PmDroid: Permission Supervision for Android Advertising

It is well-known that Android mobile advertising networks may abuse their host applications' permission to collect private information. Since the advertising library and host app are running in the same process, the current Android permission mechanism cannot prevent an ad network from collecting private data that is out of an ad network's permission range. In this paper, we propose PmDroid to protect the data that is not under the scope of the ad network's permission set. PmDroid can block the data from being sent to advertising servers at the occurrence of permission violation in ad networks. Moreover, we utilize PmDroid to assess how serious the permission violation problem is in the ad networks. We first implement 53 sample apps using a single ad network library. We grant all permissions of Android 4.3 to these apps and record the data sent to the Internet. Then, we further analyze 430 published market apps. In total, there are 76 ad networks identified in our experiments. We compare the permission of data received by these ad networks with their official documents. Our experimental results indicate that the permission violation is a real problem in existing ad network markets.