Closed mpowloka-list closed 5 years ago
There is no manifest checking.
The PilferShush Jammer is an open source research app that queries package names requested from the PackageManager that contain matches to known NUHF and ACR package names. "dv" is a match for the company called dov-e which uses the microphone for NUHF. This function is intended to indicate to the user that an app may require more investigation. Looking at the app scanner will tell them whether the app has Record Audio, boot, services and receivers. Using all this information can then help inform the user whether they should be concerned about the app in question. So if your app has a package name containing "dv", has record audio permission, runs at boot, has services and receivers then I would assume your app is something I should send off to Exodus Privacy ( https://reports.exodus-privacy.eu.org/en/analysis/submit/ ) to satisfy my suspicions.
The only "more credible way of detecting these SDKs" would involve decompiling the apk, examining the code base and checking for a number of specific functions and then extrapolating their purpose and probable use. This is way too invasive and is probably not a sensible option for the common user of Android phones.
Hello,
Querying PackageManager and looking for services that contain 'dv' in the name is totally unreliable. What is more, this application does not mark such applications as 'require more investigation', but it marks them as 'containing NUHF SDK' without any sufficient proof.
The application I work with, for example, does not even declare any permission for recording audio. It is still marked as 'NUHF SDK: true' only because of declaring a custom service 'AdvertLoggingService'.
Look, I don't try to attack you here. If you want your application to query applications for the possibility of containing NUHF SDK, then go ahead. But provide a user with real info. Not 'NUHF SDK: true', but something like 'this app contains services with names similar to some known NUHF SDK providers, but it is not certain if it does'. Alternatively, query for more specific packages - find the full package declaration and query for matches with that. Right now, this application provides the user with false information and this is unethical.
Please consider my objections.
I have. The next update will have better wording to account for false positives etc. It should be ready to roll out this week.
Hi,
One user recently reported that the application I work on contains NUHF SDK according to this app. After investigation, I found that your application is querying manifest-declared services and if any of them contains a phrase from audio_sdk_names.txt it marks it as one using NUHF SDK.
For example, an application that declares a service containing 'dv' in its name is marked as an application containing NUHF SDK, which is obviously incorrect. My application contains a service named AdvertLoggingService and because of that, it has been marked as one containing NUHF SDK.
Please, use a more credible way of detecting these SDKs.
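The substring match this thread describes, beside the full-package-prefix alternative proposed in the reply, as an added example that is not part of the issue or of the PilferShush Jammer code; the SDK fragments, package prefixes and manifest service names below are constructed for illustration.

```python
# Constructed stand-ins for the project's audio_sdk_names.txt: short fragments
# as the thread describes them (assumed values, not the real list).
SDK_NAME_FRAGMENTS = ["dv", "lisnr", "sonic"]

# The more specific alternative proposed in the thread: whole package prefixes
# owned by the SDK vendor. Assumed values for illustration only.
SDK_PACKAGE_PREFIXES = ["com.dv.", "com.lisnr.", "com.sonicnotify."]

# Constructed <service android:name="..."> entries as a manifest scan might return them.
CONSTRUCTED_SERVICES = [
    "com.example.myapp.AdvertLoggingService",   # the false positive from the thread
    "com.dv.sdk.ListenerService",               # hypothetical vendor-owned service
    "com.example.myapp.SyncService",
]


def substring_hits(service_name, fragments=SDK_NAME_FRAGMENTS):
    """Behaviour as described in the thread: any fragment anywhere in the name counts."""
    low = service_name.lower()
    return [f for f in fragments if f in low]


def package_hits(service_name, prefixes=SDK_PACKAGE_PREFIXES):
    """Proposed behaviour: match only when the service lives under a known SDK package."""
    low = service_name.lower()
    return [p for p in prefixes if low.startswith(p)]


def segment_hits(service_name, fragments=SDK_NAME_FRAGMENTS):
    """Middle ground: the fragment must be a whole dotted package segment,
    so 'dv' matches 'com.dv.sdk.X' but not 'AdvertLoggingService'."""
    segments = service_name.lower().split(".")[:-1]  # drop the class name itself
    return [f for f in fragments if f in segments]


def classify(service_name):
    """Return a user-facing verdict that separates evidence from mere resemblance."""
    if package_hits(service_name):
        return "known NUHF SDK package"
    if segment_hits(service_name):
        return "package segment matches a known NUHF SDK name; not certain"
    if substring_hits(service_name):
        return "name only resembles a known NUHF SDK name; weak signal"
    return "no match"


def scan(services=CONSTRUCTED_SERVICES):
    """Classify every declared service; AdvertLoggingService no longer reads as 'NUHF SDK: true'."""
    return {s: classify(s) for s in services}
```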