Exodus-Privacy / exodus

Platform to audit trackers used by Android application
https://reports.exodus-privacy.eu.org/
GNU Affero General Public License v3.0
645 stars, 63 forks

Scan for more components than just trackers #378

Closed yoshimo closed 2 years ago

yoshimo commented 4 years ago

It shouldn't be too hard to add signatures for other components used by apps. There are all kinds of SDKs and libraries that are used in different versions and it would be interesting to see statistics of those as well.

jawz101 commented 4 years ago

I submit anything I dig into, to be honest. Most tend to be analytics but if you can get an account the signature submission page is here https://etip.exodus-privacy.eu.org

Basically, anything that represents a developer using someone else's code within their own app is something I question.

pnu-s commented 4 years ago

That's an interesting topic.

For now, we are defining tracker as the following:

A tracker is a piece of software whose task is to gather information on the person using the application, on how they use it, or on the smartphone being used

See: https://reports.exodus-privacy.eu.org/en/info/trackers/

Gu1nness commented 4 years ago

@yoshimo What do you mean by other components than just trackers? With our broad definition, I guess all the tracking components are included, but if you have an example/idea of what could be added, we'd be happy to hear about it!

yoshimo commented 4 years ago

If we look at AddonScanner (which has the advantage of being able to scan paid apps locally) we have the following categories and samples on this test phone:

Crash-Submission (Sentry, BugSnag, Crashlytics, HockeyApp, ACRA, Bugfender, Instabug)
Analytics (Firebase, Answers, MixPanel, Branch, Adjust, InfOnline, GoogleAnalytics, AppBoy, Braze, AppMetrica, Flurry, Amplitude, Segment, OpenCensus, Countly)
Call Screen Ads
Cross-Platform Toolkits (React Native, Cordova J2ObC, OpenTK, Xamarin)
Developer Toolkits (AndroidNDK, Bolts, Dagger, Fresco, Timber, Protobuf)
Licensing (Google Licensing Service, GoogleInAppBilling, anjlab-android-inapp-billing, Amazon inapp billing)
Game Engines (Unity3d)
Gaming (Google Play Games)
Advertising (Google Mobile Ads, IronSource)

The interesting parts here are the developer toolkits, which inspired this report. OKHTTP is a common library to do web requests and its version number is interesting to see what web protocols the app can support. This would also help with #379 if done manually.

pnu-s commented 3 years ago

I think we need to be careful here if we change what we call a tracker.

Another option would be to create a separate category of "other things", but as always I'm afraid of what it would imply for the user experience of most of our users (who are mostly interested in permissions and trackers).

yoshimo commented 3 years ago

If those aren't counted as trackers and don't turn the badges yellow and red I think a few more lines won't hurt.
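Added example, not part of the thread and not Exodus code: a sketch of the idea discussed above, where each class-name signature carries a category and only entries flagged as trackers influence the badge. The signature table layout, the tracker flags, the badge thresholds and the sample class list are assumptions constructed for illustration; the package prefixes are the libraries' public Java package names.

```python
import re
from collections import defaultdict

# Hypothetical signature table: (component, category, counts_as_tracker, regex).
# Categories follow the list quoted in the thread; the flags are assumptions.
SIGNATURES = [
    ("Sentry", "Crash-Submission", True, r"io\.sentry\."),
    ("Firebase Analytics", "Analytics", True, r"com\.google\.firebase\.analytics\."),
    ("OkHttp", "Developer Toolkits", False, r"okhttp3\."),
    ("Dagger", "Developer Toolkits", False, r"dagger\."),
    ("React Native", "Cross-Platform Toolkits", False, r"com\.facebook\.react\."),
    ("Unity3d", "Game Engines", False, r"com\.unity3d\.player\."),
]
COMPILED = [(n, c, t, re.compile(rx)) for n, c, t, rx in SIGNATURES]

# Constructed sample: class names as they could be listed from an APK's dex files.
SAMPLE_CLASSES = [
    "okhttp3.OkHttpClient",
    "okhttp3.internal.http2.Http2Connection",
    "dagger.internal.Factory",
    "io.sentry.Sentry",
    "com.example.app.MainActivity",
    "com.facebook.react.ReactActivity",
]

def scan(class_names):
    """Group matched components by category, trackers kept apart from the rest."""
    report = {"trackers": defaultdict(set), "other": defaultdict(set)}
    for cls in class_names:
        for name, category, is_tracker, rx in COMPILED:
            # match() anchors at the start, so "myokhttp3." does not match "okhttp3."
            if rx.match(cls):
                report["trackers" if is_tracker else "other"][category].add(name)
    return report

def badge(report):
    """Badge colour depends only on the tracker count (thresholds are assumptions)."""
    n = sum(len(names) for names in report["trackers"].values())
    return "green" if n == 0 else "yellow" if n <= 2 else "red"

if __name__ == "__main__":
    result = scan(SAMPLE_CLASSES)
    print("badge:", badge(result))
    for section in ("trackers", "other"):
        for category, names in sorted(result[section].items()):
            print(f"{section:8} {category}: {', '.join(sorted(names))}")
```

Prefix matching of this kind misses libraries whose package names were renamed by an obfuscator, so an empty "other" section is not proof that a component is absent.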

yoshimo commented 2 years ago

Another component that would be nice to integrate is https://github.com/rednaga/APKiD. Not only but also because of the root-check detection, which is kind of annoying these days and scares people without reason. Would be nice to know if an app does this kind of check when choosing which application to take.

U039b commented 2 years ago

Not the purpose of εxodus.