Joel Reardon

What the Huq?

Huq Industries is a UK company that provides location-based services and mobility data, some of which is collected via an SDK that is integrated with various apps. From Huq’s marketing materials: “The most accurate grade of mobility data is derived from the mobile OS via (A-)GPS using a first-party specialised SDK such as ours.” We had previously seen Huq’s SDK present in a number of apps, collecting precise GPS location, as well as both connected… Continue Reading

Joel Reardon

Why Google Should Stop Logging Contact-Tracing Data

Earlier, we wrote about some attacks that can be done in GAEN-based contact-tracing systems, which is the Google-Apple Exposure Notification system that is used by many countries and regions worldwide to do digitally-assisted contact tracing. Recently, we found that Google’s implementation of GAEN logs crucial pieces of information to the system log, which can be read by hundreds of third-party apps and used for the privacy attacks that we previously warned about. We’ll start with… Continue Reading

Joel Reardon

Proximity Tracing in an Ecosystem of Surveillance Capitalism

Co-written with Paul-Olivier Dehaye and Bobby Richter There are billions of smartphones around the world and many are close to their owners at all times. For this reason, they have been recruited to help with contact tracing for the COVID-19 pandemic as they are able to record every proximate encounter you have with a friend, acquaintance, or a stranger. Your phone can detect other nearby phones using wireless technologies like Bluetooth, and this means it… Continue Reading

Bobby Richter

Snapshot of Privacy Behaviors in the Australian Android App Ecosystem

ACCC’s press release can be found on the ACCC website and a direct link to the published report can be found here. In October, as part of its Digital Platform Services Inquiry and ongoing efforts to protect consumers and promote competition, the Australian Competition and Consumer Commission (ACCC) published our report detailing the behaviors of 1,000 of the most popular apps available in the Australian Android app market, including 103 Health-related apps, 100 Kids’ apps,… Continue Reading

Bobby Richter

Report: Aurora Mobile’s JPush SDK

Over the past 9 months, our team, with our IDAC and ICSI partners, have been tracking an SDK published by analytics and marketing company, Aurora Mobile Limited, or JiGuang, and its use in Android apps. Aurora Mobile offers developers a variety of libraries that support common mobile app features, like social sharing and login, analytics, and SMS verification codes. However, its push notification library, JPush, is what first caught our attention, with behavior that seems… Continue Reading

Serge Egelman

Spanish COVID-19 Apps

On April 3rd 2019, the World Health Organization (WHO) published a press release announcing the results of a coordinated effort led by the WHO Digital Health Technical Advisory Group to develop technical solutions that could trace the development of the COVID-19 infection, perform population screening, and more efficiently allocate limited medical resources. In the early days of the COVID-19 pandemic outbreak, countries like Singapore, South Korea, Taiwan, Italy and Spain released—either at a regional or… Continue Reading

Joel Reardon

Baidu and Salmonads Saving IMEI on the Filesystem

We discussed the rampant collection of IMEI earlier, and actually we found something even stranger about apps so casually sending the IMEI: we noticed that a few apps were sending the IMEI to 3rd parties but they didn’t have the permission they needed to access it! This is definitely not supposed to happen. What’s going on? Could there be a security bug in Android that’s being exploited? Or maybe the app gets the IMEI from… Continue Reading

Joel Reardon

Apps Using Side and Covert Channels

The 2019 USENIX Security Symposium includes our study on the use of side and covert channels by apps in order to circumvent the permission system. In addition to our paper, we are writing a series of blog posts to explain our main findings. In this post, the first in the series, we provide the names, versions, and MD5 hashes of the affected apps (Android APKs). Baidu As we noted in a previous post, every phone… Continue Reading

Joel Reardon

Why do you even need the IMEI?

The International Mobile Equipment Identity, or IMEI, is a special number that is tied to every unique mobile phone. It is used whenever the phone is registered on a mobile network. It can also be used to blacklist a phone off of the network, which happens, for example, when it is reported as stolen. Blacklisting keeps phones off the network even if the SIM card or telephone number changes. For it to be effective for… Continue Reading

Serge Egelman

Ad IDs Behaving Badly

The Ad ID Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use, including what you do within those apps. A persistent identifier is just a unique number that is used to either identify you or your device. Your Social Security Number and phone number are examples of persistent identifiers used in real life; cookies use persistent… Continue Reading