Information sent to AdSDK providers (AdSDK) or advertisers (Ads)AdSDKFine LocAndroid IDH(Android ID)AdMob  MoPub AdSDK, AdsAdSDKAirPush AdSDKAdSDK, AdsAdMarvel  AdSDK Ads, Ads GAIDModelAdSDKAdSDKAdSDK , Ads , Ads AdSDKAdSDKH(IMEI)AdSDKAdSDK, AdsAdSDK, AdsAdSDK, AdsInformation sent only if Google Play Services are present on the device.Information sent only if Google Play Services are not present on the device.TABLE II: Tracking information available to advertisers and AdSDK providerscan reset their identifiers to avoid tracking. We don’tknow whether users are aware of this or do in fact resetthis identifier. In any case, location itself is a strongdeanonymizer [20, 31, 55]. Furthermore, on devices without Google Play Services, fixed hash values of permanentAndroid identifiers are used instead of GAID. Wheneverlocation is paired with a semi-permanent or permanentidentifier, the advertiser can infer the device’s trajectory(see Section VI-E).III.Advertising software stack on AndroidA. AdSDKs and WebViewDevelopers of ad-supported mobile apps integrateAdSDK code into their apps and request permissionsneeded by AdSDKs. When the user runs an ad-supportedapp, the included AdSDK fetches advertising creatives bysending a GET or POST HTTP(S) request to its provider’sservers. As explained in Section II-C, AdSDK may attachdevice identifier and location to these requests.Depending on the AdSDK, the response from the servermay be in JSON, XML, or HTML. AdSDK extracts an advertising creative from this response. AdSDK then createsa WebView instance and loads the extracted creative intothis instance. WebView is an Android class designed todisplay webpages inside apps .Figure 2 shows a banner impression from the AdMobAdSDK and an interstitial impression from the MoPubAdSDK, both displayed within WebView (and deliberatelyblurred).Fig. 2: Examples of mobile advertising impressionsin access control for external storage. First, reading external storage requires the READ EXTERNAL STORAGE permission (implicitly granted by WRITE EXTERNAL STORAGE). Second, each app has its owndirectory on external storage, allowing it to manage itsdata without any storage permissions. Apps with the READ EXTERNAL STORAGE permission can read datafrom the directories managed by other apps, but cannotwrite into them.MoPub, AirPush, and AdMarvel all instruct app developers to request WRITE EXTERNAL STORAGE sothat their AdSDKs can function properly. This automatically grants the READ EXTERNAL STORAGE permission. Furthermore, READ EXTERNAL STORAGEis one of the top four permissions requested by apps inpopular categories . Therefore, we assume that mostad-supported mobile apps can read external storage.B. External storageIt is critical for AdSDKs to reduce latency when delivering advertising creatives to mobile devices and to minimizenetwork data usage. AdSDKs thus need to cache files,images, and advertising videos on the device. They useexternal storage for this purpose.Android supports devices with external storage ,typically an SD card. External storage is protected by thepermission system. Prior to Android 4.4 KitKat, readingdata from external storage did not require any permissions; writing required the WRITE EXTERNAL STORAGE permission. Android 4.4 made two major changesC. Mobile ad isolationAs explained in Section II-B, mobile ads must betreated as potentially malicious. Even prominent Internet sites have been affected by malicious advertisingimpressions . Furthermore, many AdSDK providers,including AdMob, MoPub, and AdMarvel, serve ads overHTTP. Therefore, a man-in-the-middle attacker can injectmalicious code into ads as they travel over the network.4
Mobile advertising helps developers of mobile apps obtain revenue without directly charging users. Therefore, advertising is a key component of the mobile app ecosys-tem. Mobile advertising is typically integrated into mobile apps via an advertising library or SDK (AdSDK), which fetches and displays mobile ads while the app is running.