Report: Aurora Mobile’s JPush SDK
Over the past 9 months, our team, with our IDAC and ICSI partners, have been tracking an SDK published by analytics and marketing company, Aurora Mobile Limited, or JiGuang, and its use in Android apps. Aurora Mobile offers developers a variety of libraries that support common mobile app features, like social sharing and login, analytics, and SMS verification codes. However, its push notification library, JPush, is what first caught our attention, with behavior that seems to stretch beyond the bounds of providing push notification functionality, and which raises questions about utility libraries like JPush in the app and developer ecosystem.
Our analysis, which you can read in detail in our newly-published report, examines 31 apps that contain the JPush SDK, and the problematic behaviors they exhibit with respect to the security and privacy of users and their data:
Invasive Personal Data Collection
Many of the apps we tested transmitted data to Aurora Mobile’s servers that can be used to uniquely identify and track users, such as IMEI numbers, MAC addresses, serial numbers, and precise location data. Some of the unique identifiers transmitted (e.g., IMEI) can only be changed through means that are typically unavailable or cumbersome to the average user (e.g., rooting the device), or are available through side-channels that improperly reveal device information (e.g., MAC address). However, surprisingly, JPush also collects behavioural information about its users, by collecting the names of installed apps, and notifying Aurora Mobile’s servers whenever a new app is installed, or an existing one is removed.
While Android is continually evolving to provide better built-in privacy protections for this kind of data, changes take time to propagate through the Android user base, allowing problems to persist. Meanwhile, SDKs like JPush are able to continue to collect sensitive information about users and their devices and give Aurora Mobile the opportunity to track users without their knowledge or consent (practically speaking).
During our testing, we noticed that several apps transmitted data to Aurora Mobile’s servers without the user directly interacting with those apps. For example, after installing an app, rebooting the device, and unlocking the screen, we observed transmissions of location and other data to Aurora Mobile from apps with the JPush SDK embedded in them.
Many of the features the Android system provides are mitigated by a system of “permissions”, such as access to GPS sensor data (i.e., to capture the device’s location) or the video feed from the device’s camera. The potential for some of these permissions to allow invasive behaviour is less obvious, such as the RECEIVE_USER_PRESENT permission, which lets apps know when the user turns on and unlocks their screen. The JPush SDK documentation recommends declaring and requesting this permission to developers in its documentation, and suggests that it is required for use within the provided code samples.
Unusual Security Practices
Looking deep into the construction of JPush, our team uncovered several unusual practices concerning code obfuscation and methods for encrypting and transmitting data, some of which mirror the evasive techniques commonly found in malware.
In some versions of the JPush SDK that we examined, data was transmitted to Aurora Mobile’s servers using a non-standard encryption mechanism (a practice which is almost always discouraged), which was inherently broken due to the decryption key being available within the same transmission as the encrypted data. (We found similar implementations across versions, some using UDP or TCP, but not QUIC or HTTP+TLS, as expected, and others using HTTP+TLS in addition to the aforementioned encryption system.)
We also noticed an attempt to frustrate third-party examinations of the JPush SDK. The JPush “byte code” (what most Android apps are made of) was found to be obfuscated using a customized algorithm. Obfuscation is a practice that makes the inspection of code and data more difficult. However, the techniques we observed in the JPush SDKs embedded in some of the apps we examined were ultimately ineffective, and added bloat to the app, due to extra memory and processing requirements to use it.
While third-party SDKs are meant to make software development easier and less error-prone, the Android ecosystem is full of examples that demand more scrutiny with regard to protecting users’ privacy. Aurora Mobile’s JPush SDK is one such example, providing push notification functionality to developers, but also collecting a variety of sensitive user data through unofficial means (that are likely prohibited by Google’s Play Store policies), and attempting to mask its construction and data transmission techniques.
According to metadata available on the Google Play Store, JPush is embedded in apps that are installed on tens of millions of devices worldwide. Aurora Mobile’s ability to use JPush to harvest user data (not even considering its other offerings, JAnalytics, JMessage, JSMS, and JShare) is therefore vast.
For more details about the list of apps we examined, the data they collect, and in depth discussion about JPush’s behaviors and construction, read our newly-published report.