DOI: 10.1145/3372224.3419205
Research article

Re-identification of mobile devices using real-time bidding advertising networks

Published: 18 September 2020

Abstract

Advertisers gather data about users and their mobile devices through ads placed within Android and iOS apps. Most of the time, location, device, and app information are linked to the same device using a unique advertising ID (Ad ID). If the Ad ID is not available, advertisers can still use geo-coordinates or the IP address to infer links in data gathered from different ad placements.
Even though the Ad ID can be disabled by users on both OSes, we demonstrate that advertisers can leave their own unique strings (marks) in the app storage, and use these strings to link information collected from ads. Users cannot clear these marks without losing all data within the app. Because advertising platforms allow connection filtering and geofencing, users who either connect using a non-cellular IP address or allow location access to the app are substantially easier for the advertiser to rediscover.
We carried out many large-scale experiments on iOS and Android devices involving hundreds of thousands of impressions. We found that, on average, 49% of impressions from an iOS device and 59% of Android impressions could be re-identified for less than $5/day per device using this strategy. We subsequently verified this method on 1,727 devices and recovered 660 of them within 48 hours for $86.73. Finally, we explore the behavior of privacy-seeking VPN users. We found that for the majority, their clearnet IP address and location could be unmasked easily using ads.


Published In

MobiCom '20: Proceedings of the 26th Annual International Conference on Mobile Computing and Networking
April 2020
621 pages
ISBN: 9781450370851
DOI: 10.1145/3372224

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. VPN
2. cellular
3. mobile advertising
4. privacy
5. security

Qualifiers

• Research-article

Conference

MobiCom '20

Acceptance Rates

Overall Acceptance Rate 440 of 2,972 submissions, 15%

Article Metrics

• Downloads (last 12 months): 57
• Downloads (last 6 weeks): 12
Reflects downloads up to 11 Dec 2024

Cited By

• (2023) ANDetect: A Third-party Ad Network Libraries Detection Framework for Android Applications. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 98-112. DOI: 10.1145/3627106.3627182. Online publication date: 4-Dec-2023
• (2022) Mixed Training Mode of Business English Cloud Classroom Based on Mobile APP with Shared SDK. 2022 International Conference on Electronics and Renewable Systems (ICEARS), pp. 792-795. DOI: 10.1109/ICEARS53579.2022.9751874. Online publication date: 16-Mar-2022
• (2022) DroidFP: A Zero-Permission Detection Framework for Android Devices Based on Gated Recurrent Unit. Science of Cyber Security, pp. 364-374. DOI: 10.1007/978-3-031-17551-0_24. Online publication date: 30-Sep-2022
• (2021) This Sneaky Piggy Went to the Android Ad Market: Misusing Mobile Sensors for Stealthy Data Exfiltration. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1065-1081. DOI: 10.1145/3460120.3485366. Online publication date: 12-Nov-2021
