Block me if you can!

Block Me If You Can! A Large-Scale Study of Tracker-Blocking Tools
Georg Merzdovnik, Markus Huber, Damjan Buhov, Nick Nikiforakis, Sebastian Neuner, Martin Schmiedecker, Edgar Weippl

Euro S&P 2017, Paris, 27.04.2017

Motivation
• Tracking: major impact on online privacy & security
• Past research: "everyone tracks"
• Opt-out cookies and DNT header do not work
  – Blocking tools are the only option left for users
• Effectiveness of blocking tools?

Block me if you can! | Markus Huber | IEEE Euro S&P, Paris 2017

2/18

brief background

Types of online tracking
• Stateful tracking
  – HTTP cookies, "supercookies"
• Stateless tracking, aka fingerprinting
  – Re-identify users based on their devices/software
• Mobile tracking
  – In-app ads/tracking: additional sensitive information


Blocking Tools
• DNS-based
  – Entire domains only, e.g. http://news.com/track.js
• Proxy-based
  – Focus on HTTP traffic, e.g. https://facebook.com/like.php
• Browser extensions
  – Most effective tools (not applicable to in-app tracking)
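The slide's point is one of granularity and visibility: a DNS blocklist can only drop a whole host, a forward proxy sees full URLs only for plain HTTP (for HTTPS it sees just the CONNECT host), and a browser extension sees every URL the browser requests. The following added example (not code from the paper or its CRAWLIUM tool) models the three tool types over a handful of constructed request URLs; the blocklist entries, proxy rules and the simplified "||host/path" extension rules are assumptions for illustration, not real EasyList entries.

```python
"""Granularity of DNS-based, proxy-based and extension-based blocking.
Added example with constructed URLs and rules; not from the paper."""
from urllib.parse import urlsplit

# Constructed sample requests (assumed, not measured data).
SAMPLE_REQUESTS = [
    "http://news.com/track.js",               # tracker script on a plain-HTTP host
    "http://news.com/article.html",           # legitimate content on the same host
    "https://facebook.com/like.php",          # social widget over HTTPS
    "https://facebook.com/",                  # first-party visit to the same host
    "https://cdn.tracker.example/pixel.gif",  # subdomain of a listed tracker
]

# DNS-based list: hostnames only (hosts-file / Pi-hole style), assumed entries.
DNS_BLOCKLIST = {"news.com", "tracker.example"}

# Proxy rules: (host, path prefix). Assumed; only usable for plain-HTTP requests.
PROXY_RULES = [("news.com", "/track.js"), ("facebook.com", "/like.php")]

# Extension rules in a simplified EasyList-like "||host/path" form (assumption:
# real EasyList syntax has many more options). The extension sees full URLs.
EXTENSION_RULES = [
    "||news.com/track.js",
    "||facebook.com/like.php",
    "||tracker.example/pixel.gif",
]


def host_matches(host, blocked_host):
    """True if host equals blocked_host or is a subdomain of it."""
    return host == blocked_host or host.endswith("." + blocked_host)


def dns_blocked(url):
    """DNS blocking: the whole host goes, tracker and content alike."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, b) for b in DNS_BLOCKLIST)


def proxy_blocked(url):
    """Proxy blocking: path rules only fire where the proxy can see the path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        # Without TLS interception the proxy never sees the HTTPS path.
        return False
    return any(host_matches(host, h) and parts.path.startswith(p)
               for h, p in PROXY_RULES)


def extension_blocked(url):
    """Extension blocking: full URL available regardless of scheme."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for rule in EXTENSION_RULES:
        rule_host, _, rule_path = rule[2:].partition("/")
        if host_matches(host, rule_host) and parts.path.startswith("/" + rule_path):
            return True
    return False


def classify(url):
    """Decision of each tool type for one request URL."""
    return {"dns": dns_blocked(url),
            "proxy": proxy_blocked(url),
            "extension": extension_blocked(url)}


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{url:45} {classify(url)}")
```

Running it shows the trade-offs the slide lists: the DNS list blocks track.js but also the article on news.com (overblocking), the proxy cannot touch the HTTPS like.php at all, and only the extension blocks exactly the two tracker URLs while leaving the first-party pages alone.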


Blocking Rules
• Community-driven
  – EasyList, EasyPrivacy, ...
• Centralized
  – Ghostery, Disconnect, ...
• Algorithmic
  – EFF Privacy Badger


experiments

Sample: browser extensions
• Alexa Top 200k
  – 3 subpages each
  – 4.25% failed
  – 5 extensions
• Extension settings
  – Default settings (except Ghostery)
  – Privacy Badger trained with Alexa Top 1k


CRAWLIUM framework
– Scalable (12h for dataset)
– Parallel collection for temporal effects
– CRAWLIUM vs. OpenWPM


Sample: Android apps
• 10k Android apps
  – 3 DNS blocklists (EasyList, AdAway, MoABB)
  – Dynamic instrumentation
    ● Genymotion + monkeyrunner
    ● 90.61% successful


results: effectiveness


results: fingerprinting


findings

Tracking and Security
• Fewer trackers == less risk
  – Attacks via drive-by downloads
  – Piggybacking on user tracking
• Third parties and TLS
  – 60% in our sample HTTP only
  – HTTP injection attacks
  – Might change due to Let's Encrypt
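A third party that is only ever loaded over plain HTTP is exactly the case in which a network-level attacker can alter the tracker response in transit, which is why the HTTP-only share matters. The added example below (not the paper's CRAWLIUM analysis code) computes that share from a constructed set of crawl records, grouping requests by the third party's registrable domain; the records, the domain names and the simplified "last two labels" eTLD+1 helper are assumptions, and a real measurement would use the Public Suffix List instead.

```python
"""HTTP-only third parties in a crawl. Added example; records are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed crawl records: (first-party page URL, URL requested while loading it).
CRAWL_RECORDS = [
    ("https://shop.example/", "https://shop.example/app.js"),
    ("https://shop.example/", "http://stats.adnet.example/collect.js"),
    ("https://blog.example/post", "http://stats.adnet.example/collect.js"),
    ("https://blog.example/post", "https://widgets.social.example/like.js"),
    ("http://forum.example/", "http://widgets.social.example/like.js"),
    ("http://forum.example/", "http://img.cdn.example/logo.png"),
]


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels. Assumption for this example;
    a real implementation must consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(page_url, request_url):
    """A request is third-party if its registrable domain differs from the page's."""
    page_host = urlsplit(page_url).hostname or ""
    req_host = urlsplit(request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(req_host)


def tls_usage_by_third_party(records):
    """Map each third-party registrable domain to the set of schemes it was loaded with."""
    schemes = defaultdict(set)
    for page, req in records:
        if is_third_party(page, req):
            parts = urlsplit(req)
            schemes[registrable_domain(parts.hostname or "")].add(parts.scheme)
    return schemes


def http_only_third_parties(records):
    """Third parties that were never seen over HTTPS anywhere in the crawl."""
    usage = tls_usage_by_third_party(records)
    return sorted(d for d, s in usage.items() if s == {"http"})


def http_only_share(records):
    """Fraction of third-party domains that are HTTP only (the slide's 60% metric)."""
    usage = tls_usage_by_third_party(records)
    if not usage:
        return 0.0
    return len(http_only_third_parties(records)) / len(usage)


def plain_http_script_loads(records):
    """Third-party scripts fetched over plain HTTP: the loads an on-path
    attacker could tamper with, so the first ones to move to HTTPS."""
    return sorted({req for page, req in records
                   if is_third_party(page, req)
                   and urlsplit(req).scheme == "http"
                   and urlsplit(req).path.endswith(".js")})


if __name__ == "__main__":
    print("HTTP-only third parties:", http_only_third_parties(CRAWL_RECORDS))
    print(f"HTTP-only share: {http_only_share(CRAWL_RECORDS):.0%}")
    print("plain-HTTP script loads:", plain_http_script_loads(CRAWL_RECORDS))
```

Note the per-domain view: social.example is loaded over both schemes, so it is not HTTP only, but its plain-HTTP like.js on the HTTP forum page still shows up in the script list; a site operator auditing their own third parties wants both views.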


Future Tracking Defense
• Filter rules
  – Centralized: best protection; community: small trackers
  – Algorithmic: false positives
  – New heuristic-based approaches
• Blind spots
  – Social widgets (often weak protection)
  – Fingerprinting services on the rise
  – Mobile apps (in-app tracking)
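The algorithmic approach from the Blocking Rules slide (EFF Privacy Badger) and the "false positives" finding above can be seen together in one small model. Privacy Badger's documented rule is to block a third-party domain once it has been observed tracking on three or more distinct first-party sites, which is also why the study pre-trained it on the Alexa Top 1k: an untrained instance blocks nothing. The added example below (not Privacy Badger's code) implements that rule over constructed training records, counting only cookie-setting third parties; the domain names are invented, and Privacy Badger's other signals (supercookies, fingerprinting) and its cookie-blocking exception list for widely used domains are left out.

```python
"""Privacy Badger-style learning blocker. Added example; records are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

TRACKING_THRESHOLD = 3  # Privacy Badger's "seen tracking on 3 sites" rule

# Constructed training records: (first-party page, third-party host, set a cookie?).
TRAINING_RECORDS = [
    ("https://a.example/", "pixel.adnet.example", True),
    ("https://b.example/", "pixel.adnet.example", True),
    ("https://c.example/", "pixel.adnet.example", True),
    ("https://a.example/", "static.bigcdn.example", True),   # CDN load-balancer cookie
    ("https://b.example/", "static.bigcdn.example", True),
    ("https://c.example/", "static.bigcdn.example", True),
    ("https://d.example/", "static.bigcdn.example", True),
    ("https://a.example/", "widgets.social.example", True),  # only seen on two sites
    ("https://b.example/", "widgets.social.example", True),
    ("https://a.example/", "fonts.example", False),          # no cookie: not tracking
    ("https://b.example/", "fonts.example", False),
    ("https://c.example/", "fonts.example", False),
]


def registrable_domain(host):
    """Simplified eTLD+1 (last two labels); an assumption, real code uses the PSL."""
    return ".".join(host.lower().split(".")[-2:])


class HeuristicBlocker:
    """Learns which third-party domains track across sites and blocks those."""

    def __init__(self, threshold=TRACKING_THRESHOLD):
        self.threshold = threshold
        # tracker domain -> set of first-party domains it was seen tracking on
        self.sites_tracked_on = defaultdict(set)

    def observe(self, page_url, request_host, sets_cookie):
        """Record one third-party request made while loading page_url."""
        page_domain = registrable_domain(urlsplit(page_url).hostname or "")
        tracker = registrable_domain(request_host)
        if tracker == page_domain or not sets_cookie:
            return  # first-party, or no tracking signal observed
        self.sites_tracked_on[tracker].add(page_domain)

    def train(self, records):
        for page, host, cookie in records:
            self.observe(page, host, cookie)
        return self

    def blocked_domains(self):
        """Domains seen tracking on at least `threshold` distinct sites."""
        return sorted(d for d, sites in self.sites_tracked_on.items()
                      if len(sites) >= self.threshold)

    def decide(self, request_host):
        """True if a request to request_host would be blocked right now."""
        return registrable_domain(request_host) in set(self.blocked_domains())


if __name__ == "__main__":
    untrained = HeuristicBlocker()
    print("untrained blocks:", untrained.blocked_domains())  # nothing yet
    trained = HeuristicBlocker().train(TRAINING_RECORDS)
    print("trained blocks:", trained.blocked_domains())
    for host in ("pixel.adnet.example", "static.bigcdn.example",
                 "widgets.social.example", "fonts.example"):
        print(f"{host:25} blocked={trained.decide(host)}")
```

The two failure modes from the slides fall out directly: bigcdn.example gets blocked because a harmless cookie on four sites looks identical to tracking (a false positive that can break pages), while the social widget stays unblocked because it was seen on only two sites during training (weak protection for social widgets until enough sites have been visited).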


future challenges

Future challenges
• Blocker / anti-blocker arms race
  – Number of websites blocking adblock users
  – Methods for detection/blocking of adblock-blockers
  – Under-/overblocking of different approaches
• Provide for mobile devices
  – Android: alternative browser (soon in Chrome)
  – In-app tracker blocker without rooting


Questions? [email protected] https://keybase.io/nysos