Services for their own purposes and applications that use per- missions for advertising. For example, a person con- API Calls Service Service AdDroid sidering an unbranded game would know that the AdDroid A B Service Android SDK game developer is collecting his or her information Library Android Permission Checks for a purpose other than displaying location-aware advertisements. We expect that our proposal would Inter-Process Communication significantly reduce the number of applications that Android Kernel ask for Internet, location, and identity permissions, which would make the permissions more notable and Phone

Web https https therefore more effective. If these applications only Advertising Advertising requested the advertising related permissions, they Network Network would have no access to Internet, location, or phone identification information.

Figure 3: The AdDroid design. Key components • Benign-but-buggy applications. Since applications no include a userspace AdDroid library that adds ad- longer need to request permissions for their advertis- vertising support to the public API, and a support- ing libraries, many will have fewer permissions. This ing AdDroid system service that communicates means that a buggy application will be less likely to with the advertising network’s Internet servers. have Internet, location, or phone state permissions, thus reducing the impact of any vulnerability or bug in the application. We also propose the addition of two new permissions: ADVERTISING and LOCATION_ADVERTISING. Applications • Malicious advertising networks. In our model, ad- wishing to take advantage of AdDroid would request one vertising networks do not provide any code directly of these permissions, which would give them access to the to developers choosing to use AdDroid. As such, new advertising API calls. Advertising-supported applica- malicious advertising networks would not be able to tions would not need to request additional permissions for leverage application permissions to collect excessive advertising (e.g., LOCATION) because all of the privileged amounts of user data or perform undesirable opera- advertising-related operations would be performed by Ad- tions. Droid on behalf of the application. Applications requesting these permissions will not have unfettered access to In- • Vulnerable advertising networks. Since applications ternet, location, or phone identifying information. These would no longer embed advertising libraries in their permissions will only grant them access to parts of the applications, advertising libraries cannot introduce advertising API. vulnerabilities into applications. Figure 3 shows a system overview of AdDroid. The An- droid SDK now includes additional advertising-related API As such, we believe AdDroid addresses the privacy and se- calls which are supported by a new system service. All of curity concerns about advertising identified in Section 2.3. the advertising-related code that does not require special In addition to improving privacy, AdDroid provides other permissions resides in the Android SDK and does not need benefits. Uniting advertising networks under a common to be trusted by the privileged Android components. Ad- API would decrease developer overhead, particularly for vertising functionality that requires permissions (e.g., con- applications that use multiple advertising networks. In necting to the Internet) is implemented in the new service, turn, this gives advertisers more potential customers, as which can perform privileged operations. The advertising every developer would be able to opt-in to advertisements system service is only accessible to applications with the using a familiar, standardized API. The creation of an AD- appropriate ADVERTISING or LOCATION_ADVERTISING per- VERTISING permission also allows the Android Market to missions. In our proposal, all of the advertising-related become advertising-aware. The Market could allow users code that requires privilege is trusted enough to be part of to sort applications based on whether they include adver- a system service because it has been written or reviewed by tisements. Additionally, the Market could support a fea- the Android development team. Consequently, it is safe for ture that allows users to switch to the paid version of an privileged advertising code to execute as a system service. application (e.g., if the user does not like the advertise- This solution mitigates our five threats as follows: ments in the free version). Section 4 discusses the AdDroid implementation in more • Legitimate advertising networks. The advertising per- depth. Section 5.6 discusses AdDroid’s ability to support missions inform users when applications make use multiple advertising networks further. of advertising. In particular, the LOCATION_ADVER- TISING permission informs users when applications 3.3.1 Existing Applications and Libraries include location-aware advertisements. Armed with this information, users can make informed decisions AdDroid does not prevent the continued use of the ex- about which applications to install, given their per- isting bundled library model. Applications and advertising sonal privacy preferences. networks that do not use AdDroid simply do not receive the benefits of the system. Existing applications and ad- • Grayware. In AdDroid, applications can include ad- vertising networks will continue to function normally. In vertisements without needing the LOCATION or READ- the long term, we would expect the benefits of AdDroid and changing user expectations to entice developers to mi- Since the AdDroid library exists in userspace, it runs grate their applications and advertising libraries. with the host application’s permissions. We do not make any assumptions about what permissions the host appli- 3.3.2 Limitations cation has. Furthermore, a grayware application could ar- The AdDroid proposal has two drawbacks. First, the bitrarily tamper with the userspace library. Consequently, Android development team would need to implement Ad- the AdDroid library does not perform any privileged oper- Droid and incorporate the functionality of existing adver- ations. Whenever an application requests a new advertise- tising libraries into the Android API. However, we show in ment, the library makes a fetchAd IPC call to the AdDroid Section 5.6 that advertising functionality is relatively sim- system service which in turn performs the necessary privi- ple to support. Second, existing advertising networks are leged operations. Although the AdDroid userspace library currently able to declare and update their APIs at their does not perform any privileged operations, it contains the own pace, independent from Android release cycles. Un- majority of the advertising functionality. der AdDroid, advertising networks would be constrained When a user clicks on an advertisement an OnClick- by the advertising support in the Android SDK. For small Listener is invoked, spawning a web browser directed to configuration changes, such as adding new advertising net- the advertisement’s target URL. This action is how adver- works to AdDroid, the Android Market could disseminate tising services and applications track advertisement clicks. signed configuration update files that describe advertis- Launching a web browser is only one of several possible ing networks’ web service APIs. However, larger changes desired actions. Other behaviors can be added as needed to advertising networks might require platform updates. by advertisers. Since AdDroid does not preclude the use of the existing model, advertisers or developers unhappy with these lim- 4.2 AdDroid System Service itations can simply not use the system. The AdDroid so- The AdDroid system service runs with other Android lution is less agile than traditional models, but we believe system services as part of the Android system service pro- the security gains and ecosystem advantages outweigh the cess. This service’s only job is to receive advertising re- loss of flexibility. quests from applications via the AdDroid userspace library and return advertisements. When the AdDroid system ser- 4. IMPLEMENTATION vice receives an advertisement request, it establishes a net- We implemented our AdDroid proposal to illustrate its work connection to the appropriate advertising network, details and demonstrate its feasibility. AdDroid consists transmits data to the advertising network, and stores the of three parts: a userspace library that is part of the An- resulting advertisement. The AdDroid library then makes droid SDK, a new Android system service, and Android a follow-up IPC call to the AdDroid system service to re- permissions. Our proof-of-concept implementation of the trieve the advertisement. AdDroid prototype integrates these three components into The data sent to the advertising network during the the Android Open Source Project, version 2.3.3 (Ginger- transaction might include configuration information (e.g., bread). the application’s customer number or the size of the re- quested advertisement), tracking data collected by the ap- 4.1 AdDroid Library API plication, or advertising context-specific information spec- The AdDroid userspace library provides developers with ified by the application. If the application has the LOCA- a public API, i.e., the classes and methods that developers TION_ADVERTISING permission, then the advertising net- invoke when writing applications. It supports the insertion work will also receive the phone’s current location. Some of advertisements into applications’ user interfaces and re- advertising networks also request the phone’s unique iden- lays data between the application and the AdDroid system tifier. Our current prototype sends the telephony ID (i.e., service. The library includes a new user interface element IMEI, MEID, or ESN), but a full implementation could to display advertisements (an “AdView”), callback listen- supply advertising networks with an alternate identifier. ers, and support for a wide range of user tracking data.3 Alternatives include the ANDROID_ID (a unique ID that After surveying various advertising networks, we based is not tied to the carrier), the android.os.Build.SERIAL the design of the API on the AdMob advertising SDK. field, or another identifier that is application-specific rather AdMob is well-designed and supports most of the features than device-wide. of other advertising networks. Starting with the AdMob API, we made changes to generalize the API and extend 4.3 Android Permission Changes it to other advertising networks. The AdDroid library al- Applications should only be able to fetch ads through lows developers to specify which advertising networks they the AdDroid system service if they have the ADVERTISING would like to use, and allows use of multiple advertising or LOCATION_ADVERTISING permissions. To enforce this re- networks in one application. A separate advertising net- striction, the AdDroid service verifies its caller’s permis- work can be specified for each AdView, providing great sions. The ability to verify caller permissions from within flexibility. The AdDroid API is the same for all appli- Android services is part of the core Android security model, cations, regardless of which advertising network they use. which we leverage. Appendix A contains detailed description of the AdDroid We protect the fetchAd IPC call with our new adver- API and sample usage. tising permissions. The ADVERTISING permission gives ap- 3Applications often ask users for information such as their plications the ability to call fetchAds and request generic gender, which they then share with advertising networks. advertisements based on data supplied by the application. This data is distinct from the user data stored by the op- When applications use LOCATION_ADVERTISING in addition erating system. to ADVERTISING, applications may request that fetchAds permissions that are not necessary for advertising (Sec- tion 5.4). AdDroid would remove all of the overprivilege identified by this measurement study. In Section 5.5 we investigate the permissions commonly used by advertisers. In Section 5.6, we discuss how difficult it would be for de- velopers to switch to AdDroid. 5.1 Methodology We used Stowaway [9] to perform a permission analy- sis of 964 real-world applications and their advertising li- braries. Our set of applications consisted of the 764 most popular free applications, the 100 most popular paid appli- cations, and the 100 most recently added or updated free applications from the official Android Market in October 2010. The first step of our measurement study was to split each application into two parts: the application itself, and any Figure 4: Installation screens of two applications advertising libraries packaged with the application. We requesting the new AdDroid permissions. The disassembled applications using Dedexer [5] and then used text of these permissions is for illustrative purposes namespaces to separate advertising-related code and XML only. Designing effective warnings is an open re- files from the main application. For example, code in the search problem [12]. com.admob.android.ads namespace belongs to the AdMob advertising library. We focused our study on applications that contained advertising libraries. Next, we ran Stow- sends location information to the advertisers as well. Fig- away on the applications and their affiliated advertising ure 4 shows how the permissions appear to users during libraries, which resulted in a list of permissions used by installation of our prototype.4 Screenshots are provided each application and its advertising libraries. for illustrative purposes; UI design is beyond the scope of Stowaway’s permission analysis can be imprecise. Dead this paper. Designing effective permission warnings that code (i.e., code that will not run during normal execu- correctly convey security information to users is a problem tion) can cause Stowaway to falsely report that an appli- in itself [12]. We leave it as an interesting open problem cation uses a permission, or Java reflection can cause it for usability experts how best to communicate this infor- to falsely report that an application does not use a per- mation to users. mission. To validate Stowaway’s results, we manually re- viewed 25 applications’ use of the INTERNET permission. 4.4 Code Size We randomly selected 25 applications from the set of top We found that AdDroid required relatively few modifica- free applications with advertising libraries. We manually tions to the existing Android Open Source Project, version exercised their user interfaces in an emulator while record- 2.3.3. The AdDroid userspace library required 560 new ing all network communication with Wireshark. Using the source lines of code including blank lines and comments Wireshark traces, we determined whether the applications (SLoC), and the new Android system service required 255 use the Internet to communicate with advertisers, other SLoC. Additionally, we modified or added 66 SLoC to the parties, or both. existing system to add support for the framework, system service, and new permissions. We flashed and tested the 5.2 Data Set Characteristics system on a GSM Samsung Nexus S unlocked consumer 473 of the 964 applications (49%) contain libraries from phone. at least one advertising network. We found advertising li- braries from nine advertising networks in the 473 applica- 5. MEASUREMENT STUDY AND tions: AdMob, AdSense, AdWhirl, Flurry, Medialets, Mil- lennial Media, MobClix, Quattro Wireless, and ZestAdz. ADDROID EVALUATION Our data set includes multiple versions of each advertis- We analyzed a set of 964 Android applications to evalu- ing library because developers do not always update their ate the real-world impact of AdDroid on applications and applications to include the latest versions. Some applica- advertising. We performed a static permission analysis tions use multiple advertising libraries. Table 1 shows the on the applications to determine the permissions used by popularity of each advertising network and the distribu- the host applications and their libraries; Section 5.1 ex- tion of advertisements across free and paid applications. plains our methodology and Section 5.2 describes our data Unsurprisingly, free applications are more likely to contain set. We then present results on how often applications re- advertising libraries: 16% of the top paid applications in- quest permissions solely for advertising (Section 5.3) and clude advertising libraries, compared to 50% of the top free how many advertising libraries have access to dangerous applications and 72% of the recently-uploaded free appli- cations. 4These screenshots show the installation screen for manual installation, rather than for an installation from the An- 5.3 Application Overprivilege droid Market. This is because we did not want to place an application in the Android Market solely for these screen- We identified advertising-related overprivilege in the 473 shots. applications with advertising libraries. An application is Media- Millen- Total Total AdMob AdSense AdWhirl Flurry lets nial MobClix Quattro ZestAdz with ads apps Top Free 231 155 44 79 6 32 34 38 4 385 764 Top Paid 4 6 0 11 0 0 2 1 0 16 100 Recent Free 63 10 2 2 0 1 0 1 0 72 100

Table 1: The prevalence of advertising libraries among 964 applications. Some contain multiple advertising libraries.

Requested only Total apps 5.4 Advertising Library Overprivilege Permission for ads requesting Currently, a malicious or aggressive advertising library 131 809 INTERNET has access to all of its host application’s permissions. In the 121 361 LOCATION set of 473 applications with advertising libraries, 398 ap- 40 312 READ_PHONE_STATE plications (84%) request permissions beyond those needed 36 395 ACCESS_NETWORK_STATE by the advertising library. For example, 149 applications’ advertising libraries inherit the ability to read the user’s Table 2: The number of applications that request a contacts, which a malicious advertising network could use permission exclusively for the purpose of advertis- for aggressive marketing campaigns. With AdDroid, ad- ing. For comparison, we also show the total num- vertising libraries would not have access to these extra ber of requests for that permission in the set of 964 permissions: AdDroid prevents advertising networks from applications. abusing permissions that applications have incidentally re- quested. overprivileged by advertising if: 5.5 Advertising Functionality • The application requests a permission. AdDroid’s system service is an advertising service that • The application itself does not use the permission. supports Internet advertisements with differing behavior based on phone identity, and user’s location. We evaluate • One of its advertising libraries uses the permission. whether this is sufficient to support the same functionality as the advertising libraries in our data set. We focus on overprivilege pertaining to the four permis- The permissions used by the AdDroid system service sions related to common advertising library operations. satisfy the functionality of 456 of the 473 applications’ ad- These four permissions control access to the Internet, the vertising libraries. However, we find that 17 applications 5 phone’s location, the state and identity of the phone, and include advertising libraries that use two additional, un- the state of the phone’s network connectivity. supported permissions: We find that advertising libraries overprivilege 218 of the applications (46% of the applications with advertisements, • GET_TASKS. Some versions of MobClix use this per- and 23% of all 964 applications). 110 applications re- mission to check that the advertisement is currently quest multiple permissions that are only used for advertis- displayed in the foreground. While in principle this ing. Table 2 shows how often each of the four advertising- permission could be used to spy on users’ application related permissions contribute to overprivilege. Notably, preferences, we did not observe MobClix using it in more than a third of all applications that request access this fashion. Twelve applications include the version to the user’s location do so only for advertising. 56% of of MobClix that uses this permission. ad-supported applications (34% of all applications) that request a location permission use it only for advertising. With AdDroid, requests for advertising permissions would • VIBRATE. Some versions of Medialets support adver- replace all of these unnecessary permission requests. tisements that vibrate the phone to catch the user’s We performed a manual review to validate the results attention. Five applications use a version of Medi- of the automated analysis. The manual review found that alets that includes this functionality. 9 of 25 randomly-selected applications (36%) only use the INTERNET permission for advertising. Stowaway identified The advertising libraries that use these permissions are not 6 of the 25 applications as overprivileged. We determined fully compatible with the AdDroid proposal. that the discrepancy was due to dead code: 3 of the appli- AdDroid could support the advertising-related behavior cations contain dead code that would access the Internet associated with the GET_TASKS permission by adding an if it were reachable. For example, one application contains API call that allows an advertising service to determine unfinished code for connecting to Facebook. However, the whether it is in the foreground, without providing it with code is not currently connected to any user interface ele- the full list of applications. This would allow AdDroid to ments (e.g., menu items or buttons). We did not observe support MobClix’s desire to restrict certain actions to the any instances in which Java reflection caused Stowaway to foreground. We have not yet investigated whether there falsely state that an application does not use a permission. are technical challenges for providing this feature. We do 5There are technically two permissions that control loca- not recommend adding support for vibrating the phone; we tion: one for GPS location, and one for cellular network feel that these are intrusive advertising practices. As such, location. We group the two location permissions together AdDroid does not support all of Medialets’ functionality, for this discussion. but we believe this benefits users. 5.6 API For Developers screen sharing. These works are similar to the proposed For AdDroid to be successful, developers must be able approach in Section 3.2. Each work encounters technical to use its API. We have two usability goals: (1) a single hurdles and limitations similar to those outlined in our API able to support multiple advertising networks, and proposed approach. Some of these limitations are solved (2) developers need to be able to easily port their appli- with added complexity to the Android platform, and oth- cations from existing libraries to the new AdDroid API. ers are left as open problems. AdSplit also speculates that We evaluate this with our prototype API and two sample its ideal deployment is as part of the core Android distri- applications. bution, similar to our approach with AdDroid. Towards these goals, our proof-of-concept implementa- Prior work on Android overprivilege has not considered tion of AdDroid (Section 4) supports the core advertising the impact of advertising. Recent studies [11, 9] have ex- and user interface interactions of the AdMob and Millen- plored whether Android applications request more permis- nial Media advertising networks. We do not currently sup- sions than they require to function. However, they consid- port advanced functionality such as interstitial or video ered advertising libraries to be a legitimate use of permis- advertisements, but this is not an inherent limitation. Ad- sions, whereas we do not. Our measurement study focuses Mob, Millennial Media, and Google AdSense make up 69% specifically on overprivilege that stems from advertising. of ad network usage in our dataset (Table 1). We support Other researchers have explored information leakage to AdMob and Millennial Media, and Google has since depre- advertisers. Grace et al. [13] used static analysis to per- cated the AdSense SDK in favor of AdMob. Consequently, form a measurement study of the type and quantity of the AdDroid API already covers 69% of the market. Most private information sent to advertisers across over 100, 000 other advertising networks are similar to AdMob and Mil- applications. They found that advertising networks were lennial Media, and we believe that their needs could also opportunistically checking for and making use of host ap- be met with only small changes to our implementation. plication permissions. Grace et al. also found that some We built two sample applications that use the AdDroid advertising networks were downloading code over HTTP API to load real advertisements from advertising networks. and executing that code during runtime. AdDroid alle- This required a modification to our implementation be- viates these problems by isolating the privileged parts of cause our proof-of-concept implementation of AdDroid in- advertising libraries from the host application, and ensur- teracts with our own advertising server rather than actual ing that such privileged code is secure. TaintDroid [8] and advertising networks for ethical reasons. Existing advertis- PiOS [7] study information flow on the two most preva- ing libraries are not open source, and reverse engineering lent smartphone platforms: Google’s Android and Apple’s an undocumented protocol could lead to excessive charges iOS. They discovered that smartphone applications often to advertisers for impressions or clicks that did not oc- divulge sensitive personal information (e.g., unique device cur. Instead, for this demonstration only, we replaced the identifiers, location) to application developers and other AdDroid system service with existing advertising libraries. third parties. Known advertising networks are among the The sample applications invoke API calls in the AdDroid list of third-party recipients of data. Journalists [26] con- library, which proxies the calls to an advertising library, ducted their own study of Android and iPhone applications which in turn communicates with the advertising network with similar results. AppFence [15] extends TaintDroid to server. track more types of user data and detect exfiltration. The The first sample application uses the AdDroid API to user is warned at the point of exfiltration and can disallow fetch AdMob advertisements. The second uses the Ad- the operation. TaintDroid and AppFence are intended to Droid API to fetch Millennial Media advertisements. We detect and warn about the exfiltration of data by any party. bundled them with the AdDroid userspace library and the In contrast, AdDroid prevents advertising networks from original advertising libraries. The applications use the Ad- accessing information beyond location and device identi- Droid API to fetch advertisements and do not directly in- fiers without user involvement. AdDroid simply disallows voke the original advertising libraries. Both of the sample invasive data collection by advertisers; unlike approaches applications are able to correctly display advertisements that rely on taint tracking, AdDroid does not incur any from these advertising networks through the AdDroid API, additional overhead at runtime. and their use of the AdDroid API is nearly identical to how AdJail [18] is a mechanism to protect desktop browsers the original advertising APIs are used. Switching from the from malicious advertisements. AdJail uses policies and original library to the AdDroid API required us to modify sandboxing mechanisms to isolate users from advertise- less than 20 lines of code in our sample application. ments and prevent the disclosure of sensitive user data. The authors intend AdJail for web site publishers who want to protect their visitors, much like we direct Ad- 6. RELATED WORK Droid’s functionality to application developers to protect their customers. Concurrent with this work, several other researchers have Quire [6] is a proposed solution to the problem of prove- looked at the problem of Android overprivileging and ad- nance on Android. Currently, the identity of the origi- vertising. AdSplit [25] approaches the problem of advertis- nal caller in Android IPC can quickly become obfuscated. ing overprivileging by running advertising libraries as sep- Quire approaches this problem with call chains and mes- arate applications, and uses prior work [6] to allow both sage signing. The authors proposed that Quire could be applications to share the screen. AdSplit also performs used to help build a new advertising ecosystem with sepa- a measurement study similar to our own, yielding simi- rate user-level advertising applications. Quire’s objective, lar overprivileging results. Leontiadis et al. [17] also use with respect to advertising, is to prevent advertising fraud separate applications to limit advertising library overpriv- by certifying that applications properly display and users ilege, leveraging in-application widgets and IPC instead of click advertisements. Our objective with AdDroid is to [3] Cleff, E. B. Privacy Issues in Mobile Advertising. enhance privacy by preventing advertising libraries from Int. Review of Law, Computers & Technology (2007). disclosing private data. [4] 2009 Study: Consumer Attitudes About Behavioral Privacy on mobile platforms is a growing public and le- Targeting. http://www.truste.com/pdf/TRUSTe_ gal concern. MobiAd [14] is a proposed solution to allow TNS_2009_BT_Study_Summary.pdf, 2009. for targeted advertising while maintaining user privacy and [5] Dedexer User’s Manual. anonymity. The authors also note concerns over the trade- http://dedexer.sourceforge.net/. off users make for these interest- and location-based ad- [6] Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., vertisements. They conclude by stating that there is in- and Wallach, D. S. Quire: Lightweight sufficient data to know when and where users are willing Provenance for Smart Phone Operating Systems. In to accept advertisements. Cleff [3] argues that legislation USENIX Security Symposium (SSYM) (2011). is slow and well behind technological advancements and [7] Egele, M., Kruegel, C., Kirda, E., and Vigna, discusses the legal problems this raises in regards to pro- G. PiOS: Detecting Privacy Leaks in iOS tecting users’ privacy. Cleff asserts that users need control Applications. In Network and Distributed System over their private data and the types of advertising they Security Symposium (NDSS) (2011). receive. [8] Enck, W., Gilbert, P., Chun, B.-G., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. 7. CONCLUSION TaintDroid: An Information-Flow Tracking System With the widespread use of advertising in Android ap- for Realtime Privacy Monitoring on Smartphones. In plications, it is important to examine the security and pri- USENIX Symposium on Operating Systems Design vacy implications of the existing advertising model. Users and Implementation (OSDI) (2010). of advertisement-supported applications can fall victim to [9] Felt, A. P., Chin, E., Hanna, S., Song, D., and advertising networks tracking their behavior without their Wagner, D. Android Permissions Demystified. In knowledge, grayware, buggy-but-benign applications, and ACM Conference on Computer and Communication malicious or vulnerable advertising networks. Security (CCS) (2011). To combat the privacy and security threats related to [10] Felt, A. P., Finifter, M., Chin, E., Hanna, S., advertising, we propose AdDroid, an advertising API inte- and Wagner, D. A Survey of Mobile Malware in grated into the Android platform. AdDroid uses privilege the Wild. In ACM Workshop on Security and separation to isolate privacy-sensitive advertising network Privacy in Mobile Devices (SPSM) (2011). functionality from applications and introduces new adver- [11] Felt, A. P., Greenwood, K., and Wagner, D. tising permissions to protect the API. We have a proof- The Effectiveness of Application Permissions. In of-concept implementation of AdDroid and its advertising USENIX Conference on Web Application API. Through the use of AdDroid we believe the Android Development (WebApps) (2011). ecosystem can evolve and directly integrate advertisements [12] Felt, A. P., Ha, E., Egelman, S., Haney, A., into the fabric of the market. Such integration can provide Chin, E., and Wagner, D. Android Permissions: not just increased user privacy and security, but also eco- User Attention, Comprehension, and Behavior. Tech. nomic benefits and incentives for advertisers, developers, Rep. UCB/EECS-2012-26, University of California and the platform itself. Berkeley, 2012. To demonstrate the need for AdDroid, we performed [13] Grace, M., Zhou, W., Jiang, X., and Sadeghi, a study of the Android Market and found that 46% of A.-R. Unsafe Exposure Analysis of Mobile In-App advertisement-supported applications suffer from overpriv- Advertisements. In Conference on Security and ilege resulting from advertising library use. We also find Privacy in Wireless and Mobile Networks (WiSEC) that 34% of all applications (56% of advertisement-sup- (2012). ported applications) request access to location information [14] solely for advertising. Use of AdDroid would prevent this Haddadi, H., Hui, P., Henderson, T., and Targeted Advertising on the Handset: overprivileging due to advertising. Instead, applications Brown, I. Privacy and Security Challenges. In Pervasive would ask for the ADVERTISING or LOCATION_ADVERTISING Advertising. 2011. permissions, and advertising networks would not gain ac- cess to applications’ other permissions. [15] Hornyack, P., Han, S., Jung, J., Schechter, S., and Wetherall, D. These Aren’t the Droids You’re Looking For: Retrofitting Android to Protect 8. ACKNOWLEDGEMENTS Data from Imperious Applications. In ACM We would like to thank Ulfar´ Erlingsson for this help- Conference on Computer and Communication ful feedback throughout the project. This research was Security (CCS) (2011). supported by Intel through the Intel Science and Technol- [16] Kelley, P. G., Benisch, M., Cranor, L., and ogy Center for Secure Computing, by the Office of Naval Sadeh, N. When Are Users Comfortable Sharing Research under MURI Grant No. N000140911081, by a Their Locations With Advertisers? In Conference on Facebook Fellowship, and by a gift from Google. Human Factors in Computing (CHI) (2011). [17] Leontiadis, I., Efstratiou, C., Picone, M., and 9. REFERENCES Mascolo, C. Don’t kill my ads!: Balancing Privacy [1] AdMob: Mobile Advertising. in an Ad-Supported Mobile Application Market. In http://www.admob.com/. Workshop on Mobile Computing Systems & [2] Android Market. https://market.android.com/. Applications (HotMobile) (2012). [18] Louw, M. T., Ganesh, K. T., and Class AdProperties Venkatakrishnan, V. AdJail: Practical public AdProperties( int width , int height , AdProperties.Align alignment , Enforcement of Confidentiality and Integrity Policies int r e f r e s h ) on Web Advertisements. In USENIX Security public AdProperties.Align getAlignment() Symposium (SSYM) (2010). public java.lang.String toString() public static AdProperties BANNER [19] McDonald, A. M., and Cranor, L. F. public static AdProperties BANNER BOTTOM Americans’ Attitudes About Internet Behavioral public static AdProperties BANNER TOP Advertising Practices. In Workshop on Privacy in public static AdProperties IAB BANNER public static AdProperties IAB LEADERBOARD the Electronic Society (WPES) (2010). public static AdProperties IAB MRECT [20] Miller, B., Pearce, P., Grier, C., Kreibich, C., public static int NO REFRESH and Paxson, V. What’s Clicking What? Techniques s t a t i c enum AdProperties.Align and Innovations of Today’s Clickbots. In Conference BOTTOM TOP UNSET on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2011). Class AdRequest public AdRequest() [21] Mobile Advertising with Millennial Media. public void addExtra(String key, Object value) http://www.millennialmedia.com/. public void addKeyword(String keyword) [22] public Map getRequestMap() Pathak, A., Charlie, Y., and Zhang, H. M. public void setBirthday(String birthday) Where is the energy spent inside my app? Fine public void setExtras(Map e x t r s ) Grained Energy Accounting on Smartphones with public void setGender(AdRequest.Gender gender) Eprof. In European Conference on Computer public void setKeywords(Set keywords ) public void setLocation( boolean l o c a t i o n ) Systems (EuroSys) (2012). public void setTesting( boolean t e s t i n g ) [23] Provos, N., Friedl, M., and Honeyman, P. Preventing Privilege Escalation. In USENIX Security s t a t i c enum AdRequest. ErrorCode INTERNAL ERROR INVALID REQUEST NETWORK ERROR Symposium (SSYM) (2003). NO FILL UNKNOWN [24] Saltzer, J. H., and Schroeder, M. D. The Class AdView extends RelativeLayout implements Ad Protection of Information in Computer Systems. In public AdView(Activity activity , IEEE (1975). AdProperties props , AdNetwork network) [25] Shekhar, S., Dietz, M., and Wallach, D. S. public boolean isReady ( ) public boolean isRefreshing() AdSplit: Separating Smartphone Advertising From public void loadAd(AdRequest request) Applications. CoRR abs/1202.4030 (2012). public void setAdListener(AdListener listener) [26] Thurm, S., and Kane, Y. I. Your Apps Are public boolean stopLoading() Watching You. http://online.wsj.com/article/SB1000142- Listing 1: Our abbreviated AdDroid API as found 4052748704694004576020083703574602.html, Dec. in package com.ads.addroid. 2010.

public class AdDroidDemo extends A c t i v i t y { // Called when the activity starts or restarts APPENDIX @Override public void onCreate(Bundle savedInstanceSt){ super .onCreate(savedInstanceSt ); setContentView(R. layout .main); A. SAMPLE API AND USAGE // Specify the add type Listing 1 shows our AdDroid API, abbreviated for space. // (e.g., banner, interstitial , video) AdProperties props = AdProperties .BANNER; Listing 2 shows sample usage of the AdDroid API by the // Specify the ad network (e.g., AdMob) demo application called AdDroidDemo. This code demon- // and the associated unique ID strates how an AdDroid ad can be instantiated. AdNetwork network = new AdNetwork(AdNetwork . NetworkType .ADMOB, ”ADVERTISER ID” ) ; // Instantiate the view for the ad Interface AdListener AdView adView = void onCacheReceive(Ad ad) new AdView ( this , props, network); void onDismissScreen(Ad ad) // Lookup your LinearLayout assuming its void onFailedToRecieveAd(Ad ad, // been given the id ”main layout ” AdRequest.ErrorCode error) LinearLayout layout = void onForcedPresentScreen(Ad ad) findViewById(R. id . main layout ) ; void onLeaveApplication(Ad ad) // Add the AdView to the layout void onPresentScreen(Ad ad) layout .addView(adView); void onReceiveAd(Ad ad) // Instantiate the ad request AdRequest adReq = new AdRequest (); Class AdNetwork // Request and load the ad public AdNetwork(AdNetwork.NetworkType network , adView. loadAd(adReq); java.lang.String applicationId) } public java.lang.String getId() } public AdNetwork.NetworkType getNetwork()

s t a t i c enum AdNetwork. NetworkType Listing 2: A complete AdDroidDemo activity ADMOB MILLMEDIA MOBCLIX showing sample usage of the AdDroid API.