Post-graduate theses
Identifier |
000441193 |
Title |
This greedy piggy went to the Ad market : stealing users' (Input) data using mobile sensors |
Author
|
Μουστάκας, Σεραφείμ Ι.
|
Thesis advisor
|
Μαρκάτος, Ευάγγελος
|
Reviewer
|
Ιωαννίδης, Σωτήριος
Χριστοφίδης, Βασίλης
|
Abstract |
Mobile sensors in modern smartphones play a crucial role in the human-computer confluence by enhancing and transforming the user experience. However, misuse of mobile sensors, combined with the absence of sufficient access control mechanisms, introduces a plethora of privacy and security risks. As previously demonstrated, there is a wide range of sensor-based attacks using the rich data captured from mobile sensors. While previous attack paths depended on specific requirements, such as malware or visiting a webpage, we found that an alternative and stealthier approach exists and affects all Android users without any requirements.
In this thesis we introduce a novel attack channel that abuses the advertising ecosystem for delivering a variety of sophisticated and sneaky attacks using mobile sensors. The proposed threat model does not depend on app permissions or user-specific actions and affects all Android apps that contain in-app advertisements, due to improper access control for sensor data in WebViews. We explain how motion sensor data can be used to infer a user's sensitive touch input (PIN, password, credit card info, etc.) in two distinct attack scenarios, namely intra-app and inter-app data exfiltration. The former targets information obtained from the app that displays the in-app ads, while the latter targets every other Android app installed on the device. Unfortunately, as in-app ads have the ability to "piggyback" on the permissions obtained for the app's core functionality, they can also obtain information from other sensors such as the camera, the microphone and the GPS.
To provide a comprehensive assessment of this emerging threat, we conduct a large-scale, end-to-end, dynamic analysis of in-app ads that access mobile sensors in applications found in Google Play. We find that in-app ads access and leak data obtained from motion sensors in the wild, and we emphasize the need for a strict access control policy that should be adopted and standardized to better protect users and the advertising ecosystem.
|
Language |
English |
Subject |
Android |
|
Digital advertising |
|
Privacy |
|
Security |
Issue date |
2021-07-30 |
Collection
|
School/Department--School of Sciences and Engineering--Department of Computer Science--Post-graduate theses
|
|
Type of Work--Post-graduate theses
|
Permanent Link |
https://elocus.lib.uoc.gr//dlib/f/7/5/metadata-dlib-1626160341-827749-2012.tkl
|
Digital Documents
|
|
No permission to view document.
It won't be available until: 2024-07-30
|