Authors:
Shuai Li, Zhemin Yang,Guangliang Yang, Hange Zhang, Nan Hua, Yurui Huang, Min Yang
Publication:
This paper is included in the Proceedings of the 32nd USENIX Security Symposium (USENIX Security), Anaheim, CA, USA, August 9-11, 2023.
Abstract:
Recent years have witnessed the rapid development of mobile services, spanning almost every field. To characterize users and provide personalized and targeted services, user tag sharing, which labels users and shares their data, is becoming increasingly popular. Its security attracts more and more attention, and a series of privacy issues have been reported in several specific services. However, up to now, there still lacked a thorough and comprehensive understanding of the characteristics and security of user tag sharing.
Motivated by this, we conduct a systematic study of user tag sharing in modern real-world mobile services. We first model user tag sharing with their three phases, and also discover that the privacy issue commonly exists in different various services. We generalize and formalize the privacy security issue as user tag spoofing. We then propose a novel network-level smart fuzzing approach, called UTSFuzzer, against user tag spoofing. The key idea behind UTSFuzzer is to explore a large number of valid user tag values from mobile services, and take them as input to imitate user tag spoofing against real-world mobile services. By applying UTSFuzzer on a large scale of real-world popular apps, we verify the effectiveness of UTSFuzzer, and unveil that 100 mobile apps (including 115 mobile services) are vulnerable to user tag spoofing. The accumulated installations of all affected apps (users) reach more than 413 million. Additionally, UTSFuzzer shows user tag spoofing can cause serious attack efforts, including economic loss, and user activities monitoring.