*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Atlanta, GA | Posted: February 22, 2016
ATLANTA – February 22, 2016 – The personal information of millions of smartphone users is at risk due to in-app advertising that can leak potentially sensitive user information between ad networks and mobile app developers, according to a new study by the School of Computer Science at the Georgia Institute of Technology.
Results will be presented Tuesday, Feb. 23 at the 2016 Network and Distributed System Security Symposium (NDSS '16) in San Diego, Calif., by researchers Wei Meng, Ren Ding, Simon Chung, and Steven Han under the direction of Professor Wenke Lee.
The study examined more than 200 participants who used a custom-built app for Android-based smartphones, which account for 52 percent of the U.S. smartphone market according to comScore’s April 2015 report. Georgia Tech researchers reviewed the accuracy of personalized ads that were served to test subjects from the Google AdNetwork based upon their personal interests and demographic profiles; and secondly, examined how much a mobile app creator could uncover about users because of the personalized ads served to them.
Researchers found that 73 percent of ad impressions for 92 percent of users are correctly aligned with their demographic profiles. Researchers also found that, based on ads shown, a mobile app developer could learn a user’s:
Some personal information is deemed so sensitive that Google explicitly states those factors are not used for personalization, yet the study found that app developers still can discover this information due to leakage between ad networks and app developers.
“Free smart phone apps are not really free,” says Wei Meng, lead researcher and a graduate student studying computer science. “Apps – especially malicious apps – can be used to collect potentially sensitive information about someone simply by hosting ads in the app and observing what is received by a user. Mobile, personalized in-app ads absolutely present a new privacy threat.”
Unlike advertising on a website page, where personalized ad content is protected from publishers and other third parties by the Same Origin Policy, there is no isolation of personalized ad content from the mobile app developer.
For the smartphone dependent population – the 7 percent of largely low-income Americans, defined by Pew Internet ("U.S. Smartphone Use in 2015"), who have neither traditional broadband at home nor any other online alternative – their personal information may be particularly at risk.
“People use their smartphones now for online dating, banking, and social media every day,” said Wenke Lee, professor of computer science and co-director of the Institute for Information Security & Privacy at Georgia Tech. “Mobile devices are intimate to users, so safeguarding personal information from malicious parties is more important than ever.”
The study acknowledges that the online advertising industry is taking steps to protect users’ information by improving the HTTPS protocol, but researchers believe the threat to user privacy is greater than HTTPS protection can provide under a mobile scenario.
The researchers contacted Google AdNetworks about their finding.
Georgia Tech's School of Computer Science will present three additional papers at the conference.