
Identify new trackers #40

Closed
U039b opened this issue Dec 28, 2017 · 130 comments


@U039b U039b commented Dec 28, 2017

In https://reports.exodus-privacy.eu.org/reports/37/:

  • com/applovin/adview/AppLovinInterstitialAdDialog
  • com/avocarrot/sdk/nativeassets/model/NativeAdData
  • com/appnext/ads/
  • com/inlocomedia/android/ads/AdType
  • com/moat/analytics/mobile/aol/NativeVideoTracker
  • com/mopub/common/GpsHelper
  • com/nativex/monetization/mraid/objects/CurrentPosition
  • com/unity3d/ads/android/UnityAds
  • com/vungle/publisher/AdConfig
  • com/youappi/ai/sdk/YouAPPi

Why the fuck does this application require org/apache/commons/math3/optimization?

@U039b U039b commented Dec 28, 2017

To add a new tracker, follow this schema of description:

### Tracker name
* Website: xxxx
* Comment: xxxx
* Category: [Analytics, Advertising]
* Code signature: `xxx`
* Network signature: `xxx.com`
* Maven repository: `xxx.com`
* Artifact ID: `xxx`
* Group ID: `xxx` 
* Gradle: `xxx`
* Additional links: xxx xxx
* Notes: xxx

@U039b U039b commented Dec 28, 2017

AppLovin

  • Website: https://www.applovin.com/
  • Comment: AppLovin is a mobile advertising technology company that enables brands to create mobile marketing campaigns that are fueled by data.
  • Category: Advertising
  • Code signature: com.applovin.
  • Network signature: applovin\.com
  • Maven repository: NA
  • Artifact ID: applovin-sdk
  • Group ID: com.applovin
  • Gradle: com.applovin:applovin-sdk:7.6.0
  • Additional links: Crunchbase
  • Notes: AppLovin SDK requires Google Ads Identifier com.google.android.gms.ads.identifier.*

Avocarrot

  • Website: https://www.avocarrot.com/
  • Comment: Avocarrot is a native mobile advertising platform which provides real rewards on mobile apps.
  • Category: Advertising
  • Code signature: com.avocarrot.sdk
  • Network signature: \.avocarrot\.com
  • Maven repository: https://s3.amazonaws.com/avocarrot-android-builds/dist/
  • Artifact ID: mediation-sdk-nativead
  • Group ID: com.avocarrot.sdk
  • Gradle: com.avocarrot.sdk:mediation-sdk-nativead:4.7.1
  • Additional links: Crunchbase Dev doc
  • Notes: Uses Google Ads

NativeX

  • Website: http://www.nativex.com/
  • Comment: NativeX is the leading ad technology for mobile games.
  • Category: Advertising
  • Code signature: com.nativex.
  • Network signature: mobvista\.com|nativex\.com
  • Maven repository: NC
  • Artifact ID: NC
  • Group ID: NC
  • Gradle: NC
  • Additional links: Crunchbase NativeX Android SDK Dev doc
  • Notes: Acquired by MobVista

@seandiggity seandiggity commented Dec 28, 2017

trying to untangle Baidu location tracking... the maps and location are so closely related in the code I've seen.

Baidu Maps

WeChat Location


@seandiggity seandiggity commented Dec 28, 2017

A quick note - older versions of Tune tracker use the com.mobileapptracker name for the SDK.

Tune

  • Code signature: com.tune|com.mobileapptracker

@seandiggity seandiggity commented Dec 28, 2017

Updates to SafeGraph. Much more detail at https://github.com/YalePrivacyLab/tracker-profiles/blob/master/trackers/SafeGraph.md

SafeGraph OpenLocate

  • Website: https://www.safegraph.com, https://github.com/OpenLocate
  • Comment: SafeGraph specializes in the collection of physical location data for data mining and analytics. OpenLocate is the SDK announced in 2017.
  • Category: [Location]
  • Code signature: com.safegraph.|com.openlocate
  • Network signature: api\.safegraph\.com
  • Maven repository: https://s3-us-west-2.amazonaws.com/openlocate-android/
  • Artifact ID: openlocate-android
  • Group ID: com.openlocate
  • Gradle: com.openlocate:openlocate:1.+
  • Additional links: OpenLocate SDK repo, Crunchbase, Stanford economics paper, Washington Post, The Outline
  • Notes: SafeGraph collected 17 trillion location markers for 10 million smartphones in November 2016. OpenLocate SDK for Android is MIT/Expat licensed.

@seandiggity seandiggity commented Dec 29, 2017

HyperTrack

  • Website: http://hypertrack.com, https://github.com/hypertrack
  • Comment: HyperTrack implements live location sharing and activity tracking.
  • Category: [Maps, Location]
  • Code signature: com.hypertrack.|com.hypertracklive.|io.hypertrack.
  • Network signature: trck.at|hypertrack\.amazonaws.com|api\.hypertrack\.com
  • Maven repository: http://hypertrack-android-sdk.s3-website-us-west-2.amazonaws.com/
  • Artifact ID: hypertrack-live-android
  • Group ID: com.hypertrack
  • Gradle: com.hypertrack:android:0.4.22:release@aar
  • Additional links: HyperTrack SDK repo, Documentation
  • Notes: HyperTrack SDK for Android is MIT/Expat licensed.

@seandiggity seandiggity commented Dec 29, 2017

Uber Analytics

  • Website: https://uber.com
  • Comment: Uber Analytics tracks location and behavior as part of its suite of apps such as Uber, UberEATS, and Uber Driver.
  • Category: Location, Analytics
  • Code signature: com.ubercab.analytics.|com.ubercab.library.metrics.analytics.|com.ubercab.client.core.analytics.
  • Network signature: events.uber.com
  • Maven repository: NA
  • Artifact ID: NC
  • Group ID: com.ubercab
  • Gradle: NC
  • Additional links: Disassembled Uber code, Reverse-engineered Uber code
  • Notes: Uber acquired map and location startup deCarta, which included data and maps from TomTom.

@seandiggity seandiggity commented Dec 29, 2017

Lisnr


@seandiggity seandiggity commented Dec 29, 2017

SilverPush


@seandiggity seandiggity commented Dec 29, 2017

Shopkick


@seandiggity seandiggity commented Dec 29, 2017

Alphonso


@seandiggity seandiggity commented Dec 29, 2017

Smaato

  • Website: https://smaato.com
  • Comment: Smaato is a mobile ad platform that includes video ads.
  • Category: [Advertising, Analytics]
  • Code signature: com.smaato.soma.
  • Network signature: soma.smaato.net|smaato.net
  • Maven repository: NA
  • Artifact ID: NC
  • Group ID: com.smaato.soma
  • Gradle: NC
  • Additional links: Smaato SDK Documentation
  • Notes:

@seandiggity seandiggity commented Dec 29, 2017

Scandit


@seandiggity seandiggity commented Dec 29, 2017

we need to decide how to handle / untangle Google Maps and Location services as well. At the least, the presence of the location services listener should be considered a tracker.

Google Maps

  • Code signature: com.google.android.gms.maps

Google Location Service

  • Code signature: com.google.android.gms.location

@U039b U039b commented Jan 6, 2018

Inrix

  • Website: http://inrix.com/
  • Comment: INRIX offers real-time traffic information solutions that help develop traffic data and traffic speed for freeways, highways and arterials.
  • Category: Location
  • Code signature: com.inrix.sdk
  • Network signature: inrix\.com|inrix\.io
  • Maven repository: NC
  • Artifact ID: NC
  • Group ID: NC
  • Gradle: NC
  • Additional links: Inrix on Crunchbase, Inrix population analytics
  • Notes:

@seandiggity seandiggity commented Jan 12, 2018

Signal360


@kaputnikGo kaputnikGo commented Jan 15, 2018

Signal360 use the Manchester decoder for logic 1s and 0s. This is probably similar methodology for other audio beacon companies.
http://ww1.microchip.com/downloads/en/AppNotes/01470A.pdf


@seandiggity seandiggity commented Jan 15, 2018

thanks for the heads up, I'm sure you're right about this being the most common method. Some of these audio beacons use amplitude, but that's very limited (FidZup's method, if we trust the patent applications). Most seem to use frequency and what they call "frequency shift keying", which is slight changes in frequencies for 0s and 1s. Hypothetically, they could do much more frequency shifts within that 18kHz to 20kHz range (LISNR claims up to 22kHz but I don't know of devices that have that capability), and then they could do hex or the alphabet even.

What's unclear to me is how they have enough bandwidth to get complex data across the wire... the amount of time that someone is in proximity to a speaker with their microphone could be very limited.


@kaputnikGo kaputnikGo commented Jan 15, 2018

one technique is this:
pulses of 1ms, for 32 ms duration == 32 bits
clock pulse (carrier-like) between logic 0 and logic 1 frequency serves as centre freq and start bit.
audio as modulated 1s and modulated 0s
20550 to 21000 for logic 0
21000 to 22000 for logic 1

so if the sdk process hears the carrier frequency it can then start listening for the repeated modulated signals, create a historical cache of recorded signals and then process them for any candidates.
If we assume the signal is unique to time and location then all the sdk needs to do is ping the server with a heard beacon message of a specific type.
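
The scheme described in the comment above, as an added example that is not part of the thread or of any vendor's SDK: it builds a constructed 32-bit frame and checks a capture for it with a Goertzel filter, the kind of check an auditor can run over a recording. The 48 kHz sample rate, the two tone frequencies picked inside the quoted bands, the MSB-first bit order and all function names are assumptions.

```python
import math

SAMPLE_RATE = 48_000            # assumed capture rate (Nyquist 24 kHz)
SYMBOL = SAMPLE_RATE // 1000    # 1 ms pulse = 48 samples
FRAME_BITS = 32                 # 32 pulses of 1 ms
F_START = 21_000                # clock/start pulse between the two bands
F_ZERO = 20_600                 # assumed tone inside the 20550-21000 Hz band
F_ONE = 21_800                  # assumed tone inside the 21000-22000 Hz band


def sine(freq, count=SYMBOL, amplitude=0.2):
    """`count` float samples of a sine at `freq`, starting at phase 0."""
    step = 2 * math.pi * freq / SAMPLE_RATE
    return [amplitude * math.sin(step * n) for n in range(count)]


def goertzel_power(window, freq):
    """Squared DFT magnitude of `window` at `freq` (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in window:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def concentration(window, freq):
    """Share of the window's energy at `freq`; about 1.0 for a pure tone there."""
    energy = sum(x * x for x in window)
    if energy < 1e-9:           # silence: nothing to measure
        return 0.0
    return 2 * goertzel_power(window, freq) / (len(window) * energy)


def encode_frame(value):
    """Constructed test signal: one start pulse, then 32 FSK bits, MSB first."""
    pcm = sine(F_START)
    for bit in range(FRAME_BITS - 1, -1, -1):
        pcm += sine(F_ONE if (value >> bit) & 1 else F_ZERO)
    return pcm


def find_start(pcm):
    """Offset of the 1 ms window most concentrated at F_START, or None."""
    best, best_score = None, 0.9    # below 0.9 the window is not a start pulse
    for off in range(len(pcm) - SYMBOL * (FRAME_BITS + 1) + 1):
        score = concentration(pcm[off:off + SYMBOL], F_START)
        if score > best_score:
            best, best_score = off, score
    return best


def decode_frame(pcm, start):
    """Read the 32 pulses after the start pulse by comparing the two tone powers."""
    value = 0
    for i in range(1, FRAME_BITS + 1):
        window = pcm[start + i * SYMBOL:start + (i + 1) * SYMBOL]
        bit = goertzel_power(window, F_ONE) > goertzel_power(window, F_ZERO)
        value = (value << 1) | int(bit)
    return value


def scan(pcm):
    """Return (start offset, decoded value) if a frame is present, else None."""
    start = find_start(pcm)
    return None if start is None else (start, decode_frame(pcm, start))


# Constructed inputs: silence, one frame, silence; and a 440 Hz tone with no beacon.
PAYLOAD = 0xC0FFEE42
CAPTURE = [0.0] * 500 + encode_frame(PAYLOAD) + [0.0] * 200
AUDIBLE_ONLY = sine(440, count=4000)

if __name__ == "__main__":
    print("capture:", scan(CAPTURE))
    print("audible only:", scan(AUDIBLE_ONLY))
```

With 1 ms pulses a 48-sample window resolves only about 1 kHz, so the start pulse is located by how purely a window sits at 21 kHz rather than by separating it from the neighbouring data tones.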


@seandiggity seandiggity commented Jan 15, 2018

we should talk off-thread, but that's potentially ~24KB per minute at most? something like that?


@seandiggity seandiggity commented Jan 16, 2018

Byyd (Adfonic)

  • Website: http://byyd.com
  • Comment: Formerly Adfonic. "Find your target audience using first- and third-party data about users"
  • Category: Analytics
  • Code signature: com.adfonic.android.|com.byyd.
  • Network signature: byyd\.me|byyd-tech\.com|adfonic\.com
  • Maven repository: NA
  • Gradle: NA
  • Group ID: com.adfonic
  • Gradle: NA
  • Additional links:
  • Notes:

Mixpanel

  • Website: https://mixpanel.com
  • Comment: "Deeply understand every user's journey with instant insights for everyone on mobile and web."
  • Category: Analytics
  • Code signature: com.mixpanel.android.
  • Network signature: api.mixpanel.com|decide.mixpanel.com
  • Maven repository: NA
  • Gradle: NA
  • Group ID: com.mixpanel
  • Gradle: NA
  • Additional links:
  • Notes:

Phunware

  • Website: https://phunware.com
  • Comment: "Phunware supports every stage of mobile application lifecycle management. Create the ideal mobile application for your business, build and monetize your app’s audience, and create hyper-personalized mobile experiences with our exclusive data."
  • Category: Analytics
  • Code signature: com.phunware.analytics.
  • Network signature: cms-api.phunware.com|phunware.com
  • Maven repository: NA
  • Gradle: NA
  • Group ID: com.phunware
  • Gradle: NA
  • Additional links:
  • Notes:

Gimbal

  • Website: https://gimbal.com
  • Comment: "Gimbal helps brands and agencies perfect their marketing relevance for consumers using physical-world data."
  • Category: Analytics, Location
  • Code signature: com.gimbal.android.
  • Network signature: gimbal.com|analytics-server.gimbal.com
  • Maven repository: NA
  • Gradle: NA
  • Group ID: com.gimbal
  • Gradle: NA
  • Additional links:
  • Notes:

@seandiggity seandiggity commented Jan 26, 2018

Google Usage Stats

  • Website: http://google.com
  • Comment: Android app usage statistics.
  • Category: Usage Statistics
  • Code signature: android.app.usage.UsageStats|android.app.usage.UsageStatsManager
  • Network signature: NA
  • Maven repository: NA
  • Gradle: NA
  • Group ID: android.app.usage
  • Gradle: NA
  • Additional links: Usage Stats, Usage Stats Manager
  • Notes:

@kheops2713 kheops2713 commented Jan 30, 2018

I just came across Segment (https://segment.com), a tracker that happens to be integrated into Mattermost, a self-hostable chat platform that is very popular now in the FLOSS community.

One of their clients, whose use of the data looks the most cynical to me: https://segment.com/customers/xo-group

They do seem to be collecting data from Android as well: https://segment.com/docs/sources/mobile/android/. Interestingly enough, their Android client/library (I am not sure what I am talking about) seems to be open source.


@seandiggity seandiggity commented Jan 30, 2018

Thanks. We do have Segment listed as a tracker in Exodus, but it would be great if you could provide more detail in this thread so that we can fill out the tracker profile more completely. Try to take a look at some of the more detailed profiles above, or the ones we did at https://github.com/YalePrivacyLab/tracker-profiles

https://reports.exodus-privacy.eu.org/trackers/62/


@mildis mildis commented Jan 31, 2018

NewRelic

  • Website: https://www.newrelic.com
  • Comment: App usage stats
  • Category: Analytics
  • Code signature: com.newrelic.agent
  • Network signature: nr-data.net|newrelic.com
  • Maven repository:
  • Artifact ID: android-agent
  • Group ID: com.newrelic.agent.android
  • Gradle: com.newrelic.agent.android:android-agent com.newrelic.agent.android:agent-gradle-plugin
  • Additional links:
  • Notes: Requires android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE

@seandiggity seandiggity commented Feb 2, 2018

Changes to Signal 360:

Signal360


@jawz101 jawz101 commented Apr 3, 2018

thanks. right now I'm going through that uniq_list file and removing obfuscated portions, google and android classes, and some things that look generally innocuous. Kinda interesting. Finding some stuff I hadn't seen before.


@jawz101 jawz101 commented Apr 27, 2018

I just went through and added/updated all of the ones I'd collected info for. Do you all expect to reanalyze the apps for any new trackers that've been identified?

And does the progress bar beside each tracker on the https://etip.exodus-privacy.eu.org site mean it won't be ready until 100% completed?

Is someone going through our entries and making fixes? Like, I know some of the gradle entries I put are probably not always going to be a particular version number and some domains are randomly generated (ex: 234234135.mobileapptracking.com or whatever) so I didn't know if they get a better rule written.


@Manu1400 Manu1400 commented Apr 30, 2018

Opentracker


@IzzySoft IzzySoft commented Nov 14, 2018

Not sure which of these count as "trackers" (so please don't just copy them over unverified), but all of the below fall into the category "mobile analytics":

Codahale Metrics

  • Website: http://metrics.dropwizard.io/
  • Comment:
  • Category: [Analytics]
  • Code signature: com.codahale.metrics
  • Network signature:
  • Maven repository: https://mvnrepository.com/artifact/com.codahale.metrics
  • Artifact ID:
  • Group ID:
  • Gradle:
  • Additional links:
  • Notes: "Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment."

Microsoft Azure Analytics

Parse.com

Splunk MINT

FlowUp

Keen Java Clients

  • Website: https://github.com/keenlabs/KeenClient-Java
  • Comment:
  • Category: [Analytics]
  • Code signature: io.keen.client.java
  • Network signature:
  • Maven repository: https://mvnrepository.com/artifact/io.keen
  • Artifact ID:
  • Group ID:
  • Gradle:
  • Additional links: https://keen.io/docs
  • Notes: "The Keen Java clients enable you to record data using Keen from any Java application. The core library supports a variety of different paradigms for uploading events, including synchronous vs. asynchronous and single-event vs. batch. Different clients can be built on top of this core library to provide the right behaviors for a given platform or situation."

@kaputnikGo kaputnikGo commented Nov 14, 2018

Are you still accepting submissions here for new trackers?


@IzzySoft IzzySoft commented Nov 14, 2018

@kaputnikGo with the issue not closed, I assumed so 🙀


@jawz101 jawz101 commented Nov 15, 2018

I would just ask @uo39b for access to their etip website. I moved all of my submissions into it directly. But it doesn't look like any I did submit were ever officially added which stinks because I have several hundred more I could likely find in here :/

https://raw.githubusercontent.com/jawz101/MobileAdTrackers/master/hosts


@IzzySoft IzzySoft commented Nov 15, 2018

@U039b if you're indeed no longer accepting submissions here (which I hope is not the case), it might be a good idea to say so (and to close this issue) 😉

@jawz101 feel free to pick my above reported and add them from your side.


@jawz101 jawz101 commented Nov 15, 2018

@IzzySoft @kaputnikGo There's a way to get an account on that site by emailing him here


@seandiggity seandiggity commented Nov 15, 2018

Exodus Privacy has new leadership and may just not be aware of this github issue. I can send them upstream via https://etip.exodus-privacy.eu.org but you're right, let's figure out a workflow that works for everyone. Thanks all!


@seandiggity seandiggity commented Nov 15, 2018

also, you can just put these in our YalePrivacyLab repo for tracker profiles, where we're also gathering new info... I will invite all of you as contributors.


@IzzySoft IzzySoft commented Nov 15, 2018

@seandiggity I'm not sure if I'll report trackers regularly – but sure it's good to know where to put them, and they hopefully will make their way into Exodus. You also can find my full library list (which not only contains trackers, but all kinds of libraries used in Android apps) in my GitLab repo if you're interested.

Further I'm not sure if I can provide full descriptions as you keep them in your repo. Is it OK to commit partially filled samples? Do you want them submitted directly to your repo, or via PRs?


@U039b U039b commented Nov 15, 2018

Hi all!
This issue should be closed since https://etip.exodus-privacy.eu.org has been developed in order to ease and centralize trackers categorization and description.
If you want an ETIP account, feel free to send me an email to exodus@0x39b.fr specifying your desired username + email address and I will send you a temporary password. Once registered, you will be able to freely contribute to the tracker identification process.

We invite you to share/sync trackers info between ETIP and the Yale Privacy lab repo.

Cheers!


@IzzySoft IzzySoft commented Nov 15, 2018

Thanks for the heads-up, @U039b! Waiting for advice concerning "incomplete records" (I can't provide full ones as I've got no idea how to fill the gaps – especially network signature, Maven specifics and gradle; I'm not a dev) and "distribution guidelines". If that's permitted, I'll accept the invitation and share my findings.

Speaking of which: are there any issues with your scanner currently? For several hours now I'm always told to come back later as the queue is filled. Something hanging?


@U039b U039b commented Nov 15, 2018

@IzzySoft it seems that some tasks are stuck in the queue, we will investigate ;-)

Regarding ETIP fields, network signature is a REGEX matching domain names (e.g. app-measurement.com) used by a tracker. For the other fields you mentioned, ignore them if you do not know what they mean.


@U039b U039b commented Nov 15, 2018

@IzzySoft no more "come back later" ;-)


@IzzySoft IzzySoft commented Nov 15, 2018

> it seems that some tasks are stuck in the queue

that was my assumption, too.

> no more "come back later"

@U039b just noticed – thanks a lot! 👍 👏 🕺 🤸‍♂

> Regarding ETIP fields, network signature is a REGEX matching domain names (e.g. app-measurement.com) used by a tracker.

Yes, so far I got. But it's domain names the corresponding tracker contacts, right? I've got no idea how to figure that. I'm just performing a basic static analysis of path names on the Smali, which is how I found some hundred libraries – those above trackers among them. So if I want someone else (here: you) to fill the gaps, you'd need a sample? Or could I simply skip this as well?

> For the other fields you mentioned, ignore them if you do not know what they mean.

That's good to know! Maybe it would be a good idea to have a simple tutorial on the other repo, for folks like me who know enough to contribute but not enough to make "complete" submissions?


@U039b U039b commented Nov 15, 2018

> thanks a lot!

You are welcome!

> But it's domain names the corresponding tracker contacts, right?

Domain names correspond to the remote servers contacted by the trackers to send collected data. You can find them by analyzing the network traffic of an application which uses a given tracker or by inspecting the binary looking for URLs or domains.

> So if I want someone else (here: you) to fill the gaps, you'd need a sample?

Unfortunately, I am a bit busy. Anyway, once you have listed path names (you probably mean Java packages, you will find more details here) you have to check what packages correspond to a tracker. Then, you can create a new one in ETIP and provide information you have gathered about the tracker.

> Maybe it would be a good idea to have a simple tutorial

It would be nice to have tutorials for ETIP and Exodus-core, unfortunately, I do not have time :-/ But anybody can create a tutorial and we will be happy to put it at the right place ;-)


@IzzySoft IzzySoft commented Nov 15, 2018

Thanks @U039b – and I know exactly what you mean by "not enough time", as that's my situation, too …

And yes, that's what I meant by "static analysis" – though I use a different tool for it.


@kaputnikGo kaputnikGo commented Nov 15, 2018

Added basic tracker submission template and first example to the Yale repo with the intention of enabling a quick and easy way to get proper new tracker info into Exodus - https://github.com/YalePrivacyLab/tracker-profiles
And also to figure out the best method to add new trackers to Exodus.


@seandiggity seandiggity commented Nov 15, 2018

That Taplytics profile looks great, thanks. Will make sure these go upstream, so if it's lower barrier-to-entry to submit to the YPL repo that's fine (then there's less reason to bother EP and @U039b for Etip accounts etc. as well).


@kaputnikGo kaputnikGo commented Nov 16, 2018

Added 8 more taken from here, will keep using the commit summary with "basic tracker" to help ID when they go up in this format. fyi i check the yale tracker list, https://reports.exodus-privacy.eu.org/trackers/ and https://etip.exodus-privacy.eu.org/ before adding them, so hopefully that covers everything.


@jawz101 jawz101 commented Nov 16, 2018

@U039b In the past, sometimes when I entered in network signatures and gradle string, I didn't really know the regex pattern to use. Some had version numbers in the gradle files I could find so I didn't know how you put those in to scan on your end. Are you all doing any fixes to our submissions when you see them like this?

example deltaDNA: com.deltadna.android:deltadna-sdk:4.10.0 should actually need to be entered with a wildcard but I didn't know the syntax to wildcard it.

And from their network traffic they follow this pattern:

collect9903crssb.deltadna.net
collect9999rsstn.deltadna.net
engage10059bltbg.deltadna.net
engage10077vpspd.deltadna.net

but I just entered deltadna.net

@IzzySoft as for the extra fields such as

Maven repository:
Artifact id:
Group id:
Gradle:

This is where I just start googling for their developer documentation. That's where it takes a little research. Say, for deltaDNA I would search Google for blahblah sdk.

deltaDNA sdk
There's also sites devoted to junk like this such as programmableweb.com
first result takes me to their developer integration documentation where app developers get instructions on how to add the ad code into their apps.

example documentation

And then I click around until I find the android documentation and search for words like com.deltadna or whatever the code string I found is as well as gradle & maven. Sometimes I get lucky and see a maven repository link or whatever and I write that down
`maven { url 'http://deltadna.bintray.com/android' }`
and then open the url or maybe search Google again example
a lot of them seem to use that bintray site. At this point I click around on this page and find something like this page
https://bintray.com/deltadna/android/deltadna-sdk

has a little thingy at the bottom that says maven and shows

```xml
<dependency>
  <groupId>com.deltadna.android</groupId>
  <artifactId>deltadna-sdk</artifactId>
  <version>4.10.1</version>
  <type>pom</type>
</dependency>
```

and a second tab called gradle that shows
`compile 'com.deltadna.android:deltadna-sdk:4.10.1'`

It was just all guesses to see if I could find what the etip site was looking for and all of these 3rd party companies seem to have these sorts of steps in their documentation to integrate ads & analytics


@seandiggity seandiggity commented Nov 16, 2018

> Added 8 more taken from here, will keep using the commit summary with "basic tracker" to help ID when they go up in this format. fyi i check the yale tracker list, https://reports.exodus-privacy.eu.org/trackers/ and https://etip.exodus-privacy.eu.org/ before adding them, so hopefully that covers everything.

Right, that should. We'll be adding quite a few more to the YPL repo as part of the crowdsourcing I'm doing via Mozilla Open Leaders project.


@jawz101 jawz101 commented Jan 7, 2019

Over the past couple of weeks I've done quite a bit of work on the etip site. Filled in a lot of blanks on existing signatures and added maybe 20-40... I can't tell. Anyways, has anyone from the project taken a look at them?

I'd like to fix my mistakes if I did anything incorrect. My main concerns are the format of the regex on the network signatures as well as what we do if the build.gradle entries could have versions. like if com.example.sdk.1.2.3 is what we find, that would assume there are other versions, so would we not use a regular expression to look for the consistent information?

Additionally, do the scans just try to look for at least one of these identifying bits or if all of the characteristics are there (code signature, network signature, maven & gradle info must all be found or at least one of them must be found?) The reason I ask is because I went into existing entries and added maven repository information if I could find it but it looks like some tracker sdk's give instructions to proguard their code so I wonder if it may mean Exodus may never see that information on which to detect them, thus adding that information may break the detection rule if Exodus identifies a tracker only if all identifying bits are present.

Also, is there a preference to which repository to which volunteers should contribute: etip vs. YPL? It seems like doing things twice.


@jawz101 jawz101 commented Jan 25, 2019

fwiw, I've kept adding more and occasionally looked at existing entries. For example, Unity Ads is likely underreporting. After reviewing their developer documentation, a code signature of com.unity3d.ads would just pick up their legacy sdk version. Their newer sdk would be com.unity3d.services.

Now I'm taking a look at some of the apps exodus lists as having no trackers and finding ones missed :P I don't know how to represent some of the situations as there are a lot of companies in the business of sdk's to manage an app's other trackers. As an added bonus, doing so also results in more international companies being found.

Actually, this might be a good practice moving fwd as this filter of No Tracker apps should almost be a representation of "clean" apps, which actually makes it a pretty compelling set of apps to review.
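
The regex questions raised in this thread (network signatures being regexes over domain names, the deltaDNA hosts, and the Unity Ads prefix) worked through as an added example that is not Exodus or ETIP code. It assumes signatures are applied as unanchored regex searches over dotted class names and hostnames; the `audit` and `literal_alternatives` helpers, the `UNITY_BROADENED` string and every name marked "constructed" are assumptions.

```python
import re

# Signatures as they appear in the thread (unescaped dots included).
CODE_SIGNATURES = {
    "Tune": "com.tune|com.mobileapptracker",
    "Unity Ads": "com.unity3d.ads",
}
# Illustrative only: the two prefixes named in the Unity Ads comment above.
UNITY_BROADENED = "com.unity3d.ads|com.unity3d.services"
NETWORK_SIGNATURES = {
    "HyperTrack": r"trck.at|hypertrack\.amazonaws.com|api\.hypertrack\.com",
    "deltaDNA": "deltadna.net",
}

CLASSES = [
    "com.applovin.adview.AppLovinInterstitialAdDialog",  # from report 37, dotted
    "com.unity3d.ads.android.UnityAds",                  # from report 37, dotted
    "com.mobileapptracker.MobileAppTracker",             # constructed
    "com.tune.Tune",                                     # constructed
    "com.tunefulapps.player.Main",                       # constructed, unrelated app
    "org.example.telecom.tuner.Dial",                    # constructed, unrelated app
    "com.unity3d.services.ads.UnityAds",                 # constructed, newer prefix
]
HOSTS = [
    "collect9903crssb.deltadna.net",      # the four hosts quoted in the thread
    "collect9999rsstn.deltadna.net",
    "engage10059bltbg.deltadna.net",
    "engage10077vpspd.deltadna.net",
    "api.hypertrack.com",
    "trck.at",
    "trck-attribution.example.org",       # constructed, unrelated
    "deltadna-net.example.org",           # constructed, unrelated
    "api.hypertrack.com.example.net",     # constructed, unrelated
]


def literal_alternatives(signature):
    """Treat each '|' alternative as a literal name and escape it fully.

    Assumes the signature uses no regex syntax other than '|' and '\\.'.
    """
    parts = []
    for alt in signature.split("|"):
        alt = alt.replace("\\.", ".").strip(".")   # undo partial escaping
        parts.append(re.escape(alt))
    return "|".join(parts)


def audit(signature, names, kind):
    """Compare the signature as submitted with an escaped, anchored version.

    kind="code": match a package prefix; kind="network": match a domain suffix,
    which also covers hosts with generated subdomains.
    """
    lits = literal_alternatives(signature)
    if kind == "code":
        strict = re.compile(rf"^(?:{lits})(?:\.|$)")
    else:
        strict = re.compile(rf"(?:^|\.)(?:{lits})$")
    loose = re.compile(signature)
    loose_hits = [n for n in names if loose.search(n)]
    strict_hits = [n for n in names if strict.search(n)]
    return {
        "loose": loose_hits,
        "strict": strict_hits,
        "false_positives": [n for n in loose_hits if n not in strict_hits],
    }


if __name__ == "__main__":
    for name, sig in CODE_SIGNATURES.items():
        print(name, audit(sig, CLASSES, "code"))
    for name, sig in NETWORK_SIGNATURES.items():
        print(name, audit(sig, HOSTS, "network"))
    print("Unity broadened", audit(UNITY_BROADENED, CLASSES, "code")["strict"])
```

A bare `deltadna.net` already covers the generated subdomains because the search is unanchored; the cost is that the unescaped dot and missing anchors also let unrelated names through, which is what the `false_positives` list shows.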


@simpnu simpnu commented Jan 30, 2019

Hi @jawz101 !

> Over the past couple of weeks I've done quite a bit of work on the etip site. Filled in a lot of blanks on existing signatures and added maybe 20-40... I can't tell. Anyways, has anyone from the project taken a look at them?

Thanks a lot for your work (and sorry for the late reply), it is greatly appreciated by the Exodus Privacy team :). Unfortunately we have not got the time recently to look through the new entries in ETIP and import the data from ETIP to exodus. We plan to work on this and will try to find some time in the coming weeks but this is quite a tedious task.

> Additionally, do the scans just try to look for at least one of these identifying bits or if all of the characteristics are there (code signature, network signature, maven & gradle info must all be found or at least one of them must be found?) The reason I ask is because I went into existing entries and added maven repository information if I could find it but it looks like some tracker sdk's give instructions to proguard their code so I wonder if it may mean Exodus may never see that information on which to detect them, thus adding that information may break the detection rule if Exodus identifies a tracker only if all identifying bits are present.

As it is explained on this page, what we look for is the signature of the tracker. So AFAIK the maven & gradle information will not affect the tracker identification.

Cheers !


@simpnu simpnu commented Jan 30, 2019

> This issue should be closed since https://etip.exodus-privacy.eu.org has been developed in order to ease and centralize trackers categorization and description.

We are now closing this issue.

If you want an ETIP account, feel free to send an email to etip@exodus-privacy.eu.org specifying your desired username + email address and we will send you a temporary password. Once registered, you will be able to freely contribute to the tracker identification process.

Thanks again to everyone contributing to the tracker identification :).
Cheers !

@simpnu simpnu closed this Jan 30, 2019