Closed. U039b closed this issue 5 years ago.
To add a new tracker, follow this schema of description:
### Tracker name
* Website: xxxx
* Comment: xxxx
* Category: [Analytics, Advertising]
* Code signature: `xxx`
* Network signature: `xxx.com`
* Maven repository: `xxx.com`
* Artifact ID: `xxx`
* Group ID: `xxx`
* Gradle: `xxx`
* Additional links: xxx xxx
* Notes: xxx
### AppLovin
* Code signature: `com.applovin.`
* Network signature: `applovin\.com`
* Maven repository: NA
* Artifact ID: `applovin-sdk`
* Group ID: `com.applovin`
* Gradle: `com.applovin:applovin-sdk:7.6.0`

### Google Play Services ads identifier
* Code signature: `com.google.android.gms.ads.identifier.*`
### Avocarrot
* Code signature: `com.avocarrot.sdk`
* Network signature: `\.avocarrot\.com`
* Maven repository: `https://s3.amazonaws.com/avocarrot-android-builds/dist/`
* Artifact ID: `mediation-sdk-nativead`
* Group ID: `com.avocarrot.sdk`
* Gradle: `com.avocarrot.sdk:mediation-sdk-nativead:4.7.1`
### NativeX
* Code signature: `com.nativex.`
* Network signature: `mobvista\.com|nativex\.com`
* Maven repository: NC
* Artifact ID: NC
* Group ID: NC
* Gradle: NC
Trying to untangle Baidu location tracking... the maps and location are so closely related in the code I've seen.

### Baidu Map
* Code signature: `com.baidu.BaiduMap`
* Network signature: `map.baidu\.com`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.baidu`
* Gradle: NC
### Tencent Map
* Code signature: `com.tencent.map.geolocation|com.tencent.mm.plugin.location.|com.tencent.mm.plugin.location_soso.|com.tencent.mm.plugin.location_google.`
* Network signature: `map.qq\.com`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.tencent`
* Gradle: NC
A quick note - older versions of the Tune tracker use the com.mobileapptracker name for the SDK.

### Tune
* Code signature: `com.tune|com.mobileapptracker`
Updates to SafeGraph. Much more detail at https://github.com/YalePrivacyLab/tracker-profiles/blob/master/trackers/SafeGraph.md

### SafeGraph / OpenLocate
* Code signature: `com.safegraph.|com.openlocate`
* Network signature: `api\.safegraph\.com`
* Maven repository: `https://s3-us-west-2.amazonaws.com/openlocate-android/`
* Artifact ID: `openlocate-android`
* Group ID: `com.openlocate`
* Gradle: `com.openlocate:openlocate:1.+`
### HyperTrack
* Code signature: `com.hypertrack.|com.hypertracklive.|io.hypertrack.`
* Network signature: `trck.at|hypertrack\.amazonaws.com|api\.hypertrack\.com`
* Maven repository: `http://hypertrack-android-sdk.s3-website-us-west-2.amazonaws.com/`
* Artifact ID: `hypertrack-live-android`
* Group ID: `com.hypertrack`
* Gradle: `com.hypertrack:android:0.4.22:release@aar`
### Uber
* Code signature: `com.ubercab.analytics.|com.ubercab.library.metrics.analytics.|com.ubercab.client.core.analytics.`
* Network signature: `events.uber.com`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.ubercab`
* Gradle: NC
### LISNR
* Code signature: `com.lisnr.|com.lisnr.sdk.`
* Network signature: `lisnr\.com`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.lisnr.sdk`
* Gradle: `com.lisnr.sdk:sdk:5.0.0.+`
### SilverPush
* Code signature: `com.silverpush.|com.silverpush.location|com.silverpush.sdk.android.SPService`
* Network signature: `silverpush\.co|silverpush\.com|54.243.73.253:8080/SilverPush/`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.silverpush`
* Gradle: NC
### Shopkick
* Code signature: `com.shopkick.sdk.api.|com.shopkick.fetchers.`
* Network signature: `shopkick\.com|shopkick\.de|sdk.shopkick.com`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.shopkick`
* Gradle: NC
### Alphonso
* Code signature: `tv.alphonso.service`
* Network signature: `prov.alphonso.tv|api.alphonso.tv`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `tv.alphonso`
* Gradle: NC
### Smaato
* Code signature: `com.smaato.soma.`
* Network signature: `soma.smaato.net|smaato.net`
* Maven repository: NA
* Artifact ID: NC
* Group ID: `com.smaato.soma`
* Gradle: NC
### Scandit
* Code signature: `com.scandit.`
* Network signature: `scandit\.com`
* Maven repository: NA
* Artifact ID: `scanditsdk-android`
* Group ID: `com.scandit`
* Gradle: `ScanditBarcodeScanner`
We need to decide how to handle / untangle Google Maps and Location services as well. At the least, the presence of the location services listener should be considered a tracker.

### Google Maps / Location services
* Code signature: `com.google.android.gms.maps`
* Code signature: `com.google.android.gms.location`
### INRIX
* Code signature: `com.inrix.sdk`
* Network signature: `inrix\.com|inrix\.io`
* Maven repository: NC
* Artifact ID: NC
* Group ID: NC
* Gradle: NC
### Signal360
* Code signature: `com.signal360.sdk.core.|com.sonicnotify.sdk.core.|com.rnsignal360|`
* Network signature: `signal360\.com|sonicnotify\.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.signal360.sdk`
* Gradle: NA
Signal360 uses the Manchester decoder for logic 1s and 0s. This is probably a similar methodology for other audio beacon companies. http://ww1.microchip.com/downloads/en/AppNotes/01470A.pdf
thanks for the heads up, I'm sure you're right about this being the most common method. Some of these audio beacons use amplitude, but that's very limited (FidZup's method, if we trust the patent applications). Most seem to use frequency and what they call "frequency shift keying", which is slight changes in frequencies for 0s and 1s. Hypothetically, they could do much more frequency shifts within that 18kHz to 20kHz range (LISNR claims up to 22kHz but I don't know of devices that have that capability), and then they could do hex or the alphabet even.
What's unclear to me is how they have enough bandwidth to get complex data across the wire... the amount of time that someone is in proximity to a speaker with their microphone could be very limited.
One technique is this:
* pulses of 1 ms, for 32 ms duration == 32 bits
* clock pulse (carrier-like) between the logic 0 and logic 1 frequency serves as centre freq and start bit
* audio as modulated 1s and modulated 0s: 20550 to 21000 for logic 0, 21000 to 22000 for logic 1

So if the SDK process hears the carrier frequency it can then start listening for the repeated modulated signals, create a historical cache of recorded signals and then process them for any candidates. If we assume the signal is unique to time and location then all the SDK needs to do is ping the server with a heard beacon message of a specific type.
we should talk off-thread, but that's potentially ~24KB per minute at most? something like that?
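The FSK scheme sketched in the comments above, as an added worked example (it is not code from this thread nor from any vendor's SDK). The parameters are assumptions: a 48 kHz microphone stream, 4 ms symbols, a carrier at 21000 Hz with logic 0 at 20750 Hz and logic 1 at 21500 Hz (one tone inside each band quoted above), a two-symbol carrier preamble, and a 32-bit beacon ID sent MSB first. The decoder uses the Goertzel algorithm to measure energy at the three tones, locates the frame by scoring "carrier just before, decisive 0/1 symbols after", and refuses to report an ID when any symbol is ambiguous, which is what an SDK listening continuously would have to do to avoid phantom beacons.

```python
"""Toy ultrasonic FSK beacon: encode a 32-bit beacon ID as audio, then recover it
the way an SDK listening on the microphone would.  Constructed example; the tone
frequencies, symbol length and frame layout are assumptions for illustration."""
import math
import random

FS = 48_000                    # sample rate in Hz (assumed)
SYMBOL_MS = 4                  # 4 ms per symbol -> DFT bin width 1000/4 = 250 Hz
N = FS * SYMBOL_MS // 1000     # 192 samples per symbol
F_CARRIER = 21_000             # start/centre tone, between the two data tones
F_ZERO = 20_750                # logic 0 (assumed; inside the 20550-21000 band above)
F_ONE = 21_500                 # logic 1 (assumed; inside the 21000-22000 band above)
PREAMBLE_SYMBOLS = 2           # carrier stays on this long before the data bits
FRAME_BITS = 32
MIN_MARGIN = 4.0               # winning tone must carry 4x the energy of the loser
STEP = 8                       # analysis-window grid in samples; must divide N
assert N % STEP == 0


def goertzel_power(samples, freq):
    """|DFT|^2 of `samples` at one frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def tone(freq, n_samples, start_index):
    """Sine at `freq`; phase runs from a global sample index so segments join cleanly."""
    return [0.5 * math.sin(2.0 * math.pi * freq * (start_index + i) / FS)
            for i in range(n_samples)]


def encode(beacon_id, lead_ms=30, trail_ms=30, noise_sigma=0.1, seed=1):
    """Constructed 'recording': silence, carrier preamble, 32 FSK symbols (MSB first),
    silence, plus Gaussian noise so the decoder has something to fight."""
    if not 0 <= beacon_id < 2 ** FRAME_BITS:
        raise ValueError("beacon_id must fit in 32 bits")
    samples = [0.0] * (FS * lead_ms // 1000)
    samples += tone(F_CARRIER, PREAMBLE_SYMBOLS * N, len(samples))
    for bit in range(FRAME_BITS - 1, -1, -1):
        freq = F_ONE if (beacon_id >> bit) & 1 else F_ZERO
        samples += tone(freq, N, len(samples))
    samples += [0.0] * (FS * trail_ms // 1000)
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, noise_sigma) for x in samples]


def noise_only(n_samples, noise_sigma=0.1, seed=7):
    """Constructed recording with no beacon in it at all."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, noise_sigma) for _ in range(n_samples)]


def window_energies(samples):
    """(E_zero, E_one, E_carrier) for every one-symbol window on the STEP grid."""
    energies = {}
    for off in range(0, len(samples) - N + 1, STEP):
        w = samples[off:off + N]
        energies[off] = (goertzel_power(w, F_ZERO), goertzel_power(w, F_ONE),
                         goertzel_power(w, F_CARRIER))
    return energies


def find_frame_start(samples):
    """Offset of the first data symbol: the grid position where carrier energy in
    the window just before it plus the 0/1 contrast of the 32 windows after it is
    largest.  Returns None if no complete frame fits in the recording."""
    en = window_energies(samples)
    best_off, best_score = None, -1.0
    for off in en:
        if off - N < 0 or off + FRAME_BITS * N > len(samples):
            continue
        score = en[off - N][2] + sum(abs(en[off + k * N][1] - en[off + k * N][0])
                                     for k in range(FRAME_BITS))
        if score > best_score:
            best_off, best_score = off, score
    return best_off


def decode(samples):
    """32-bit beacon ID, or None when no frame is heard or any symbol is ambiguous."""
    start = find_frame_start(samples)
    if start is None:
        return None
    value = 0
    for k in range(FRAME_BITS):
        w = samples[start + k * N:start + (k + 1) * N]
        e0, e1 = goertzel_power(w, F_ZERO), goertzel_power(w, F_ONE)
        if max(e0, e1) < MIN_MARGIN * max(min(e0, e1), 1e-12):
            return None          # noise, not a beacon: an SDK would drop this frame
        value = (value << 1) | (1 if e1 > e0 else 0)
    return value


if __name__ == "__main__":
    recording = encode(0xA5C31E2D)
    print(hex(decode(recording)))   # -> 0xa5c31e2d
```

Two things worth noticing. First, the time/frequency trade-off: a DFT over one symbol resolves frequencies to about 1/T, so with 1 ms symbols the bins are 1 kHz wide and the two bands quoted above could not be told apart from a single symbol; the example therefore uses 4 ms symbols (250 Hz bins) and picks tones that land exactly on bins, which is why an aligned window leaks nothing between 20750, 21000 and 21500 Hz. Second, the decoder needs the whole frame to be decisive before it believes anything, which is the cheap defence against reporting random noise as a beacon hit.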
### Adfonic / Byyd
* Code signature: `com.adfonic.android.|com.byyd.`
* Network signature: `byyd\.me|byyd-tech\.com|adfonic\.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.adfonic`
* Gradle: NA
### Mixpanel
* Code signature: `com.mixpanel.android.`
* Network signature: `api.mixpanel.com|decide.mixpanel.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.mixpanel`
* Gradle: NA
### Phunware
* Code signature: `com.phunware.analytics.`
* Network signature: `cms-api.phunware.com|phunware.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.phunware`
* Gradle: NA
### Gimbal
* Code signature: `com.gimbal.android.`
* Network signature: `gimbal.com|analytics-server.gimbal.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.gimbal`
* Gradle: NA
### Android UsageStats API
* Code signature: `android.app.usage.UsageStats|android.app.usage.UsageStatsManager`
* Network signature: NA
* Maven repository: NA
* Artifact ID: NA
* Group ID: `android.app.usage`
* Gradle: NA
I just came across Segment (https://segment.com), a tracker that happens to be integrated into Mattermost, a self-hostable chat platform that is very popular now in the FLOSS community.
One of their clients, whose use of the data looks the most cynical to me: https://segment.com/customers/xo-group
They do seem to be collecting data from Android as well: https://segment.com/docs/sources/mobile/android/. Interestingly enough, their Android client/library (I am not sure what I am talking about) seems to be open source.
Thanks. We do have Segment listed as a tracker in Exodus, but it would be great if you could provide more detail in this thread so that we can fill out the tracker profile more completely. Try to take a look at some of the more detailed profiles above, or the ones we did at https://github.com/YalePrivacyLab/tracker-profiles
### New Relic
* Code signature: `com.newrelic.agent`
* Network signature: `nr-data.net|newrelic.com`
* Artifact ID: `android-agent`
* Group ID: `com.newrelic.agent.android`
* Gradle: `com.newrelic.agent.android:android-agent`, `com.newrelic.agent.android:agent-gradle-plugin`
* Notes: requires `android.permission.INTERNET` and `android.permission.ACCESS_NETWORK_STATE`
Changes to Signal360:

### Signal360
* Code signature: `com.signal360|com.sonicnotify|com.rnsignal360|`
* Network signature: `signal360\.com|sonicnotify\.com`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `com.signal360`
* Gradle: NA
### Piwik / Matomo
* Code signature: `org.piwik|org.piwik.mobile|org.matomo`
* Network signature: `matomo\.org`
* Maven repository: NA
* Artifact ID: NA
* Group ID: `org.piwik`
* Gradle: NA
Add new code signature due to the new SDK lib, 6.1.0.0:
We've got LISNR here: https://reports.exodus-privacy.eu.org/trackers/79/
And the related Signal360: https://reports.exodus-privacy.eu.org/trackers/86/
LISNR and Signal360 have some kind of business relationship, and it shows in apps by developer YinzCam like this one: https://reports.exodus-privacy.eu.org/reports/1351/
The other big LISNR developer is Aloompa. Please e-mail me with any of their apps we might have missed from the Exodus list above and we'll scan them.
### AppBrain
* Code signature: `com.appbrain`
* Network signature: ?
* Maven repository: ?
* Artifact ID: NA
* Group ID: NA
* Gradle: `com.appbrain:appbrain-sdk:+@aar`
### AppAnalytics
* Code signature: `io.appanalytics.sdk`
* Network signature: ?
* Maven repository: ?
* Artifact ID: ?
* Group ID: ?
* Gradle: NA
### Appsee
* Code signature: `com.appsee`
* Network signature: ?
* Maven repository: NA
* Artifact ID: ?
* Group ID: ?
* Gradle: `com.appsee:appsee-android:+`
### Countly
* Code signature: `ly.count.android`
* Network signature: xxx.com
* Maven repository: `http://dl.bintray.com/countly/maven`
* Artifact ID: xxx
* Group ID: `ly.count.android`
* Gradle: xxx
### Mixpanel
* Code signature: `com.mixpanel`
* Network signature: `api\.mixpanel\.com|decide\.mixpanel\.com|switchboard\.mixpanel\.com|mixpanel\.com`
* Maven repository: NA
* Artifact ID: xxx
* Group ID: xxx
* Gradle: `com.mixpanel.android:mixpanel-android:5.+`
* Notes: "Our secret? Trillions of data points. To be both useful and accurate, world-class machine learning models require massive amounts of data to learn from. Luckily, Mixpanel ingests more than seven trillion data points every year. With each new piece of data, our algorithms get smarter, and you get answers faster."
* Notes: required permissions INTERNET/ACCESS_NETWORK_STATE/BLUETOOTH
### Apptentive
* Code signature: `com.apptentive`
* Network signature: ?
* Maven repository: ?
* Artifact ID: ?
* Group ID: ?
* Gradle: `com.apptentive:apptentive-android:5.0.2`
### beaconforstore.com
* Code signature: ?
* Network signature: `api.beaconforstore.com`
* Maven repository: ?
* Artifact ID: ?
* Group ID: ?
* Gradle: ?
### Carnival
* Code signature: `com.carnival.sdk`, `com.carnivalmobile`
* Network signature: xxx.com
* Maven repository: xxx.com
* Artifact ID: xxx
* Group ID: xxx
* Gradle: xxx
### Taplytics
* Network signature: xxx.com
* Artifact ID: xxx
* Group ID: xxx
* Gradle: xxx
* Maven repository: `https://github.com/taplytics/Taplytics-Android-SDK/raw/master/AndroidStudio/`
### Snowplow
* Code signature: `com.snowplowanalytics`, `com.snowplowanalytics.snowplow`
* Network signature: xxx.com
* Maven repository: xxx
* Artifact ID: xxx
* Group ID: xxx
### Estimote
* Code signature: `com.estimote.`
* Network signature: xxx.com
* Maven repository: xxx
* Artifact ID: xxx
* Group ID: xxx
* Gradle: `com.estimote:proximity-sdk:0.3.2`
### Adobe Mobile
* Code signature: `com.adobe.mobile`
* Network signature: xxx.com
* Maven repository: xxx
* Artifact ID: xxx
* Group ID: xxx
* Gradle: `com.adobe.mobile:adobeMobileLibrary:4.13.7`
### Radius Networks
* Code signature: `com.radiusnetworks`
* Network signature: `proximitykit.radiusnetworks.com`
* Maven repository: [edited by U+039b] xxx.com
* Artifact ID: `AndroidIBeaconLibrary`
* Group ID: `com.radiusnetworks`
* Gradle: `org.altbeacon:android-beacon-library:2+`
### Facebook Account Kit
* Code signature: `com.facebook.accountkit`
* Network signature: N/A
* Gradle: `com.facebook.android:account-kit-sdk:4.+`
Since @Atavic referenced this from my host file repo: I don't know if the network signatures are DNS record strings contained within an app, or if they're based on what domains are seen in a live test of an app. If it's based on live traffic, the host file in the repo he referenced has a bunch of additional subdomains for some of these companies that might help with detection. I'd been gathering them on my phone via AdAway and NetGuard logs for a few years.

Also, the domain for FB's Account Kit is graph.accountkit.com. I just turned on logging in NetGuard and ran a few apps I know have the library, and that's the domain it connects to.

Adobe Mobile Marketing's domain traffic goes to 2o7.net. Gimbal connects to analytics-server.gimbal.com, api.gimbal.com. Taplytics: api.taplytics.com, ping.taplytics.com. Mixpanel has a few at mixpanel.com as well as cdn.mxpnl.com... and so on.

I've wanted to reach out to VirusTotal to see if they could pull together some sort of collection of URLs they've seen in APK files, to see if I could find all of the analytics companies, but I doubt they'd do that :/
### MNG Ads
* Code signature: `com.mngads.sdk|com.mngads.views|com.mngads.`
* Network signature: NC
* Maven repository: NC
* Artifact ID: NC
* Group ID: NC
* Gradle: NC
### Retency
* Code signature: `com.retency.sdk.android`
* Network signature: NC
* Maven repository: NC
* Artifact ID: NC
* Group ID: NC
* Gradle: NC
@jawz101 network signature is a regex matching domains where collected data is sent to.
### Telequid
* Code signature: `com.telequid.`
* Network signature: `mars\.telequid\.com`
* Maven repository: xxx.com
* Artifact ID: xxx
* Group ID: xxx
* Gradle: xxx
* Comment: TAAS (Telequid Augmented Advertising Server) can be embedded in an existing app to detect images in any printed document or TV spots and display related multimedia content on the mobile screen.
### smartwhere
* Code signature: UNKNOWN
* Network signature: xxx.com
* Maven repository: xxx.com
* Artifact ID: xxx
* Group ID: xxx
* Gradle: `com.smartwhere:android-eu-sdk:16364.2`
* Comment: "No matter what industry or market you're in, we can help you discover the proximity technology solution that fits your needs, from marketing to logistics. Use the right combination of proximity technologies, from Beacons, Geofencing and Wi-Fi to NFC and QR, to make your campaign succeed."
@jawz101 Not a bad idea, but not possible all the time. Sometimes we're working backwards from the SDK information we find online (from vendor/tracking company documentation or available source code).
SafeGraph/OpenLocate is a good example, where we have yet to find the SDK in apps but we know a lot about it through news stories and published source. In a case like that, we want Exodus to have the signature and be prepared to find it in submitted apps.
In https://reports.exodus-privacy.eu.org/reports/37/:
* `com/applovin/adview/AppLovinInterstitialAdDialog`
* `com/avocarrot/sdk/nativeassets/model/NativeAdData`
* `com/appnext/ads/`
* `com/inlocomedia/android/ads/AdType`
* `com/moat/analytics/mobile/aol/NativeVideoTracker`
* `com/mopub/common/GpsHelper`
* `com/nativex/monetization/mraid/objects/CurrentPosition`
* `com/unity3d/ads/android/UnityAds`
* `com/vungle/publisher/AdConfig`
* `com/youappi/ai/sdk/YouAPPi`

Why the fuck does this application require `org/apache/commons/math3/optimization`?
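The template at the top of this thread defines code signatures as regexes over class names and (as clarified above) network signatures as regexes over the domains data is sent to. The following is an added example, my own code rather than exodus-core or anything posted in the thread, that runs a handful of the signatures posted here over the class paths listed for report 37 (plus one constructed non-tracker class) and over a few constructed hostnames, and lints the signatures for two regex mistakes that make them over-match: a trailing `|` (present in both Signal360 entries above), which adds an empty alternative that matches every class in every app, and unescaped `.` in what is meant to be a literal package or domain separator. The normalisation of DEX-style `com/foo/Bar` paths to dotted names before matching is an assumption about how the signatures are meant to be applied.

```python
"""Run Exodus-style tracker signatures over class paths and hostnames, and lint the
signatures for regex mistakes that make them over-match.  Added example; the
matching rules are my own reading of the template in this thread, not exodus-core."""
import re

# Code signatures copied from entries in this thread (regex over dotted class names).
CODE_SIGNATURES = {
    "AppLovin": r"com.applovin.",
    "Avocarrot": r"com.avocarrot.sdk",
    "NativeX": r"com.nativex.",
    "Tune": r"com.tune|com.mobileapptracker",
    # copied as posted, including the trailing '|'
    "Signal360": r"com.signal360.sdk.core.|com.sonicnotify.sdk.core.|com.rnsignal360|",
}

# Network signatures copied from entries in this thread (regex over hostnames).
NETWORK_SIGNATURES = {
    "AppLovin": r"applovin\.com",
    "SafeGraph": r"api\.safegraph\.com",
    "Uber": r"events.uber.com",
}

# Class paths listed for report 37 above, plus one constructed non-tracker class.
SAMPLE_CLASSES = [
    "com/applovin/adview/AppLovinInterstitialAdDialog",
    "com/avocarrot/sdk/nativeassets/model/NativeAdData",
    "com/appnext/ads/",
    "com/inlocomedia/android/ads/AdType",
    "com/moat/analytics/mobile/aol/NativeVideoTracker",
    "com/mopub/common/GpsHelper",
    "com/nativex/monetization/mraid/objects/CurrentPosition",
    "com/unity3d/ads/android/UnityAds",
    "com/vungle/publisher/AdConfig",
    "com/youappi/ai/sdk/YouAPPi",
    "org/apache/commons/math3/optimization",
    "com/example/app/MainActivity",          # constructed
]

# Constructed hostnames, as they might appear in a NetGuard or AdAway log.
SAMPLE_HOSTS = ["d.applovin.com", "api.safegraph.com", "events.uber.com",
                "eventsXuber.com", "cdn.example.org"]


def lint_signature(sig):
    """Return human-readable problems with a signature (empty list when clean)."""
    problems = []
    if any(part == "" for part in sig.split("|")):
        problems.append("empty alternative ('|' at an edge or doubled): matches every string")
    unescaped = [m.start() for m in re.finditer(r"(?<!\\)\.", sig)]
    if unescaped:
        problems.append(f"unescaped '.' at {unescaped}: matches any character, "
                        "write '\\.' for a literal dot")
    return problems


def fix_signature(sig):
    """Drop empty alternatives; leave everything else as the contributor wrote it."""
    return "|".join(part for part in sig.split("|") if part)


def match_classes(class_paths, signatures=CODE_SIGNATURES):
    """tracker -> class paths it matches.  DEX paths use '/', signatures use '.'."""
    compiled = {name: re.compile(sig) for name, sig in signatures.items()}
    hits = {}
    for path in class_paths:
        dotted = path.replace("/", ".")
        for name, rx in compiled.items():
            if rx.search(dotted):
                hits.setdefault(name, []).append(path)
    return hits


def match_hosts(hosts, signatures=NETWORK_SIGNATURES):
    """tracker -> hostnames it matches (regex search, as described in the thread)."""
    compiled = {name: re.compile(sig) for name, sig in signatures.items()}
    hits = {}
    for host in hosts:
        for name, rx in compiled.items():
            if rx.search(host):
                hits.setdefault(name, []).append(host)
    return hits


if __name__ == "__main__":
    for label, table in (("code", CODE_SIGNATURES), ("network", NETWORK_SIGNATURES)):
        for name, sig in table.items():
            for problem in lint_signature(sig):
                print(f"{label} signature for {name}: {problem}")
    print(match_classes(SAMPLE_CLASSES))
    cleaned = {n: fix_signature(s) for n, s in CODE_SIGNATURES.items()}
    print(match_classes(SAMPLE_CLASSES, cleaned))
    print(match_hosts(SAMPLE_HOSTS))
```

With the signature as posted, Signal360 is "detected" in every one of the twelve sample classes, including the constructed `com/example/app/MainActivity`; after dropping the empty alternative it matches none of them, which is the correct answer for report 37. The unescaped dots are a milder problem (`events.uber.com` also matches the constructed `eventsXuber.com`), but they are worth fixing in the same pass, since the escaped form `\.` is what most of the entries above already use.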