{"504131":{"#nid":"504131","#data":{"type":"news","title":"Georgia Tech Discovers How Mobile Ads Leak Personal Data","body":[{"value":"\u003Cp\u003E\u003Cstrong\u003EATLANTA \u2013 February 22, 2016\u003C\/strong\u003E \u003Cstrong\u003E\u2013\u003C\/strong\u003E The personal information of millions of smartphone users is at risk due to in-app advertising that can leak potentially sensitive user information between ad networks and mobile app developers, according to a new study by the \u003Ca href=\u0022http:\/\/www.scs.gatech.edu\/\u0022\u003ESchool of Computer Science\u003C\/a\u003E at the Georgia Institute of Technology.\u003C\/p\u003E\u003Cp\u003EResults will be presented Tuesday, Feb. 23 at the \u003Ca href=\u0022http:\/\/www.internetsociety.org\/events\/ndss-symposium-2016\u0022\u003E2016 Network and Distributed System Security Symposium (NDSS \u002716)\u003C\/a\u003E in San Diego, Calif., by researchers \u003Cstrong\u003EWei Meng\u003C\/strong\u003E, \u003Cstrong\u003ERen Ding\u003C\/strong\u003E, \u003Cstrong\u003ESimon Chung\u003C\/strong\u003E, and \u003Cstrong\u003ESteven Han\u003C\/strong\u003E under the direction of Professor \u003Ca href=\u0022http:\/\/www.iisp.gatech.edu\/wenke-lee\u0022\u003E\u003Cstrong\u003EWenke Lee\u003C\/strong\u003E\u003C\/a\u003E.\u003C\/p\u003E\u003Cp\u003EThe study examined more than 200 participants who used a custom-built app for Android-based smartphones, which account for 52 percent of the U.S. smartphone market according to \u003Ca href=\u0022https:\/\/www.comscore.com\/Insights\/Market-Rankings\/comScore-Reports-April-2015-U.S.-Smartphone-Subscriber-Market-Share\u0022\u003EcomScore\u2019s April 2015 report\u003C\/a\u003E. Georgia Tech researchers reviewed the accuracy of personalized ads that were served to test subjects from the Google AdNetwork based upon their personal interests and demographic profiles; and secondly, examined how much a mobile app creator could uncover about users because of the personalized ads served to them.\u003C\/p\u003E\u003Cp\u003EResearchers found that 73 percent of ad impressions for 92 percent of users are correctly aligned with their demographic profiles. Researchers also found that, based on ads shown, a mobile app developer could learn a user\u2019s:\u003C\/p\u003E\u003Cul\u003E\u003Cli\u003Egender with 75 percent accuracy,\u003C\/li\u003E\u003Cli\u003Eparental status with 66 percent accuracy,\u003C\/li\u003E\u003Cli\u003Eage group with 54 percent accuracy, and\u003C\/li\u003E\u003Cli\u003Ecould also predict income, political affiliation, marital status, with higher accuracy than random guesses.\u003C\/li\u003E\u003C\/ul\u003E\u003Cp\u003ESome personal information is deemed so sensitive that Google explicitly states those factors are not used for personalization, yet the study found that app developers still can discover this information due to leakage between ad networks and app developers.\u003C\/p\u003E\u003Cp\u003E\u201cFree smart phone apps are not really free,\u201d says Wei Meng, lead researcher and a graduate student studying computer science. \u201cApps \u2013 especially malicious apps \u2013 can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user. Mobile, personalized in-app ads absolutely present a new privacy threat.\u201d\u003C\/p\u003E\u003Ch6\u003E\u003Cstrong\u003EHow it Works\u003C\/strong\u003E\u003C\/h6\u003E\u003Cul\u003E\u003Cli\u003EMobile app developers choose to accept in-app ads inside their app.\u003C\/li\u003E\u003Cli\u003EAd networks pay a fee to app developers in order to show ads and monitor user activity \u2013 collecting app lists, device models, geo-locations, etc. This aggregate information is made available to help advertisers choose where to place ads.\u003C\/li\u003E\u003Cli\u003EAdvertisers instruct an ad network to show their ads based on topic targeting (such as \u201cAutos \u0026amp; Vehicles\u201d), interest targeting (such as user usage patterns and previous click thrus), and demographic targeting (such as estimated age range).\u003C\/li\u003E\u003Cli\u003EThe ad network displays ads to appropriate mobile app users and receives payment from advertisers for successful views or click thrus by the recipient of the ad.\u003C\/li\u003E\u003Cli\u003EIn-app ads are displayed unencrypted as part of the app\u2019s graphical user interface. Therefore, mobile app developers can access the targeted ad content delivered to its own app users and then reverse engineer that data to construct a profile of their app customer.\u003C\/li\u003E\u003C\/ul\u003E\u003Cp\u003EUnlike advertising on a website page, where personalized ad content is protected from publishers and other third parties by the \u003Ca href=\u0022https:\/\/en.wikipedia.org\/wiki\/Same-origin_policy\u0022\u003ESame Origin Policy\u003C\/a\u003E, there is no isolation of personalized ad content from the mobile app developer.\u003C\/p\u003E\u003Cp\u003EFor the smartphone dependent population \u2013 the 7 percent of largely low-income Americans, defined by \u003Ca href=\u0022http:\/\/www.pewinternet.org\/2015\/04\/01\/us-smartphone-use-in-2015\/\u0022\u003EPew Internet (\u0022U.S. Smartphone Use in 2015\u0022)\u003C\/a\u003E, who have neither traditional broadband at home nor any other online alternative \u2013 their personal information may be particularly at risk.\u003C\/p\u003E\u003Cp\u003E\u201cPeople use their smartphones now for online dating, banking, and social media every day,\u201d said Wenke Lee, professor of computer science and co-director of the Institute for Information Security \u0026amp; Privacy at Georgia Tech. \u201cMobile devices are intimate to users, so safeguarding personal information from malicious parties is more important than ever.\u201d\u003C\/p\u003E\u003Cp\u003EThe study acknowledges that the online advertising industry is taking steps to protect users\u2019 information by improving the HTTPS protocol, but researchers believe the threat to user privacy is greater than HTTPS protection can provide under a mobile scenario.\u003C\/p\u003E\u003Cp\u003EThe researchers contacted Google AdNetworks about their finding.\u003C\/p\u003E\u003Ch6\u003E\u003Cstrong\u003E\u003Ca href=\u0022http:\/\/www.cc.gatech.edu\/%7Ewmeng6\/ndss16_mobile_ad.pdf\u0022\u003EDownload\u003C\/a\u003E the complete research paper.\u003C\/strong\u003E\u003C\/h6\u003E\u003Cp\u003E\u0026nbsp;\u003C\/p\u003E\u003Ch5\u003E\u003Cstrong\u003EAdditional research at NDSS \u002716\u003C\/strong\u003E\u003C\/h5\u003E\u003Cp\u003E\u003Cem\u003EGeorgia Tech\u0027s School of Computer Science will present three additional papers at the conference. \u003C\/em\u003E\u003C\/p\u003E\u003Cul\u003E\u003Cli\u003E\u0022\u003Ca href=\u0022https:\/\/taesoo.gtisc.gatech.edu\/pubs\/2016\/kdfi\/kdfi.pdf\u0022\u003EEnforcing Kernel Security Invariants with Data Flow Integrity\u003C\/a\u003E\u0022 by Chengyu Song, Byoungyoung Lee, Kangjie Lu, William Harris, and Wenke Lee\u003C\/li\u003E\u003Cli\u003E\u0022\u003Ca href=\u0022http:\/\/www.cc.gatech.edu\/%7Eklu38\/publications\/runtimeaslr-ndss16.pdf\u0022\u003EHow to Make ASLR Win the Clone Wars: Runtime Re-Randomization\u003C\/a\u003E\u003Cem\u003E\u0022 \u003C\/em\u003Eby Kangjie Lu, Stefan Nurnberger, Michael Backes, and Wenke Lee\u003C\/li\u003E\u003Cli\u003E\u0022\u003Ca href=\u0022https:\/\/taesoo.gtisc.gatech.edu\/pubs\/2016\/opensgx\/opensgx.pdf\u0022\u003EOpenSGX: \u0026nbsp;An Open Platform for SGX Research\u003C\/a\u003E\u003Cem\u003E\u0022 \u003C\/em\u003Eby Prerit Jain, Soham Desai, Ming-Wei Shih, and Taesoo Kim in partnership with KAIST of South Korea researchers Seongmin Kim, JaeHyuk Lee, Changho Choi, Youjung Shin, Brent Byunghoon Kang, and Dongsu Han\u003C\/li\u003E\u003C\/ul\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003ESchool of Computer Science researchers find that personalized in-app ads can leak sensitive profile information between developers and ad networks. Their study will be presented Feb. 23 at the 2016 Network and Distributed System Symposium in San Diego, Calif.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"School of Computer Science researchers find that personalized in-app ads can leak sensitive profile information between developers and ad networks."}],"uid":"27490","created_gmt":"2016-02-22 09:49:40","changed_gmt":"2016-10-08 03:20:49","author":"Tara La Bouff","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2016-02-22T00:00:00-05:00","iso_date":"2016-02-22T00:00:00-05:00","tz":"America\/New_York"},"extras":[],"hg_media":{"504141":{"id":"504141","type":"image","title":"Researchers Wei Meng and Ren Ding","body":null,"created":"1456167600","gmt_created":"2016-02-22 19:00:00","changed":"1475895263","gmt_changed":"2016-10-08 02:54:23","alt":"Researchers Wei Meng and Ren Ding","file":{"fid":"205913","name":"ndss_presenters_meng_-_ding.jpg","image_path":"\/sites\/default\/files\/images\/ndss_presenters_meng_-_ding_0.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/ndss_presenters_meng_-_ding_0.jpg","mime":"image\/jpeg","size":246676,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/ndss_presenters_meng_-_ding_0.jpg?itok=QeMZDNbk"}},"504151":{"id":"504151","type":"image","title":"Mobile App Ad Delivery","body":null,"created":"1456167600","gmt_created":"2016-02-22 19:00:00","changed":"1475895263","gmt_changed":"2016-10-08 02:54:23","alt":"Mobile App Ad Delivery","file":{"fid":"205914","name":"mobile_app_ad_ecosystem_crop.jpg","image_path":"\/sites\/default\/files\/images\/mobile_app_ad_ecosystem_crop_0.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/images\/mobile_app_ad_ecosystem_crop_0.jpg","mime":"image\/jpeg","size":339404,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/images\/mobile_app_ad_ecosystem_crop_0.jpg?itok=p-PBEP5k"}}},"media_ids":["504141","504151"],"groups":[{"id":"47223","name":"College of Computing"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and Security"}],"keywords":[{"id":"1404","name":"Cybersecurity"},{"id":"34741","name":"mobile app"},{"id":"166941","name":"School of Computer Science"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"},{"id":"39501","name":"People and Technology"}],"news_room_topics":[{"id":"71881","name":"Science and Technology"},{"id":"71901","name":"Society and Culture"}],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETara La Bouff\u003C\/p\u003E\u003Cp\u003E602.770.0264\u003C\/p\u003E","format":"limited_html"}],"email":["tlabouff@cc.gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}