Beware those snooping mods!

Ad modules in Android apps are a daily fact. Same can be said for Analytic modules. Only few of all those are really fully harmless. But some are especially bold, and are better avoided:

The following list is far from being complete; these are just modules that have come to my „special attention“. Some apps contain up to ten or more of those ad/analytics modules. Which that are in each case can, if the app in question is listed in the Google Playstore, found out by a click on the Appbrain Icon next to its name. Also see: Ad-Modules and Privacy Checker in the app lists.

Developers: The excuse of „I didn't know“ or „I wasn't aware“ at maximum counts in cases where the permissions have not been that obvious. But as soon as you had to explicitly request things accessing PII it must be assumed you don't care for the privacy of your users – so those concerned for their privacy should be advised not to use any of your apps, as you probably didn't care there either.

General links

• How—And Why—Apple, Google, And Facebook Follow You Around In Real Life (12/2017)
• Staggering Variety of Clandestine Trackers Found in Popular Android Apps (11/2017)

Contents

• Analytics
  • AppsFlyer
  • Crashlytics
  • Dynamic Yield
  • Facebook
  • Firebase
  • Flurry Analytics
  • Google Analytics
  • Mixpanel
  • Sense360
  • Tealium
  • Umeng
• Advertisement
  • AdMarvel
  • AdMob
  • AdsMogo
  • Airpush
  • Avocarrot
  • Burstly
  • CallDorado
  • Cartboost
  • DoubleClick
  • inMobi
  • LeadBolt
  • LiveRail
  • Millenial Media
  • Mobclix/Axonix
  • MobFox
  • mobilCore
  • MobPartner
  • mOcean
  • Moolah
  • MoPub
  • RevMob
  • sellAring
  • Smaato
  • Tap for Tap
  • Tapjoy
  • Tencent Social Ads
  • Upside
  • YouMi

---

Analytics

AppsFlyer

On the surface, AppsFlyer seems to be pretty sensitive. On their blog they encourage developers to find a good balance and don't collect what they don't need – explicitly warning about the dangers involved with collecting PII in detail.

Their privacy policy informs about data they collect:

The data collected by the SDK includes information such as IP address, User agent, platform, SDK version, anonymous User ID, time stamp Developer Key, application version, device identifiers such as: IDFA (Identifier For Advertisers), Android ID (Android device), Google Advertiser ID, device model, manufacture, OS version, in-app events, and network status (WiFi/3G).

If it's really restricted to that, it sounds not that bad. Concerning sharing collected data, this seems to be restricted for internal use and the dev's Dashboard (with the exception of „lawful demand“). Additionally, data is stored encrypted to keep it safe. They however keep the option to share „aggregated data“ with their business-partners.

And now guess who those might be. Exodus Privacy provides a list of them, which is rather long (and even that one is abbreviated). Prominent names include (but are not restricted to) Google, Facebook, Flurry, Tapjoy, Tencent…

Further, the AppsFlyer framework enables apps to work around security measures, which was e.g. used by shady devs to install malware from the Soraka network.

It also fingerprints devices by their IDs, tracks users across datasets to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps (The Intercept).

Permissions required by AppsFlyer:

• required: INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE
• optional: READ_PHONE_STATE

---

Crashlytics

The name suggests a combination of two words, and so this library is intended for „crash analytics“ – i.e. analyse why an app crashed. But then, why does it send data even there was no crash – for example right at the start of an app? And what for are identifiers like the device's Android_ID included? At least questionable.

Information gathered includes a.o.: Developer-Token, API-Key, OS version, client version, an Installation-ID, Android_ID and GAID. The Intercept further points out that Crashlytics can also link users across multiple cookies and devices.

Permissions required by Crashlytics:
INTERNET

---

Dynamic Yield

According to Exodus Privacy:

• Targets user location and proximity via geofencing, geotargeting, using GPS/WiFi/location data
• Alters app functionality based upon user profiles
• Loads (targeted) advertisements; Location-based ad pushing, Real-world location targeting
• Targeted advertising based on consumer actions
• Targets across devices, channels and/or platforms
• Analytics AI and machine learning, Audience segmenting
• Collects Personally Identifiable Information (PII) and Sensitive Personal Information (SPI)
• Identifies users via Google ID (AAID) / iOS ID (IDFA)
• Offers analytics activity and reports to app developers
• Performs cross-device identification
• Profiles users via Personally Identifiable Information (PII) and Sensitive Personal Information (SPI)
• Stores personal profile data (name, address, phone)

So this belongs to Analytics as well as Advertisement; a real bummer.

---

Facebook

Let me translate what security expert Mike Kuketz wrote:

… I find that almost every app integrates a »Facebook-Bug«. Regardless whether you have a Facebook-Account or not, at each and every start of the app and while it is running, a connection to »graph.facebook.com« is established. Via that, a.o. the following details are transmitted:

Google Advertising ID, whether Ad-Tracking is activated / allowd, package name & version number of the app, Android version number, device model, country code, time zone, display resolution …

Above mentioned details are sufficient for Facebook to determine you are using this specific app. You don't believe this? Look here: Leserfrage: Warum weiß Facebook welche Apps ich nutze?

And that's just the „peak of the iceberg“. For example, just by above mentioned details Facebook cannot only determine that you're using that specific app – but also how often, at what times, and more.

Note that Facebook is one of the biggest data collectors, so I'd definitely count this a „privacy intrusion“.

Luckily I don't need to list all privacy scandals here myself (I couldn't possibly manage to keep that list up-to-date as they happen faster than I can type): Someone already does that. Go here to find out how many days have passed since the last one. Seems to be rarely more than a week.

---

Firebase

This is a frequently used module, as it offers convenient „cloud processing“. However, its main tasks seem to be Analytics and Ads: Firebase Analytics is the core component, and Admob is also part of Firebase.

• Firebase data is stored outside EU (it's cloud storage/hosting plus Analytics, Ads (Admob integration), CloudMessaging (FCM) plus more) and not covered even by Privacy Shield (see here), whatever good that would do.
• Firebase TOS obliges the dev to not transmit PII (section 7: privacy; the use policy explicitly requires to get an opt-in from the user). It doesn't, however, disclose what data is collected. Some is mentioned on its help page on data collection („e.g., Android Advertising ID”, but also device model, geography, app opens, app updates, in-app purchases), others with their help page on automatically collected user properties (age, gender, interests, language, app version, country, device type/brand/model). Seeing this it's rather questionable how that corresponds with „not transmitting PII”: given the specific age, gender, interests, language and location narrows down things quite a lot. Some things are always tracked automatically.
• Firebase can be connected to Google Analytics.
• Firebase can be used to send ads to your notifications, even while the app is in background.
• mobile apps leaking sensitive personal and business data from unsecured Firebase databases

---

Flurry Analytics

Analytics should help developers understand how their apps are used, so they can make them even better. Flurry offers a really deep analysis – at the cost of your privacy. It doesn't even stick to the app in question, but also sniffs on the outside: what other apps are there? how often do you call them? Usually, the user is not informed on the details of those actions, neither of what data will be shipped off-device.

What's worse: Flurry is also active in the advertising sector (hint: Flurry belongs to Yahoo). So there's more than just a theoretical danger of being observed cross-app (and maybe even cross-device) – and of someone building up a profile on you and sell those data to other parties. For details, please read:

• Flurry: An Affront to Privacy (4/2014)
• Termsfeed: Privacy Policy for Flurry

Information collected by Flurry:

These a.o. include all of your screen views and clicks within the app, plus OS version, unique phone identifiers, your location. It further seems to track when you launch and use any app on your device, even those that do not use Flurry. Flurry shares aggregate information about your behavior across all apps with all its customers, not just the ones whose apps you agreed to install.

In order to opt-out it seems you first have to create an account with them (the page asked to log-in), and then provide them with your device ID. Which in other terms means: now they can even connect your device to you, by the details provided at account creation. Not sure what affect that opt-out does, as the introduction did not include those details and I didn't dare to create an account.

Permissions required/used by Flurry:
INTERNET ACCESS_NETWORK_STATE WRITE_EXTERNAL_STORAGE ACCESS_FINE_LOCATION

---

Google Analytics

Many websites carry it, and many Android apps as well. Allows the developers deep insights on how their applications perform, which is a good thing. But it also collects a lot of personal data. Considering who stores them, they make very good profiles – especially of Android users having a Google account in use. LunaMetrics describes how to perform collecting, „advanced tracking“ and targeting with Google Analytics.

Google Analytics e.g. uses „persistent cookies“ to track you around the web (see Google Analytics EU Cookie Law for details). While cookies apply to browsers, on Android there are other means. As the module doesn't request permission to access the device ID, it probably uses the Advertizing ID (see: Android Identifiers: How Android devices and their users are identified), which you could reset from time to time. The abuse of privacy through Google analytics has resulted in litigation in the EU (see: Investigations into Consumers Preferences Concerning Privacy: An Initial Step Towards the Development of Modern and Consistent Privacy Protections Around the Globe, 2014, page 6).

If you think of some „Payback“, take a look at the article How to Sanction Google for their Aggressive Behavior. The suggestions might not be all for you, but give you some ideas nevertheless.

Permissions required/used by Google Analytics:
INTERNET ACCESS_NETWORK_STATE

---

MixPanel

Mixpanel modules often, next to „anonymous metadata“, also collect a bunch of personal details. This can include your mail address, full name and health details in a diabetes app. Though fixed now, between 3/2017 and 2/2018 data sent could even include passwords (also see here. Of course, this might not all be Mixpanel's fault; app developers also have their share in how they've set it up. Though that certainly does not apply to the password harvesting – which rather implies the SDK actively harvests „some data“ via a feature called „AutoTrack“. That might indeed be a mistake without malicious intent – but who knows what else is slurped up that way?

Mixpanel's privacy policy is even more vague as Google's on what data is collected. It's a rather long text with few details to grasp.

Further see:

• Tracking company Mixpanel knows who you are... yes, you specifically
• Mixpanel was found in adverse context many times at security-expert Mike Kuketz' Kuketz-Blog.DE

Permissions required by MixPanel:
INTERNET ACCESS_NETWORK_STATE BLUETOOTH

---

Sense360

… uses the mobile sensors built into smartphones to understand a user’s location and activity. We have trained our algorithms with millions of real-world consumer examples from GPS, accelerometer, gyroscope, barometer, wifi, ambient light, and many other sensors. This provides us with an anonymous, but highly accurate understanding of where, how, and when people interact with physical locations and businesses.

Our sensor-technology is on nearly one hundred apps and millions of mobile devices in the US. Our panel generates more than a terabyte of sensor data every single day and provides a detailed view of more than 100 million anonymous visits a month. We carefully curate our panel to ensure that it is highly reflective of the general population across geography, gender, ethnicity, age, and household income.

(source)

It is claimed the data is „anonym“. But with that grade of details, it's quite unlikely De-anonymization should be very hard, simply by cross-referencing. True, granularity would be needed for research purposes – but then it should be based on the users opting in by an informed decision. Which is often lacking, as companies do not enforce this but leave the decision to developers (who often ignore it). A stashed opt-out (which is available for Sense360) is irresponsible, as most users aren't even aware of being tracked.

• How Sense360 aims to make mobile data more accessible (8/2015)
  „The platform collects data from the numerous sensors in our phones, whether that’s from our accelerometer, our gyroscope, our GPS or the various other sensors our phone is equipped with. „This data is then processed according to the needs of app developers. They then add a few lines of code to the backend that allows Sense360 to access the raw data collected from the phone. […]
  „With all data anonymous, the developers hope to allay any security and privacy issues that users may have, as it’s impossible to identify users from the data your sensors give off.“
  Comment found on that page: „The thing is, this whole argument around companies like this not knowing who we are based upon the data has been made so many times before, and each time it's actually proved really easy to see who we are from this meta data. And to be honest, that worries me greatly.“
• Data, including health data, are often stored in the cloud (which is the case here as well). And ever so often we see one of those cloud storages hacked.
• Apps 'Constantly' Sending Location Data to Data Monetization Firms (9/2018)
  „The data is being sent to companies that include Reveal, Sense360, Cuebiq, Teemo, Mobiquity, and Fysical. These companies denied wrongdoing, suggested customers were able to opt out at any time, and said that developers are required to inform customers about the data collection.
  „Some of the apps in question do indeed have clear data collection notices when opening them up for the first time, but data monetization firms do not make sure apps are following disclosure policies and not all do.
  „'None of these companies appear to be legally accountable for their claims and practices, instead there is some sort of self-regulation they claim to enforce,' said Strafach.“

With data as sensitive as these, this module must be mentioned here regardless of how the collection is consciously used. It's just too dangerous to collect them without explicit consent.

---

Tealium

According to Exodus Privacy, Tealium collects both PII and non-PII from individuals visiting its website or using its services. They „may make use of, or make such Aggregated Data available to, third parties, in any manner in our sole discretion“. Tealium shares data with service providers, affiliates, partners and affiliated businesses not controlled by Tealium, billing, and when compelled by authorities. Data is retained „for as long as needed to provide our Services, comply with our legal obligations, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, and enforce our agreements“ – which could as well mean forever (wicked tongues might ask why „provide our Services“ is mentioned separately from „pursue legitimate business purposes“; my answer would be because, again, users aren't asked for their explicit consent).

Tealium was found collecting Facebook user data (4/2018), though their CMO disputes that.

Truth be told, I found several sites claiming Tealium's „enhanced privacy“ – but how much would you believe such a report on a page owned by the ad and tracking industry itself, or one containing five or more trackers? One even claimed that no data would be collected by Tealium – which not even Tealium itself claims.

---

Umeng

Belonging to the Alibaba Group, Umeng is called the Flurry of China, the leading mobile app analytical platform in China, and rival of Tapjoy.

I couldn’t exactly figure out which data it collects, but I guess that updates a remote “application log” via the company’s API at alog.umeng.co/app_log.

In its headers the request contained a X-Umeng-Sdk field with operating system version, app version and smartphone model.

(Manuel D'Orso: Some MiFit app analysis)

There is also an entry in VirusTotal on this domain as a malicious URL. See: h–ps://www.virustotal.com/en/domain/www.umeng.com/information/ Thus we can confirm that the app posts encrypted personal data to a malicious url.

(Analysis: Android SMS Malware (PhotoViewer))

Besides, Symantec rates this module as „high risk“.

However Umeng, a mobile analytics provider, is becoming more and more complex. It has many tools beyond analysis, like statistics, report, SSO, social network share, notification push, advertisement and many other functionalities. So it rather seems to become the „Facebook of China“.

Permissions required/used by Umeng:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE

---

Advertisement

AdMarvel

AdMarvel is owned by Opera. As a Cornelly study found out:

We found that the AdMarvel AdSDK satisfies the WebView-related conditions even on post-4.1 Android, i.e., it allows files loaded by ads to access any file on the device. This enables any ad shown in an AdMarvel-supported app to steal local files from external storage.

Keep in mind that for apps dealing with sensitive content themselves (banking, health etc.), this might include sensitive details (especially from that app itself) you might not wish to be transferred to any third party. Examples can be found in the Cornelly study just quoted (starting at page 9).

So this ad module explicitly exposes users to malicious ads. Note this vulnerability has been patched in recent versions of the AdMarvel and AdMob SDKs (i.e. apps compiled 2017 or later should no longer be affected) – but is possibly still open for Airpush and MoPub.

Permissions required by AdMarvel:

• required: INTERNET ACCESS_NETWORK_STATE WRITE_EXTERNAL_STORAGE
• optional: ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION WRITE_CALENDAR RECORD_AUDIO

---

AdMob

In 2013, a Court Partially Dismisses Google Mobile App Spyware Case, Citing Lack of Damages because „failed to adequately allege that the company's actions damaged them“. Read: not because they weren´t found guilty, but because the court decided it was no material harm done.

The plaintiffs alleged that Google and mobile advertising companies AdMob Inc. and AdWhirl Inc. used code hidden in mobile apps to secretly collect their names, gender, ZIP codes, app activity information, geolocation data, and the universally unique device identifiers of their phones. They also alleged that Google misrepresented that their PII would be anonymized.

Which the court found is as life is today – that is, according to some „social norm“:

The court said the plaintiffs' allegations that the defendants violated their constitutional right to privacy “are not sufficient to allege that the Google Defendants' conduct constitutes an egregious breach of social norms.“

Two years earlier they've also been under fire: Android Faces Lawsuit For Knowing Too Much About The Users (6/2011; Admob):

Google’s Android smartphone has become a Big Brother and knows more about the users, than their family and friends does. A federal class-action lawsuit filed by a Charleston attorney, has alleged Google and Android phone apps of keeping track of user’s personal information and selling them to advertising companies. According to the lawsuit, Android apps keep track of customer’s personal information ranging from his physical location, to his sexual orientation and monthly income.

Also see Characterising User Targeting For In-App Mobile Ads (PDF, 2013) for some insights.

Permissions required by AdMob:

• required: INTERNET ACCESS_NETWORK_STATE
• optional: ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION

---

AdsMogo

Like Leadbolt and AirPush, AdsMogo performs package name obfuscation and generate random package names for different developers to avoid detection (see: here. Its presence in malware apps is twice as high as in non-malware apps. McAfee e.g. reports:

We found that adsmogo and leadbolt are two ad libraries that we found seldom appear without malware.

AdsMogo seems to allow certain malware libraries to stealthily hide themselves, as e.g. reported here. Those apps then stealthily record audio and video, monitor and upload device location, exfiltrate data to remote servers, and more.

---

Airpush

Airpush was especially nasty – as you could not easily determine the app which suddenly popped up ads in unexpected places, such as your device's notification area (disguised as notification) or on your homescreen. To get rid of the culprit, one had explicitly to opt out; either by installing a specific „opt-out app“, or by entering IDs of the affected devices directly on their website.

Permissions required by this ad module suggest they use your device's identifiers (of course to opt you out), but also track your location (surely just to show you ads relevant to the area you're in, with an accuracy of 5m or so – which is why they want your FINE location, i.e. GPS). According to this paper, Airpush a.o. sends AndroidID, phone number, location and SIM operator to its servers.

Also see Details described for AdMarvel on „enabling malicious ads to steal data“.

Further readings:

• Lookout calls out shady Android ad networks (6/2013)
• Mobile ads can hijack your phone and steal your contacts (7/2012)
• Lookout Releases Push Ad Detector To Help Fight Off Airpush, Startapp, LeadBolt, And Other Annoying Ad Networks (2/2012)

Permissions required/used by Airpush:
ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION ACCESS_NETWORK_STATE ACCESS_WIFI_STATE INTERNET READ_PHONE_STATE WRITE_EXTERNAL_STORAGE

---

Avocarrot

Avocarrot is a mediator. According to their Privacy Policy, they collect:

Information about your device, such as the type and model, manufacturer, operating system (e.g. iOS or Android), carrier name, IP address, mobile browser, applications using Avocarrot and the version of such applications, and identifiers assigned to your device, such as its iOS Identifier for Advertising (IDFA), Android Advertising ID, or unique device identifier (a number uniquely allocated to your device by your device manufacturer).

Log information, including the app or website visited, session start/stop time, time zone, language, and network connection type. The geolocation of your device (using GPS or other data), when location services have been enabled for the mobile app or website that uses Avocarrot.

Data is shared with advertisers and customers. It is stored and processed on Amazon servers. And looking at their own servers, they only get rated F (8/2018) for lack of security.

Also see: Mobile Applications and Access to Private Data 11/2017

Permissions required by Avocarrot:
INTERNET [ACCESS_NETWORK_PERMISSIONS]

Additionally, Avocarrot uses location data when accessible by the host app.

---

Burstly

The Fireye report security reimagined names Burstly, now a subsidiary of Apple, as one of the most aggressive ad libraries. According to the report Burstly a.o. collects Age, Number of children, Education, Ethnicity, Gender, Height, Income, Users’ interests, Location, Marital status, Sexual orientation, Political affiliation, ZIP code.

Judging by the permissions, that list seems to be far from complete and most likely also includes unique device identifiers and more. Symantec marks it as „potentially unwanted app“, and in its details fills the gap – saying Burstly sends device information such as International Mobile Station Equipment Identity (IMEI), kernel version, phone manufacturer, or phone model details as well as network operator information to a remote location.

Permissions required by Burstly:

• required: ACCESS_WIFI_STATE ACCESS_NETWORK_STATE INTERNET READ_PHONE_STATE WRITE_EXTERNAL_STORAGE
• optional: ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION CALL_PHONE

---

CallDorado

CallDorado supplies CallerID and injects ads there. Mediator for Admob, Facebook, Smaato, inMobi, MoPub, Flurry … According to their „privacy policy“, collect e.g. IP, DeviceID, IMEI, MAC, CallNumbers (in/out) w/ call statistics, location, contact lists, user interactions with ads. Data is shared with „sub-suppliers“ (i.e. the other networks mediated for), and possible other „third parties“ not specified in detail. User implicitly agrees by „using the Services“.

Permissions required by CallDorado:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION WRITE_EXTERNAL_STORAGE RECEIVE_BOOT_COMPLETED READ_CONTACTS WRITE_CONTACTS PROCESS_OUTGOING_CALLS SYSTEM_ALERT_WINDOW

---

Chartboost

When an ad is served through our Online Services, we may collect the following from your end users' devices: bundle ID, language ID, operating system version, device model, software developer kit (SDK) version, unique device identifier, IP address, and Media Access Control (MAC) address. In addition, when an end user accesses a video ad, we may collect additional stats about videos and video playback such as: start/boot-up information, amount played/session length information, memory on device used for our video cache, videos cached on a device and complete view event. We identify an end user’s device using Chartboost’s internal device ID, which is linked to an end user’s Apple IDFA, Google Advertising ID (GAID), or Android ID, as applicable.

[…] We also receive information about end users from advertisers or advertising services companies such as mobile device identifiers, IP addresses, website cookie information and usage data. We combine the information we collect about end users with additional demographic, geolocation and interest-based segment data, along with cookie information, from third-party providers.

[…] The information shared with these third parties may be used, among other things, for industry analysis, tracking ad conversions or demographic profiling. […] Finally, we may share aggregate or anonymous information about you or your end users with advertisers, publishers, business partners, sponsors, and other third parties.

(source: Chartboost Privacy Policy)

** Permissions required by Chartboost:**

• required: INTERNET ACCESS_NETWORK_STATE
• optional: WRITE_EXTERNAL_STORAGE ACCESS_WIFI_STATE READ_PHONE_STATE

---

DoubleClick

Quoting from Wikipedia:

DoubleClick is often linked with the controversy over spyware because browser HTTP cookies are set to track users as they travel from website to website and record which commercial advertisements they view and select while browsing. DoubleClick has also been criticized for misleading users by offering an opt-out option that is effectively useless. According to a San Francisco IT consulting group, although the opt-out option affects cookies, DoubleClick does not allow users to opt out of IP address-based tracking. DoubleClick and MSN were shown serving malware via drive-by download exploits by a group of attackers for some time in December 2010.

DoubleClick, together with several other advertisers, is also known to not respect users' privacy wishes – as e.g. reported by MediaPost in an article in 8/2016.

• DoubleClick is part of the Google Ads framework.
• Google performs cross-device identification (via Google Attribution) Search Engine Land
• Google connects data to personally identifiable information ProPublica
• Google Attribution integrates information from several Google ad services, including DoubleClick, to evaluate the effectiveness of ads, from search to store visits
• Aggregate data is shared with 3rd parties., Anonymous data is shared with 3rd parties., PII data is shared with 3rd parties., Sensitive data is shared with 3rd parties. Ghostery
• the DoubleClick cookie ID—which tracks a user’s activity on the third-party webpages—is another purportedly “user anonymous” identifier that Google can associate to a user’s Google account. It works when a user accesses a Google application in the same browser in which a third-party webpage was accessed previously. Study

Also see:

• DoubleClick (Google): What is it and what does it do? at The Guardian.
• More details on DoubleClick at Exodus Privacy

Permissions required by DoubleClick:
INTERNET ACCESS_NETWORK_STATE

---

inMobi

inMobi has a history of intruding privacy – be it annoying popup ads, or tracking your whereabouts. You should definitely keep your fingers off apps using inMobi while having access to your microphon and/or calendars. Background readings:

• Track or treat? InMobi’s location tracking ignored consumers’ privacy settings (6/2016)
  follow-up: A deep dive into mobile app location privacy following the InMobi settlement (8/2016)
• Firm pays 0,000 penalty for using Wi-Fi signals to secretly track phone users (6/2016)
• A deep dive into mobile app location privacy following the InMobi settlement (8/2016)
• The Gory Details of Mobile Ad Tracking (8/2016)

According to A Measurement Study of Tracking in Paid Mobile Applications, inMobi is one of the two ad networks collecting most user data. Further, Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission (2014, PDF) reports it collecting WiFi APs in reach and sending those data home.

In addition, Is Smartphone App Privacy Groundhog Day for Regulators? notes:

More alarming were two other ad libraries, mOcean and Inmobi, that were able to make phone calls from users’ phones without any prior interaction with the user. Inmobi could also send SMS texts without notifying the user.

Investigating User Privacy in Android Ad Libraries points out:

The mOcean and Inmobi ad libraries contain functionality to start phone calls and add events to a user’s calendar without user interaction. Additionally, mOcean can send SMS messages without user interaction. These largely undocumented “features” are quite alarming.

Permissions required/used by inMobi:

• required: INTERNET ACCESS_NETWORK_STATE
• used if available: ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION ACCESS_WIFI_STATE CHANGE_WIFI_STATE READ_LOGS VIBRATE RECORD_AUDIO WRITE_EXTERNAL_STORAGE ACTIVITY_RECOGNITION READ_CALENDAR WRITE_CALENDAR

---

LeadBolt

Like Flurry, this one was known for ads appearing out of context – e.g. as popups, in the notification bar, as icons on the desktop. At the same time the boss of LeadBolt says „his company takes privacy seriously“ (to me that looks like a missing comma: „takes privacy, seriously“, i.e. away). Furthermore, quoting Hyphenet (emphasis mine):

AirPush and Leadbolt have gained quite a poor reputation for their “aggressive marketing practices,” which include placing ads to the notification/status bar, placing ad-enabled search icons on your mobile desk, and collecting user information.

Which confirms my suspicion. McAfee remarks:

We found that Adsmogo and LeadBolt are two ad libraries that we found seldom appear without malware.

Even more cause for caution – though it admits exceptions. LeadBolt is the worst offender when it comes to invading your privacy. In the same report: 50% of the time, LeadBolt is associated with Malware.

Permissions required by LeadBolt:
INTERNET ACCESS_NETWORK_STATE

In addition to information available via those two permissions, LeadBolt encourages developers to also transmit e.g. age and gender of their users. I'm not sure whether it also transmits additional information made available by its „host app“ and the permissions available to that.

---

LiveRail

LiveRail belongs to Facebook, and serves video ads. Q3 2014 Internet & Digital Media Market Snapshot points out:

[LiveRail] Drives user engagement and ad revenue by combining Facebook's collection of user data with LiveRail's targeting technology.

Facebook seems to combine here, suggests a Study on future trends and business models in communication services:

We do note that Facebook uses three types of advertising platforms: LiveRail specialises in video ads, Atlas focuses on cross-device advertising, and Audience Network allows advertisers to run Facebook ads on other mobile apps.

According to this report, LiveRail was shut down in 2016 – though it's still reported as if alive in 11/2017 (but their hosts no longer resolve).

---

Millennia Media

Data Mining Mobile Devices, page 71:

Millenia Media´s MYDAS technology engine leverages unrefined user data and aggregates it into actionable audience profiles based on key behavior, location and content trends. These profiles, when coupled with multiple layers of mobiles data, create specific and targetable audiences for advertisers via app.

According to A Measurement Study of Tracking in Paid Mobile Applications, Millennia Media a.o. collects your location, AndroidID, IMEI, OS build info, connectivity info, operator info.

Permissions required by Millennia Media:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE ACCESS_FINE_LOCATION WRITE_EXTERNAL_STORAGE NFC BLUETOOTH WRITE_CALENDAR VIBRATE RECORD_AUDIO

---

Mobclix/Axonix

MWR Security revealed that a one-off app it built sent text messages from the user's phone, their call log and contacts' details to an advertising company called MobClix, which has not responded to comment requests.

(Android app permissions silently duplicated to advertisers)

That is, if the host app has requested the corresponding permissions. The Addon itself, according to instructions, doesn't explicitly require them. Moreover, Mobclix is reported to give running ads access to smartphone data/APIs.

Mobclix was renamed to Axonix around 2014.

Permissions required by Mobclix:
INTERNET ACCESS_NETWORK_STATE

---

MobFox

MobFox belongs to Matomy. It also absorbed mAdserver. From MobFox's Terms of Service:

Matomy collects personal information from mobile applications and devices, subject to permission, such as your gender, age, location and other attributes. Further collected data includes your device attributes (such as model, make, device agent details, device ID) and traffic/session information, including session durations, IP address and additional activity information. Matomy may use additional users’ statistical analysis-driven data, such as your age group, areas of interest and general location.

Matomy uses this information to analyze trends, understand users’ activities and gather demographic information to enable, manage and develop its interest-based ads related services, and share data with affiliates and business partners.

Matomy retains your information in accordance with Matomy’s legitimate business purposes for processing the information. Thereafter the data is removed, archived for restricted legitimate interests, or anonymized. Non-identifying information may be kept without time and use limitations.

They offern an opt-out and speak of „anonymizing PII“ – but as usual, an opt-in and not collecting PII in the first place would be the better privacy choice.

Permissions required by MobFox:
INTERNET ACCESS_NETWORK_STATE

---

mobileCore

According to MobileAppScrutinator, mobileCore collects and sends AndroidID, IMEI and WiFi-MAC address to their servers in clear-text. Their privacy policy outlines collected information may include

version of the SDK available as part of the Developer Apps that are installed on your users’ device, information regarding their device, their Android advertising identifier and/or IDFA, as applicable, their IP address, their device’s operating system details and Media Access Control (MAC) address and other statistical and technical information […] third parties applications installed on your users’ device, their age and gender

Further it states:

We may share your and/or the users’ information with third parties with whom we have a strategic relationship, such as advertisers. We currently use Amazon Web Services, Inc. servers to process your information.

It also says they store the information „password-protected/encrypted“ – and you can request your data stored there to be deleted, to which they'll comply within 30 days.

Permissions required by mobileCore:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE WRITE_EXTERNAL_STORAGE WAKE_LOCK

---

MobPartner

Owned by Cheetah Mobile – which alone already makes it suspicious. Their RTB Privacy states it collects e.g. names, physical addresses, email addresses, telephone, information stored within your Device and other information you transmit or receive using the Service – but also claims to not share any end-users Personal Information.

As with other mobile optimising businesses like Onavo (which Facebook acquired), products like Clean Master, CM Browser (a light internet browser) and Battery Doctor (a smartphone battery life extending app for iOS and Android) give Cheetah a large trove of data about mobile usage.

Matching this up with MobPartner’s business will give the latter product far greater reach and potential. While Cheetah has already been trying to do this, MobPartner will provide a more effective front end suite of services to utilize this data.

(Cheetah Mobile Buys MobPartner For M As Ad Tech Consolidates, 03/2015)

Cheetah Mobile does not play fair. Many of their apps are bogus. So they claim their app Clean Master drastically improves your mobile's performance. But in two interviews they fail to proof or even explain that „fact“. On the other hand they are fast to discredit competition:

Apus said in July it was taking legal action in China against the company for unfair competition. It claimed that two of Cheetah Mobile's utility apps were misleading users into uninstalling the Apus launcher app by portraying it as more resource-consuming and battery draining than it in fact is. […]

(Chinese app developer Cheetah Mobile throws down gauntlet to mobile advertising platforms, 8/2015)

So don'*t even expect their ads to be fair – and even less their dealing with your data.

Permissions required by MobPartner:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE WRITE_EXTERNAL_STORAGE

---

mOcean

Is Smartphone App Privacy Groundhog Day for Regulators? notes:

More alarming were two other ad libraries, mOcean and Inmobi, that were able to make phone calls from users’ phones without any prior interaction with the user. Inmobi could also send SMS texts without notifying the user.

Investigating User Privacy in Android Ad Libraries writes:

The mOcean and Inmobi ad libraries contain functionality to start phone calls and add events to a user’s calendar without user interaction. Additionally, mOcean can send SMS messages without user interaction. These largely undocumented “features” are quite alarming. […]

From the mOcean ad library, we were able to initiate a phone call to an arbitrary number with no user interaction. An attacker could monetize this exploit by initiating phone calls to 0900 numbers on victims’ devices. We were also able to obtain the device’s location and start the email application with a pre-populated address, subject, and message from the mOcean ad library.

Permissions required by mOcean:

• mandatory: INTERNET ACCESS_NETWORK_STATE READ_PHONE_STATE
• optional: CAMERA CALL_PHONE WRITE_EXTERNAL_STORAGE READ_CALENDAR WRITE_CALENDAR SEND_SMS READ_LOGS ACCESS_FINE_LOCATION

---

Moolah

Moolah seems to belong into the same category as Airpush and LeadBolt, as e.g. Mobile ads can hijack your phone and steal your contacts points out:

Other ad networks Lookout considers aggressive include Moolah Media and Leadbolt, which publish apps for both Android and iOS.

Attack of the covert commercials complements that by:

Lookout, a mobile-security company, has analysed Google's Android ecosystem and spotlighted ten ad providers, including Moolah Media (which did not respond to requests for comment) and LeadBolt, that use one or more monetisation strategies it considers “aggressive”. These include making ads appear outside apps (for instance, in the notification bar usually reserved for a person's text messages); altering mobile desktops and browsers so that, among other things, new icons appear that display ads when they are clicked on; and gaining access to personal information without giving a clear warning.

Permissions required by Moolah:

• mandatory: INTERNET ACCESS_NETWORK_STATE WRITE_EXTERNAL_STORAGE
• optional: ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION READ_CALENDAR WRITE_CALENDAR

---

MoPub

MoPub is a „mediator“, i.e. it acts as a gateway to several other ad networks. Like RevMob, which was already mentioned on this page. MoPub is owned by Twitter. And of course closely interacts with it. You certainly don't wonder that it's tracking you across devices even. How that might work? See the links below.

• Leakage of Geolocation Data by Mobile Ad Networks (10/2016)
• Mobile Advertiser MoPub Faces Privacy Class Action Lawsuit (11/2015)
• Privacy Advocates Freak Out as MoPub Exchange Dips Into Verizon’s (Tracking) Cookie Jar (11/2014)
• Here's How Twitter Can Track You on All of Your Devices (9/2013)
• Mobile Advertising Insights from MoPub & Opera (11/2012)

What data MoPub collects can be seen by an example URL given by the first document linked. To make it clearer, I've split it up:

http://ads.mopub.com/m/ad?v=8: Unencrypted (note the http://)
&udid=ifa:90E*****CC9-4**C-B7B8-6D24*****B54: the device ID (here sanitized)
&id=agltb3B1Yi1pbmNyDAsSBFNpdGUYorkhDA&nv=1.17.2.0:
&q=m_gender:m,m_age:21: gender and age
&o=p&sc=2.0&z=0400
&ll=40.69770885046903,-73.99321115040379: location (longitude and latitude)
&lla=65&mr=1&ct=2&av=2.2.2
&cn=Verizon&iso=us&mnc=480&mcc=311: mobile carrier data
&dn=iPhone7%2C2: device brand/model

Also see Details described for AdMarvel on „enabling malicious ads to steal data“. As an additional risk, MoPub often uses unsafe connections.

Permissions required by MoPub:
INTERNET ACCESS_NETWORK_STATE ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION WRITE_EXTERNAL_STORAGE

---

RevMob

RevMob was caught transferring PII (Personal Identifying Information) without asking for the user's consent, at which place Google even banned apps using their SDK from the Play Store – probably the only reason for their fixing that specific issue. To find out what it accesses, even the developer documentation, you first have to register with your personal details – which is why the permissions list below was posted to a Gist for easier access. Requiring the READ_PHONE_STATE permission suggests they still want to get to your device identifications (IMEI, serial etc.). And so this analysis confirms that AndroidID, IMEI and Device Serial are sent to their servers.

Further readings:

• Google Play removed app due to Revmob (5/2016)
• Lookout calls out shady Android ad networks (6/2013)

Permissions required/used by RevMob:
ACCESS_NETWORK_STATE ACCESS_WIFI_STATE INTERNET READ_PHONE_STATE

---

sellAring

The name essentially says it: this adware replaces your „ring, ring“ by audio ads. A softpedia article describes:

Furthermore, the advertisements played back to the user should stop when the person who's being called answers, but that doesn’t always happen. In some cases, the ad is played during the call, making conversation nearly impossible.

An annoying thing about the post-call sellAring ads is that they remain on screen for over a minute, making the task of making quick phone calls more difficult.

Although sellAring claims that it’s not collecting any user information, in reality, researchers have found that IMEI and MEID are collected. Last, but not least, Android applications bundled with sellAring eat up a lot of the device’s resources.

While I couldn't find which permissions it exactly requires (except for CALL_PHONE and PROCESS_OUTGOING_CALLS), an XDA post points out:

Sellaring is annoying for users and requieres alot of permission which leads to the thing that some users title apps with sellaring as spyware / malware.

---

Smaato

A quick search didn't reveal any horror stories, but a look at the requested permissions might let your hair stand on end:

Permissions required/used by Smaato:
INTERNET ACCESS_NETWORK_STATE READ_PHONE_STATE ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION READ_CALENDAR WRITE_CALENDAR WRITE_EXTERNAL_STORAGE

---

StartApp

StartApp can get quite intrusive: popups, search icon on your homescreen, affecting the performance of your apps… And besides it sends quite a few of your private data home to its makers: IP, AndroidID, carrier, app details, device manufacturer, location, IMEI. So better avoid it.

Permissions required by StartApp:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE

Optional (but „highly recommended for better performance“):
ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION BLUETOOTH RECEIVE_BOOT_COMPLETED

---

Tap for Tap

Again an advertiser that's relatively unknown, and not much to find about. But the permission list is alarming:

Permissions required by Tap for Tap:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION WRITE_EXTERNAL_STORAGE GET_TASKS GET_ACCOUNTS ACTIVITY_RECOGNITION CALL_PHONE WAKE_LOCK GCM

---

Tapjoy

Wired writes:

Networks like Tapjoy and Flurry’s AppCircle pay app publishers for sending traffic, registrations, and in some cases installations to other app publishers.

This means those libraries will unnecessarily eat your data (sending traffic) and might lead to unwanted app installs. Moreover, in 1/2017, TapJoy, AdColony, Chartboost, Vungle, IronSource, InMobi, and others faced a lawsuit for exporting personal data without asking first.

People also experienced Tapjoy adding pictures to their gallery and other nasty stuff.

Only recently (11/2017), Tapjoy stopped collecting the IMEI and removed the READ_PHONE_STATE permission requirement – despite of having already in 11/2014 to have switched to the GAID.

Permissions required by Tapjoy:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE

---

Tencent Social Ads

Of course, this again is all about vast amounts of user data, as officially admitted. How those are acquired can be guessed by the permissions needed. Examples? From the linked article:

If Tencent knows that a user is planning a vacation to the United States in a month’s time, for example, an advertiser can use that information to target campaigns in the weeks leading up to the trip.

Well. That sounds like they respect your privacy, right?

Permissions required by Tencent Social Ads:
INTERNET ACCESS_NETWORK_STATE ACCESS_WIFI_STATE READ_PHONE_STATE ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION WRITE_EXTERNAL_STORAGE RECORD_AUDIO

---

Upsight

According to Threadpost, Heise and others, a lawsuit was filed against a.o. Upsight for violating COPPA (having collected PII of children).

Permissions required by Upsight:

• mandatory: INTERNET ACCESS_NETWORK_STATE
• optional (used if available): ACCESS_COARSE_LOCATION ACCESS_FINE_LOCATION GCM

---

VServ

VServ is not only excessive concerning permissions it officially uses – but also reported to use more than those when found. By the permissions it's known to use, it can safely be assumed aggressively burgling into your privacy:

Permissions required by VServ:

• mandatory: INTERNET
• optional: ACCESS_COARSE_LOCATION ACCESS_WIFI_STATE WRITE_EXTERNAL_STORAGE READ_PHONE_STATE WRITE_CALENDAR READ_CALENDAR CALL_PHONE [USE_CREDENTIALS] WRITE_CONTACTS READ_CONTACTS SEND_SMS
• used secretly when available: ACCESS_FINE_LOCATION

---

YouMi

YouMi has been reported to have secretly sent user data to their servers – even without the app developers knowing. Those data included user information, device IDs, apps installed and more.

Computer Science & Information Technology reports in a study, using their malware vetting system DMIA:

For apps using [the YouMi] SDK, the proportion of malware in is much higher than others. Especially, almost all of the app texts containing youmi.com are judged to be abnormal by DMIA. So we suspect that the issue is in Youmi SDK. We download Youmi SDK from its official website and program a demo app according to its instructions. Then we test this demo with DMIA. And we get a total of 3221 lines information, of which 153 line involving private API. But it had unauthorized network transmission only when starting the app, and the requests at the rest of the time are all normal.

The iRiS project had similar findings:

To verify our concern, we downloaded the library, built a dummy application with it and analyzed the application using iRiS. As we expected, the application exhibited similar behavior to APPs and sent user information to this advertisement service provider. It is worth noting that in the advertisement serving library, the Objective-C class names and method names are all obfuscated to random meaningless strings, probably to thwart the effort of manual analysis.

Though the above was reported on iOS, it's not restricted to that. MalwareTips asks: What can an advertising SDK do to steal your privacy? – and answers it, based upon the YouMi SDK, with a 10 item list, including: get a list of all apps installed, a list of all running processes (what are you doing), which apps you're using right now, which apps you've recently used, gather app usage details, get your location, your device's IMEI, AndroidID, MAC address. So it can track your device across apps and sessions, while collecting information on you.

2019-12-23