AdDroid: Privilege Separation for Applications and Advertisers in Android Paul Pearce, Adrienne Porter Felt Gabriel Nunez David Wagner Computer Science Division Sandia National Laboratory∗ Computer Science Division University of California Berkeley [email protected] University of California Berkeley {pearce, apf}@cs.berkeley.edu [email protected] ABSTRACT Before developers can distribute an Android application, Advertising is a critical part of the Android ecosystem| they must identify and declare what permissions their ap- many applications use one or more advertising services as plications need. The installation process shows these per- a source of revenue. To use these services, developers missions to users if they choose to install the application. must bundle third-party, binary-only libraries into their However, the Android security model does not provide any applications. In this model, applications and their adver- special support for advertisements. This means that there tising libraries share permissions. Advertising-supported is no way for the user or the operating system to differen- applications must request multiple privacy-sensitive per- tiate between the permissions necessary for the host appli- missions on behalf of their advertising libraries, and ad- cation and those needed by advertising libraries. A simple vertising libraries receive access to all of their host appli- advertisement-supported application (e.g., a game or cus- cations' other permissions. We conducted a study of the tom ringtone application) must request multiple privacy- Android Market and found that 49% of Android applica- sensitive permissions unrelated to its functionality just so tions contain at least one advertising library, and these it can display advertisements. Advertising libraries often require permissions for network connectivity, location in- libraries overprivilege 46% of advertising-supported appli- 1 cations. Further, we find that 56% of the applications with formation, and phone state. Since developers include the advertisements that request location (34% of all applica- advertising library as part of the application, applications tions) do so only because of advertisements. Such pervasive can use the permissions needed for advertising libraries, overprivileging is a threat to user privacy. We introduce and vice versa. This is an instance of overprivileging: the AdDroid, a privilege separated advertising framework for advertising libraries require applications to take on addi- the Android platform. AdDroid introduces a new adver- tional privileges that they otherwise might not need. More- tising API and corresponding advertising permissions for over, these additional permissions have serious implications the Android platform. This enables AdDroid to separate for user privacy. privileged advertising functionality from host applications, The current advertising model results in the following allowing applications to show advertisements without re- classes of threats: questing privacy-sensitive permissions. • Advertisers may track users without their knowledge. • Untrusted applications may have access to unneces- 1. INTRODUCTION sary private data, such as the user's location. The Android Market [2] has given Android developers an avenue to rapidly develop and distribute applications • If an adversary exploits a buggy application, the be- directly to consumers. Mobile advertising services such as nign-but-buggy application may inadvertently leak or AdMob [1] and Millennial Media [21] play a key role in this expose sensitive information to attack. ecosystem by allowing developers to generate revenue from • Malicious or opportunistic advertising networks could advertisements. These advertisers distribute libraries that abuse the permissions of their host applications. make it easy for applications to request advertisements and display them in their user interfaces. • Applications frequently requesting sensitive permis- sions, or permissions unrelated to the application's ∗ Work done while at the Computer Science Division, Uni- functionality, can train users to ignore permission versity of California Berkeley. warnings [12]. • Advertising libraries have been observed download- ing code over HTTP and dynamically executing it at Permission to make digital or hard copies of all or part of this work for runtime [13]. personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies To combat these threats we propose AdDroid, an exten- bear this notice and the full citation on the first page. To copy otherwise, to sion of the Android platform that provides special support republish, to post on servers or to redistribute to lists, requires prior specific 1 permission and/or a fee. Applications need phone state to obtain the phone's In- ASIACCS ’12, May 2–4, 2012, Seoul, Korea. ternational Mobile Equipment Identity (IMEI). Developers Copyright 2012 ACM 978-1-4503-1303-2/12/05 ...$10.00. can use the IMEI as a unique customer identifier. for advertisements. In AdDroid, the host application and the core advertising code run in separate protection do- mains. We accomplish this privilege separation by mov- ing privileged functionality into a new Android system service. Application developers may incorporate adver- tisements into their application by invoking the AdDroid advertising application programming interface (API). Ap- plications using AdDroid no longer need privacy-sensitive permissions just to display advertisements. To understand the potential value of AdDroid, we an- alyzed a set of 964 real-world Android applications col- lected from the Android Market. We found that 49% of applications contain at least one advertising network li- brary. We also found that application developers over- privileged 46% of advertising-supported applications (23% of all applications) by one or more permissions as a di- rect result of their use of advertising libraries. Further, we found that 27% of advertising-supported applications receive both Internet connectivity and location informa- Figure 1: At left, an application's requested per- tion, even though the application needs neither for its missions are shown as part of the installation pro- functionality. This particular combination of permission cess. At right, an example of an advertisement (top overprivilege is potentially sensitive because it allows ap- of screen) in an application. plications to track a user's location without their knowl- edge. Lastly, we found that 34% of all applications (56% of advertising-supported applications) that request loca- the microphone, and the ACCESS_FINE_LOCATION permis- tion do so only because of advertisements. With AdDroid, sion permits access to the phone's GPS location. An ap- 27% of advertising-supported applications would no longer plication cannot perform a given operation unless it has need Internet access, 25% would no longer need location the related permission. information, and 8% would no longer need phone state in- In order to gain permissions, applications must first re- formation. Overall, AdDroid would reduce overprivileging quest them. Developers determine (e.g., via testing) the in 46% of advertising-supported applications. permissions that their applications require, and then they Contributions. The contributions of this work include: bundle their applications with the appropriate list of per- mission requests. Different applications request different • We identify and detail the problem of advertising- sets of permissions, based on their functionality. related overprivileging, including a detailed model of The Android installer asks users to grant these permis- the threats faced by users and developers (Section 2). sion when they install the application. After initiating the • We design and implement AdDroid, a solution to the installation process, the system shows the user the list of threat of advertising overprivilege that applies priv- permissions that the application requests. Figure 1 shows ilege separation to advertising libraries (Sections 3 a screenshot of the permission authorization process in the and 4). Android Market. The user implicitly accepts the permis- sion requests by choosing to complete the installation pro- • We measure the threat of advertising overprivilege cess. Permission authorization is all-or-nothing; the user and the impact of AdDroid with an advertising and must accept all of the application's permission requests or overprivilege measurement study performed on ap- cancel installation. Once installed, these permissions will plications from the Android Market (Section 5). be available to the application each time it executes. 2. BACKGROUND 2.2 Advertising Libraries To frame the problem, we describe the Android permis- Advertising networks serve as middlemen between ap- sion system and explain how mobile advertising currently plication developers and advertisers. The advertising net- works. We then explain how the current system leads to works supply developers with advertising libraries, and de- privacy and security threats from legitimate advertising velopers place the libraries in their applications. The li- networks, grayware, benign-but-buggy applications, mali- braries provide APIs for inserting advertisements into the cious advertising networks, and vulnerable advertising net- application's user interface and handle the fetching, ren- works. dering, and tracking of advertisements. These libraries are responsible for 65%-75%