Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday August 19 2017, @06:04PM   Printer-friendly
from the slurp-slurp-slurp dept.

Arthur T Knackerbracket has found the following story:

Oxford researchers [...] (Vincent Taylor, Alastair Beresford and Ivan Martinovic) [...] [looked] at how the same library in two different apps could expose information from a higher-privilege app to one with lower privilege.

They write that this “intra-library collusion” (ILC) happens “when individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted”.

As the paper explains, shared libraries can borrow permissions an app doesn't have [...] That's a threat, because library re-use across different apps isn't a bug, it's a feature: it makes app development more efficient and keeps apps small by letting them use code pre-loaded to a device.

While noting that attackers are standardising their own libraries, the researchers focussed their effort on advertising libraries [...] handling location, app usage, device information, communication data like call logs and messages, access to storage (including, for example, a user's files which can indicate their interests), and the microphone.

Of more than 15,000 apps with more than a million downloads, the researchers went to work decompiling apps to identify the libraries they linked to. Those they successfully decompiled, they analysed for their intra-library collusion potential.

The 18 most popular libraries include familiar names:

Library% of apps
com/facebook11.9
com/google/android/gms/analytics9.8
com/flurry6.3
com/chartboost/sdk5.9
com/unity3d5.2
com/applovin3.5
com/mopub3.1
com/inmobi3.0
com/google/ads3.0
com/google/android/gcm2.7
com/tapjoy2.4
org/cocos2d2.4
com/amazon2.0
com/millennialmedia1.6
org/apache/commons1.4
com/heyzap1.4
com/nostra13/universalimageloader1.3
com/adobe/air1.0

“The main catalyst that allows ILC to happen is the failure of the Android permission system to separate the privileges of libraries and their host apps”, they write, and this at least offers opportunities for an underhanded ad network to improve their data collection without seeking extra permissions from users.

[...] Digging deeper into how advertiser libraries behaved, they found on average those libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day”.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Ethanol-fueled on Sunday August 20 2017, @02:10AM (1 child)

    by Ethanol-fueled (2792) on Sunday August 20 2017, @02:10AM (#556565) Homepage

    I notice a pattern here. All those services belong to companies we hate. And of course Google's crap is going to be riddled with backdoors no matter what they tell you.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  

    Total Score:   2  
  • (Score: 0) by Anonymous Coward on Sunday August 20 2017, @04:32AM

    by Anonymous Coward on Sunday August 20 2017, @04:32AM (#556592)

    You've been backdoored many times.