AsiaCCS'12 AdDroid: Privilege Separation for Applications and Advertisers in Android

References:

Overview:

Problem from Study: Overprivileging of ads:

  • 49% of Android apps contain at least one ad library; these libraries overprivilege 46% of ad-supported apps;
  • 56% of ad-supported apps that request location (34% of all apps) do so only because of ads;

Solution: a new ad framework, AdDroid, to apply privilege separation to advertising libraries:

  • new ad API with corresponding ad permissions.
    • A userspace library that is part of the Android SDK;
    • A new Android system service;
    • New Android permissions;
  • allow applications to show ads without requesting privacy-sensitive permissions.
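The separation the bullets above describe, as an added toy model in Python (example code written for this note, not the paper's implementation; the class names, the ADVERTISING permission string, the package names and the fixed coordinates are illustrative): in the legacy flow an in-process ad library runs with the host app's permissions and reads location directly, so the app manifest must request location; in the AdDroid-style flow the app declares only ADVERTISING, and a separate system-service principal is the only holder of the location permission and is the only one that ever reads it.

```python
"""Toy reference-monitor model of in-process vs. AdDroid-style ad delivery.
Added example, not the paper's code; names and values are constructed."""


class PermissionDenied(Exception):
    pass


class Principal:
    """A trust domain: an app process or a system service, with its granted permissions."""

    def __init__(self, name, permissions):
        self.name = name
        self.permissions = set(permissions)


class LocationProvider:
    """Stands in for the platform location manager. Keeps an audit trail of
    which principal read location. Returns a constructed fixed coordinate."""

    def __init__(self):
        self.reads = []

    def get(self, caller):
        if "ACCESS_FINE_LOCATION" not in caller.permissions:
            raise PermissionDenied(f"{caller.name} lacks ACCESS_FINE_LOCATION")
        self.reads.append(caller.name)
        return (37.77, -122.42)


class InProcessAdLibrary:
    """Legacy model: library code runs inside the app's process and therefore
    exercises the app's own permissions when it reads location."""

    def __init__(self, host_app, location):
        self.host_app = host_app
        self.location = location

    def fetch_ad(self):
        lat, lon = self.location.get(self.host_app)  # runs as the host app
        return f"ad targeted at ({lat}, {lon})"


class AdService(Principal):
    """AdDroid-style system service: a separate principal that holds the
    sensitive permission and mediates ad requests. The caller only needs the
    (hypothetical) ADVERTISING permission; raw location never reaches it."""

    def __init__(self, location):
        super().__init__("system:adservice", {"INTERNET", "ACCESS_FINE_LOCATION"})
        self.location = location

    def request_ad(self, caller):
        if "ADVERTISING" not in caller.permissions:
            raise PermissionDenied(f"{caller.name} lacks ADVERTISING")
        lat, lon = self.location.get(self)  # read as the service, not the app
        return f"ad targeted at ({lat}, {lon})"


def compare_flows():
    """Run both flows against one location provider and report what each app
    had to declare and who actually read location."""
    loc = LocationProvider()
    legacy_app = Principal("com.example.legacy", {"INTERNET", "ACCESS_FINE_LOCATION"})
    legacy_ad = InProcessAdLibrary(legacy_app, loc).fetch_ad()
    service = AdService(loc)
    addroid_app = Principal("com.example.addroid", {"ADVERTISING"})
    addroid_ad = service.request_ad(addroid_app)
    return {
        "legacy_manifest": sorted(legacy_app.permissions),
        "addroid_manifest": sorted(addroid_app.permissions),
        "location_readers": list(loc.reads),
        "same_ad": legacy_ad == addroid_ad,
    }


def unprivileged_app_is_denied():
    """An app that omits ADVERTISING cannot obtain ads through the service."""
    service = AdService(LocationProvider())
    try:
        service.request_ad(Principal("com.example.noperm", {"INTERNET"}))
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    print(compare_flows())
    print("denied without ADVERTISING:", unprivileged_app_is_denied())
```

The audit trail is the point to look at: the same ad content is produced in both flows, but in the AdDroid-style flow the only principal that ever reads location is the system service, which is what lets the app drop the location permission from its manifest.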

Challenges:

  • Two existing separation strategies are inadequate:
    • Intra-process separation, e.g. by assigning each Java class its own protection domain. This has two technical problems:
      • Applications can include native libraries, which can violate the integrity of the VM running in the same process;
      • The Dalvik virtual machine does not support isolation between portions of code within the same virtual machine;
    • Inter-process separation, e.g. by putting advertising libraries into separate, standalone applications. This has four problems:
      • Users can uninstall the ad application;
      • It is difficult to enforce the ADVERTISING permission: many other user applications can also access the ad app, and this is hard to prevent;
      • Install-time dependencies as well as runtime application dependencies need to be resolved. Adding such support would change the Android platform and could create unforeseen abuse opportunities;
      • The distribution of impostor advertising networks needs to be prevented. An impostor advertising network would collect all of the information sent to it without paying the developer and without the privacy policy of a reputable ad network.

Evaluation

  1. Measurement Study: a static permission analysis for the overprivilege study, which answers:
    • How often applications request permissions solely for advertising;
    • How many ad libraries have access to dangerous permissions that are not necessary for advertising;
  2. Usability Discussion: how difficult it would be for developers to switch to AdDroid.
    • Two Goals:
      • a) a single API able to support multiple ad networks;
      • b) easy porting for developers to the new AdDroid API;
    • Two sample applications, with home-built ad servers (for ethical reasons):
      • First sample uses the AdDroid API to fetch AdMob advertisements;
      • Second sample uses the AdDroid API to fetch Millennial Media advertisements;
    • Hacks in implementation:
      • Use home-built servers for ethical reasons;
      • Replace the AdDroid system service with existing advertising libraries;
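The measurement study in item 1 above boils down to a set computation per app: which requested permissions are exercised only by embedded ad-library code and not by the app's own code. The following Python is an added example written for this note (not the paper's analysis tool) that runs that computation over constructed sample data; the library names (AdLibA/B/C), app names and permission sets are all made up, and a real study would derive `own_uses` and the library table by mapping API calls found in the bytecode to the permissions they require.

```python
"""Static-permission overprivilege analysis in the style of the AdDroid
measurement study. Added example with constructed data, not the paper's tool."""
from dataclasses import dataclass, field

LOCATION = "ACCESS_FINE_LOCATION"

# Constructed table: permissions each (hypothetical) ad library's code exercises.
AD_LIBRARY_USES = {
    "AdLibA": {"INTERNET", LOCATION},
    "AdLibB": {"INTERNET", LOCATION, "READ_PHONE_STATE"},
    "AdLibC": {"INTERNET"},
}


@dataclass
class App:
    name: str
    requested: set       # permissions declared in the manifest
    own_uses: set        # permissions exercised by the app's own code
    ad_libs: set = field(default_factory=set)

    def has_ads(self):
        return bool(self.ad_libs)

    def ad_uses(self):
        """Permissions exercised by any embedded ad library."""
        return set().union(*(AD_LIBRARY_USES[lib] for lib in self.ad_libs))

    def only_for_ads(self):
        """Requested permissions that only ad-library code exercises."""
        return (self.requested & self.ad_uses()) - self.own_uses


def analyze(apps):
    """Counts answering the two questions the measurement study asks."""
    ad_apps = [a for a in apps if a.has_ads()]
    overprivileged = [a for a in ad_apps if a.only_for_ads()]
    location_apps = [a for a in apps if LOCATION in a.requested]
    location_only_for_ads = [a for a in location_apps if LOCATION in a.only_for_ads()]
    return {
        "apps": len(apps),
        "ad_apps": len(ad_apps),
        "ad_apps_overprivileged_by_ads": len(overprivileged),
        "location_apps": len(location_apps),
        "location_only_for_ads": len(location_only_for_ads),
        "overprivileged_names": sorted(a.name for a in overprivileged),
    }


def dangerous_ad_library_permissions(dangerous):
    """Which libraries exercise permissions the study would flag as unnecessary
    for advertising (the `dangerous` set is supplied by the caller)."""
    return {lib: sorted(uses & dangerous) for lib, uses in AD_LIBRARY_USES.items()
            if uses & dangerous}


# Constructed sample corpus.
SAMPLE_APPS = [
    App("maps", {"INTERNET", LOCATION}, {"INTERNET", LOCATION}, {"AdLibC"}),
    App("flashlight", {"INTERNET", LOCATION}, set(), {"AdLibA"}),
    App("game", {"INTERNET", LOCATION, "READ_PHONE_STATE"}, {"INTERNET"}, {"AdLibB"}),
    App("notes", {"INTERNET"}, {"INTERNET"}),
    App("weather", {"INTERNET", LOCATION}, {"INTERNET", LOCATION}),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_APPS))
    print(dangerous_ad_library_permissions({LOCATION, "READ_PHONE_STATE"}))
```

On the sample corpus, `flashlight` and `game` are the two ad-supported apps whose manifests carry location only because of the ad library; `maps` also embeds a library but its own code needs every permission it requests, so it is not counted. Because the analysis is static, `own_uses` is an over-approximation of what the app actually does at runtime, which biases the result toward under-reporting ad-only permissions rather than inventing them.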

Can we do the same thing?

No. The idea must come from some internal knowledge of the Android system, especially the advertisement internals, which I am not familiar with. That is, it is hard to think up this idea in the first place.

Even if we know this idea is novel and can be useful, due to limited knowledge of the Android ecosystem, it might take a while to get familiar with the Android platform and implement this.

Created Oct 13, 2019 // Last Updated Dec 19, 2020
