隨著數位廣告的興起,大量投放廣告在網站及各個行動應用程式中已經成為日常生活中的常態,已獲取利益或使用者個資。為與之抗衡,市面上興起各式各樣的廣告阻擋軟體。本論文提出一個全系統廣告阻擋的概念,探討目前全系統廣告阻擋軟體在隱私及安全上的議題,並指出其可能面臨的三個挑戰:網域名稱加密、基於網域名稱的廣告阻擋效益,以及阻擋效率。我們首先探討新興的DNS-over-HTTPS(DoH)機制。DoH針對網域名稱進行加密,可能大幅壓抑廣告阻檔的功能。我們提供一個概念實驗以與DoH抗衡。我們接下來分析基於URL或網域名稱的黑名單廣告阻擋,並比較其阻擋成效。而我們發現兩者差異尚可接受(網域名稱比URL只少擋了9.8%~17%)。因此在行動裝置上,即使無法檢查應用層的URL路徑,僅查看DNS請求應已足夠阻擋廣告流量。我們最後實做一個基於Android VPN服務的全系統廣告阻擋機制,能同時兼顧安全性(不需中間人解密HTTPS流量)與阻擋成效(只檢查域名就能阻擋8成以上的廣告)。
With the rise of digital advertising, it is common to place advertisements on websites and mobile applications to gain profit or obtain user information. To counteract this, a variety of ad-blocking software has emerged on the market. In this paper, we discuss the risks and challenges of implementing a system-wide ad-blocking mechanism on Android. We discuss system-wide ad-blocking solutions' privacy and security issues and point out three significant challenges: domain name encryption, domain-name only blocking effectiveness, and blocking efficiency. We first discuss the emerging development of DNS over HTTPS (DoH), which encrypts domain names and could significantly impair ad-blocking functions. We then provide a proof-of-concept to counteract this. Second, we analyze the effectiveness of ad-blocking using URL-based or Domain-based blacklist. Our evaluation results show that the difference between the two is not significant (domain-based is less 9.8 ~ 17% lower than URL-based). Therefore, even if it not feasible to check the URL paths at the application layer, it would be sufficient to perform ad-blocking based only on DNS requests. Finally, we implement our proposed approach as a VPN service in Android, which balances the security (no content decryption in the middle) and blocking effectiveness (domain-based blocking with more than 80% accuracy) for system-wide ad-blocking.