PHONOPTICON - leveraging low-rent mobile ad services to achieve state-actor level mass surveillance on a shoestring budget

DerbyCon 8.0 - Evolution

Presented by: Mark Milhouse
Date: Saturday October 06, 2018
Time: 18:00 - 18:50
Location: Kentucky F & G
Track: Track 4

By now, we all know that mobile advertisements aren't secure. How would an attacker take advantage of that, though, and spy on people without their consent, knowledge or interaction, and how do we defend against it? Let's take a journey through the demand side of advertising as we put ourselves in the role of an attacker, build an ad-based surveillance system, and unleash it on the masses. I'll demonstrate how, using the built-in features of advertising Demand Side Platforms (DSPs), it's easy to build a surveillance system that can track unsuspecting people. I'll demonstrate that some platforms make it much easier than it needs to be, and I'll show that there's more than just geo-locations at risk here. Finally, I will discuss some ways that everyone can help mitigate this, from the users all the way up to the ad networks and software developers. Like every good spy story, this one includes Russian ad networks, hastily written code, and GPS coordinates - lots of GPS coordinates. By now, if you're still clinging desperately to the hope that your location is safe, then this talk is for you!

Mark Milhouse

Mark Milhouse is a Computer Forensics Investigator at Edelson PC where he investigates high-profile tech-related consumer class action cases (namely digital privacy, security and fraud) and supports ongoing litigation. Prior to his current position he served in the United States Marines as a 2651 (Intelligence Systems), deploying to Iraq, and supporting various elements within II Marine Expeditionary Force. In his free time he enjoys cycling, traveling, and endless projects like building obscure web apps.

