Public Report – Google Privacy Sandbox Aggregation Service and Coordinator
2024-3-28 19:59:0 Author: research.nccgroup.com

During the winter of 2022, Google engaged NCC Group to conduct an in-depth security review of the Aggregation Service, part of Google’s Privacy Sandbox initiative. Google describes the Aggregation Service as follows:

The Privacy Sandbox initiative aims to create technologies that both protect people’s privacy online and give companies and developers tools to build thriving digital businesses. The Privacy Sandbox reduces cross-site and cross-app tracking while helping to keep online content and services free for all. One of the proposed solutions within the initiative is the Aggregation Service. The goal of this service is to allow ad tech to generate summary reports, which include aggregated measurement data on user’s behavior collected by other Privacy Sandbox APIs; these APIs allow ad techs to collect aggregatable reports from clients. The aggregation service decrypts and combines the collected data from the aggregatable reports, adds noise, and returns a summary report. This service runs in a trusted execution environment (TEE), which is deployed on a cloud service that supports necessary security measures to protect this data. This approach is designed to provide a balance between protecting user privacy and meeting the needs of the advertising industry.

NCC Group’s evaluation included the following components:

  • Web Services Assessment, which consists of dynamic testing and code review of the final design and deployment of the Privacy Sandbox Aggregation Service from the perspective of an external attacker.
  • Architecture Design Review, which consists of a review of the final design of the Privacy Sandbox Aggregation Service.
  • Cryptography Design and Implementation Review, which consists of a comprehensive review of the cryptography implementation for the Aggregation Service and split key features.
  • Holistic Attacker-Modeled Pentest, which consists of a holistic review of the final design and implementation of the Privacy Sandbox Aggregation Service from the perspective of a malicious ad tech firm.

In spring 2023, NCC Group completed a retest on a series of fixes proposed by Google, and found that they effectively addressed all findings documented in this report.

The public report for this review may be downloaded below:

Article source: https://research.nccgroup.com/2024/03/28/public-report-google-privacy-sandbox-aggregation-service-and-coordinator/