2600 Magazine_ The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [64]
So, the ads being served through various apps were fairly easy to pick up, although there was one false positive (tapjoyads.com, used to authenticate purchases; the Wolfram Alpha app does the same). The ad servers that I saw in the squid access.log (which logs every request passing through squid along with whether it was served from the squid cache, a primary use of squid) were added to a blacklist file. This was included in the squid config file with the lines
>> include /opt/local/etc/squid/blacklist.txt
>> http_access deny BlackList
The blacklist.txt file contained a list of the servers to block, each one a regular expression, albeit trivial ones, like
acl BlackList url_regex -i google-analytics.com
acl BlackList url_regex -i googlesyndication.com
acl BlackList url_regex -i doubleclick.net
acl BlackList url_regex -i admob.com
acl BlackList url_regex -i ads.mp.mydas.mobi
acl BlackList url_regex -i google_custom_search_watermark.gif
acl BlackList url_regex -i greystripe.com
...
The other servers currently in my blacklist are
iphone.playhaven.com
m.pinger.com
ads.pinger.com
serve.vdopia.com
www.fluik.com
www.jampaq.com
www.myprivatebrowserapp.com
analytics.medu.com
cloudfront.net
adwhirl.com
medialytics.com
imrworldwide.com
2mdn.net
Not all of these servers are ad servers per se, but some provide tracking of various kinds (e.g., google-analytics.com) and so were denied too. The cloudfront.net servers are used to provide content hosted on Amazon's cloud services and could conceivably serve up useful content, and so this regex might need some refining, but in all of the cases I saw, they were being used for ads. Seen in the logs but missing from this list was the server tapjoyads.com, used by the Doodle Buddy app, a free drawing application which contains themed sets of stencils, backgrounds, and stamps, to check for purchased sets (you get one free); it also contains banner ads, but these were served by greystripe.com. Note to developers: please don't use servers with the term "ads.com" in them for serving legitimate content. It's disingenuous. As another example, the BBC news app ads were served by ad.mo.doubleclick.net. All easily dealt with using the above blacklist; from their frequency, it appears that either greystripe, doubleclick, or admob are serving ads from the iAd system (Apple's in-app ad server), or perhaps more than one of these.
Of note is www.myprivatebrowser.com. This free web browser promises "a simple web browser built for the iPad that removes all your web browser cookies and history when you open and close the browser." Not all that secure, but better than nothing, right? Well, when you open it, the default (unchangeable) home page is a custom Google search form, which immediately runs off and requests http://www.myprivatebrowserapp.com/app/big.gif. Nice statistics gathering, Cooply Apps! Welcome to the blacklist!
So, ads come from all over the place (including the usual suspects), and (at least at home) you can set up a proxy to deal with them. What other strange requests are going out over the airwaves from your iDevice? Only your unique device identifier (UDID). Only to ad servers (well, not only). Requests were made to the following servers which passed my iPad's UDID in GET requests:
ads2.greystripe.com
adsx.greystripe.com
mayhem.eamobile.com
serve.vdopia.com/adserver/...
ws.tapjoyads.com
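An added example (not from the original article): a Python pass over squid access.log lines that reports which hosts received a UDID-shaped value (40 hex characters) in a GET query parameter. Only the host names come from the article; the log lines, paths, parameter names and the identifier are constructed, and the function name udid_leaks is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed squid access.log lines (native format). Hosts are from the
# article; paths, parameter names and the identifier are made up.
FAKE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_LOG = f"""\
1309500001.101    212 192.168.1.20 TCP_MISS/200 1843 GET http://ads2.greystripe.com/ad?did={FAKE_UDID}&fmt=banner - DIRECT/203.0.113.10 text/html
1309500002.202     95 192.168.1.20 TCP_MISS/200 412 GET http://ws.tapjoyads.com/items?udid={FAKE_UDID.upper()} - DIRECT/203.0.113.11 text/xml
1309500003.303     40 192.168.1.20 TCP_HIT/200 9120 GET http://news.example.org/story?id=42 - NONE/- text/html
1309500004.404      3 192.168.1.20 TCP_DENIED/403 1500 GET http://admob.com/ad?isu={FAKE_UDID} - NONE/- text/html
1309500005.505      0 192.168.1.20 TCP_MISS/200 0 CONNECT secure.example.org:443 - DIRECT/203.0.113.12 -
"""

HEX40 = re.compile(r"[0-9a-fA-F]{40}")  # shape of an iOS UDID


def udid_leaks(log_text, known_udid=None):
    """Map host -> sorted parameter names that carried a UDID-like value.

    Requests squid already denied are skipped: they never left the proxy.
    With known_udid set, only that exact identifier counts (no guessing).
    """
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3].startswith("TCP_DENIED"):
            continue
        method, url = fields[5], fields[6]
        if method == "CONNECT":  # host:port only, no URL to inspect
            continue
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if known_udid is not None:
                hit = value.lower() == known_udid.lower()
            else:
                hit = HEX40.fullmatch(value) is not None
            if hit:
                leaks[parts.hostname].add(name)
    return {host: sorted(names) for host, names in leaks.items()}


if __name__ == "__main__":
    for host, names in sorted(udid_leaks(SAMPLE_LOG, FAKE_UDID).items()):
        print(f"{host}: UDID sent in {', '.join(names)}")
```

Hosts it reports that are not yet in blacklist.txt are candidates for a new acl line; identifiers embedded in the URL path rather than in a query parameter are not covered by this check.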
Gah! Well, tapjoyads.com, checking what in-app add-ons I'd purchased... okay. EA games (eamobile.com), seemingly informing them of in-game achievements... okay. But greystripe? WTF? And here's an interesting one (line breaks inserted before each GET variable; x's added for anonymity):
>> http://ads.mp.mydas.mobi/getAd.php5?sdkapid=18754
&auid=b4585xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx23463
&mmisdk=3.5.8-10.6.29.i