Report: Aurora Mobile’s JPush SDK

Over the past 9 months, our team, with our IDAC and ICSI partners, have been tracking an SDK published by analytics and marketing company, Aurora Mobile Limited, or JiGuang, and its use in Android apps. Aurora Mobile offers developers a variety of libraries that support common mobile app features, like social sharing and login, analytics,… Continue reading


Spanish COVID-19 Apps

On April 3rd 2019, the World Health Organization (WHO) published a press release announcing the results of a coordinated effort led by the WHO Digital Health Technical Advisory Group to develop technical solutions that could trace the development of the COVID-19 infection, perform population screening, and more efficiently allocate limited medical resources. In the early… Continue reading




Why do you even need the IMEI?

The International Mobile Equipment Identity, or IMEI, is a special number that is tied to every unique mobile phone. It is used whenever the phone is registered on a mobile network. It can also be used to blacklist a phone off of the network, which happens, for example, when it is reported as stolen. Blacklisting… Continue reading


Ad IDs Behaving Badly

Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use, including what you do within those apps. A persistent identifier is just a unique number that is used to either identify you or your device. Your Social Security Number and phone number are examples of persistent identifiers used in real life; cookies use persistent identifiers to identify you across websites.


Tiny Lab Responds

In our work looking at COPPA violations, one company really stood out: Tiny Lab Productions. They currently have 98 games available in the Play Store. Most of these games are in Google’s Designed for Families (DFF) program, which means that the developer is specifically marketing their apps to children under 13. We cited them in… Continue reading


Apps sending location, secretly.

One of the things we noticed when doing our large-scale study of children’s games was that way more apps were accessing location data than were seen actually sending it. In some ways this makes sense—COPPA quite explicitly forbids sending location data without verifiable parental consent, something that our testing framework did not provide. Nevertheless, since… Continue reading


We get letters

In late February of this year, we received word that an advertising company, ironSource, had obtained a leaked draft of our paper on COPPA violations in Android apps. In that version of the paper, we mentioned them (and their subsidiary, Supersonic) exactly once: in a table of advertising SDKs whose terms of service prohibit their… Continue reading