Closed licaon-kter closed 2 years ago
Schoumi
commented
6 years ago App are not test by android app, only filtered. Yes if you install from apk, we can't know from where you have it and if the report is still valid. Trackers may not be exist in your version. We try to add more method to identify a source but for now this is the only one.
Tonat
commented
6 years ago AdAway has a feature called "Scan for adware" which -- as far as I can see from their source code does the following:
It inspects all the activities, receivers and services of all installed packages and compares them to a list of sdk names of known advertising companies. They hardcode a list AD_PACKAGE_PREFIXES, but maybe Exodus could to the same thing with a dynamic, downloaded list containing known prefixes of ad and tracking sdks?
It's not bulletproof of course, but it's a start :)
MF-Debug
commented
6 years ago i download all my apps from yalpstore. & AFAIK the apps are straight downloaded from google play. so, it would be really helpful to add yalpstore for checking besides google play.
Schoumi
commented
6 years ago Yalp doesn't install app by itself and the source set for installation is Android Installer. The same used by F-Droid and when you install from apk. For now i can't distinguish source like that and i don't want to show false report in order to avoid any company to sue us or to discredit us.
Schoumi
commented
6 years ago @Tonat this is not the goal of this app. This app will not analyse anything. Maybe we make another to make some analysis but not this one.
lionirdeadman
commented
6 years ago I think you should use the hash + package name to tell the server if it scanned it or not instead of what app it got installed from. This would make it much less reliant on it being installed by the Gplay application and still verify that the trackers are really there.
(The exception to the rule would be beta updates but then the scan would not be reflecting reality anyways so it doesn't matter)
counter-reverse
commented
5 years ago @licaon-kter
How does the app detect them?
Interesting question. You can get all the answers you want by reading the source code of the core of the application at the adress: https://github.com/Exodus-Privacy/exodus-core.
The executable binary code is read statically (with not any execution). You can learn that the full command is 'dexdump
I have to understand the command too. I will make you stay tuned on this issue.
Eg. I have ACR installed from APK yet I get a screen with no apps from source.
No idea.
What are the conditions? Google Play store enabled/installed? Can't you track by hash? Signature?
I worked on the icon. APK icon comes from the folder where exodus-core is installed. if the APK icon does not exist yet, then the application icon is installed by gplaycli, the command line interface of google play. if it does not exists, it is downloaded from internet. I imagine it is similar with the apk file.
If you are interested in download an apk file manually to check it from your computer, fell free to go to https://apkpure.com/.
You migth ask to add more ways to detect trackers on exodus privacy core. I continue to learn on APK analysis.
Jean-BaptisteC
commented
2 years ago
How does the app detect them?
Eg. I have ACR installed from APK yet I get a screen with no apps from source.
What are the conditions? Google Play store enabled/installed? Can't you track by hash? Signature?
/LE: Ok, so you check what app installed the package and if it's
com.android.vendingthen you consider them for testing.