Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday August 19 2017, @06:04PM   Printer-friendly
from the slurp-slurp-slurp dept.

Arthur T Knackerbracket has found the following story:

Oxford researchers [...] (Vincent Taylor, Alastair Beresford and Ivan Martinovic) [...] [looked] at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

As the paper explains, shared libraries can borrow permissions an app doesn't have [...] That's a threat, because library re-use across different apps isn't a bug, it's a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries [...] handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user's files which can indicate their interests), and the microphone.

Of more than 15,000 apps with more than a million downloads, the researchers went to work decompiling apps to identify the libraries they linked to. Those they successfully decompiled, they analysed for their intra-library collusion potential.

The 18 most popular libraries include familiar names:

Library% of apps
com/facebook11.9
com/google/android/gms/analytics9.8
com/flurry6.3
com/chartboost/sdk5.9
com/unity3d5.2
com/applovin3.5
com/mopub3.1
com/inmobi3.0
com/google/ads3.0
com/google/android/gcm2.7
com/tapjoy2.4
org/cocos2d2.4
com/amazon2.0
com/millennialmedia1.6
org/apache/commons1.4
com/heyzap1.4
com/nostra13/universalimageloader1.3
com/adobe/air1.0

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write, and this at least offers opportunities for an underhanded ad network to improve their data collection without seeking extra permissions from users.

[...] Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by RamiK on Saturday August 19 2017, @07:37PM

    by RamiK (1813) on Saturday August 19 2017, @07:37PM (#556450)

    Back in the day, Open Whisper Systems' Signal was forked over the usage of google APIs for trivial wake up events and the like. Eventually, Moxie voiced his displeasure about the fork using their server infrastructure and so the project died. Well, following this study, there was reasons to be concerned after all: By using Google's libraries, Signal is effectively handing Google access to contacts, non-encrypted SMSs, encrypted messages' metadata, etc...

    Well, at least it's better then Allo.

    --
    compiling...
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2