Does it block Sensor Tower, App Annie, Flurry?

[msft013]

I tried checking the lists briefly but didn't see anything. If it doesn't block it already can you add support for all the various app analytics SDKs that are being used?

There's a lot of tracker companies out there. Check out this site: https://whotracks.me/trackers.html

I don't think the blocking lists block enough of them.

[hijohnnylin]

We do block Flurry. I'm not aware that App Annie or Sensor Tower has trackers. Are they called something else? AFAIK Sensor Tower and App Annie get their metrics from developers connecting their App Store Connect accounts, and they just pull metrics from Apple that way. Please correct me if I'm wrong.

[hijohnnylin]

Closing as there was no response in 17 days.

[chronic]

@hijohnnylin - App Annie and SensorTower also run VPN apps in the App Store in order to track people. Unfortunately, they use a Packet Tunnel Provider, so if you wanted to do something like warn users who install such an app, it would be ineffective because their VPN Configuration would take over control from the Lockdown Configuration.

[hijohnnylin]

@chronic thanks for the heads up on this! do you know the names of the tracking apps by App Annie and Sensor Tower? i'd like to do more analysis + testing to find a resolution for these cases.

[chronic]

@hijohnnylin Sure thing. Here are the ones I know off hand.

App Annie:

• https://apps.apple.com/us/app/my-data-manager-vpn-security/id477865384
• https://apps.apple.com/us/app/phone-guardian-mobile-security/id1016814119

SensorTower had their app removed finally. They now ask people to install a VPN profile and a root Certificate Authority, pretty gross: https://emban-networks.com/install

[chronic]

@hijohnnylin - Also some URLs they contact, if helpful:

• common-api.smart-sense.org
• capi.smart-sense.org

[hijohnnylin]

@chronic thank you! addressed in 211ee7f and in v1.1.8, rolling out now. still looking into solutions for the conflicting VPN Configurations.

[chronic]

I am afraid you may not have much luck there, because of the current state of Apple's APIs.

You know how y'all use the NETunnelProviderManager ("VPN Configuration") for your host blocking as well as host whitelisting/passthrough, and then NEVPNManager ("Personal VPN") to catch all the rest of the traffic for your VPN tunnel?

These folks who collect data through VPNs all use the "VPN Configuration" route. For the same reason that it works the way Lockdown intends for its own capabilities, it also means there data collecting VPNs will have their "VPN Configuration" get first dibs on outbound packets.

There is one possibility which you could make use of, as I haven't verified if this is the case - If any such company like SensorTower or App Annie don't think to have their Packet Tunnel Provider catch traffic going to their own domains, then naturally the smart-sense connections for example would, I believe, route through Lockdown's VPN (the "Personal VPN").

So as long as you also update your server-side firewall rule list (I think you are using Suricata for this already?) like you did for the in-app list, then you may be able to help thwart some of these. That said, it's no panacea as such sketchy VPNs can wise up and make sure to route their own telemetry, or could be even more crafty (In the past, I had found that Facebook's now-defunct Onavo VPN was specifically routing certain analytics only through it's VPN tunnel, likely to thwart detection via intercepting proxies: https://9to5mac.com/2018/03/06/facebook-protect-vpn/).

Not to be discouraging by any means! Just want to be as clear as I can that it is unfortunately a bit of an uphill battle, on iOS anyway, to try to fight a bad VPN with a good VPN.