Abusing mobile advertising ecosystems for device identification and geolocation

Keywords
MAID; ADINT; Advertising intelligence

Abstract
This thesis attempts to highlight the risks involved in the misuse of advertising mechanisms for user tracking purposes. This technique, also known as Advertising Intelligence (ADINT), is examined and analyzed, not only theoretically, but also through an experimental implementation. The Proof-of-Concept that was designed demonstrates how a malicious actor manages to target and locate devices by utilizing only open-source tools and native functions of the operating systems of smart devices.
The system collects the Mobile Advertising ID (MAID) and applies fingerprinting techniques, combining device characteristics with sensor data. The identification is based on a score-based comparison system, and if a similarity is detected, the display of a seemingly innocent banner is triggered. When the user touches the banner, the game, or any application that uses the system, gains access to the geographical location through the Android Location APIs, even if the user is using a VPN. For cases where the device does not provide access to GPS, there is an alternative location estimation mechanism through latency measurements and traceroute of intermediate nodes, which operates silently in the background.
All the data is stored in a MySQL database, which allows for the correlation of MAID, as well as geographic and behavioral data. The research highlights the weakness of existing privacy protection tools (e.g. VPN, MAID reset), and suggests countermeasures both at a technical level and in a regulatory framework.
Finally, this thesis is proof of how seemingly innocent applications, such as a simple mobile game, can be transformed into highly accurate monitoring tools. The line between advertising and surveillance is now very thin. Unless there is stricter control over the use of advertising SDKs and access permissions to sensitive APIs, users’ everyday lives risk becoming a continuous surveillance experiment, without users knowing it.

