Identify new trackers

[U039b]

In https://reports.exodus-privacy.eu.org/reports/37/:

• com/applovin/adview/AppLovinInterstitialAdDialog
• com/avocarrot/sdk/nativeassets/model/NativeAdData
• com/appnext/ads/
• com/inlocomedia/android/ads/AdType
• com/moat/analytics/mobile/aol/NativeVideoTracker
• com/mopub/common/GpsHelper
• com/nativex/monetization/mraid/objects/CurrentPosition
• com/unity3d/ads/android/UnityAds
• com/vungle/publisher/AdConfig
• com/youappi/ai/sdk/YouAPPi
  Why the fuck this application requires org/apache/commons/math3/optimization?

[U039b]

To add a new tracker, follow this schema of description:

### Tracker name
* Website: xxxx
* Comment: xxxx
* Category: [Analytics, Advertising]
* Code signature: `xxx`
* Network signature: `xxx.com`
* Maven repository: `xxx.com`
* Artifact ID: `xxx`
* Group ID: `xxx` 
* Gradle: `xxx`
* Additional links: xxx xxx
* Notes: xxx

[U039b]

AppLovin

• Website: https://www.applovin.com/
• Comment: AppLovin is a mobile advertising technology company that enables brands to create mobile marketing campaigns that are fueled by data.
• Category: Advertising
• Code signature: com.applovin.
• Network signature: applovin\.com
• Maven repository: NA
• Artifact ID: applovin-sdk
• Group ID: com.applovin
• Gradle: com.applovin:applovin-sdk:7.6.0
• Additional links: Crunchbase
• Notes: AppLovin SDK requires Google Ads Identifier com.google.android.gms.ads.identifier.*

Avocarrot

• Website: https://www.avocarrot.com/
• Comment: Avocarrot is a native mobile advertising platform which provides real rewards on mobile apps.
• Category: Advertising
• Code signature: com.avocarrot.sdk
• Network signature: \.avocarrot\.com
• Maven repository: https://s3.amazonaws.com/avocarrot-android-builds/dist/
• Artifact ID: mediation-sdk-nativead
• Group ID: com.avocarrot.sdk
• Gradle: com.avocarrot.sdk:mediation-sdk-nativead:4.7.1
• Additional links: Crunchbase Dev doc
• Notes: Uses Google Ads

NativeX

• Website: http://www.nativex.com/
• Comment: NativeX is the leading ad technology for mobile games.
• Category: Advertising
• Code signature: com.nativex.
• Network signature: mobvista\.com|nativex\.com
• Maven repository: NC
• Artifact ID: NC
• Group ID: NC
• Gradle: NC
• Additional links: Crunchbase NativeX Android SDK Dev doc
• Notes: Acquired by MobVista

[profdiggity]

trying to untangle Baidu location tracking... the maps and location are so closely related in the code I've seen.

Baidu Maps

• Website: https://map.baidu.com
• Comment: Baidu is the Web giant in China, the homegrown counterpart to Google.
• Category: Maps, Location
• Code signature: com.baidu.BaiduMap
• Network signature: map.baidu\.com
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.baidu
• Gradle: NC
• Additional links: Android SDK documentation, iOS SDK
• Notes: "Baidu uses millions of users’ location data to make predictions", New Scientist

WeChat Location

• Website: https://wechat.com, https://weixin.qq.com
• Comment: WeChat is the most popular chat client in China and may become the official app for state identification.
• Category: Maps, Location
• Code signature: com.tencent.map.geolocation|com.tencent.mm.plugin.location.|com.tencent.mm.plugin.location_soso.|com.tencent.mm.plugin.location_google.
• Network signature: map.qq\.com
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.tencent
• Gradle: NC
• Additional links: Reverse-engineered WeChat code
• Notes: "WeChat poised to become China’s official electronic ID system", South China Morning Post

[profdiggity]

A quick note - older versions of Tune tracker use the com.mobileapptracker name for the SDK.

Tune

• Code signature: com.tune|com.mobileapptracker

[profdiggity]

Updates to SafeGraph. Much more detail at https://github.com/YalePrivacyLab/tracker-profiles/blob/master/trackers/SafeGraph.md

SafeGraph OpenLocate

• Website: https://www.safegraph.com, https://github.com/OpenLocate
• Comment: SafeGraph specializes in the collection of physical location data for data mining and analytics. OpenLocate is the SDK announced in 2017.
• Category: [Location]
• Code signature: com.safegraph.|com.openlocate
• Network signature: api\.safegraph\.com
• Maven repository: https://s3-us-west-2.amazonaws.com/openlocate-android/
• Artifact ID: openlocate-android
• Group ID: com.openlocate
• Gradle: com.openlocate:openlocate:1.+
• Additional links: OpenLocate SDK repo, Crunchbase, Stanford economics paper, Washington Post, The Outline
• Notes: SafeGraph collected 17 trillion location markers for 10 million smartphones in November 2016. OpenLocate SDK for Android is MIT/Expat licensed.

[profdiggity]

HyperTrack

• Website: http://hypertrack.com, https://github.com/hypertrack
• Comment: HyperTrack implements live location sharing and activity tracking.
• Category: [Maps, Location]
• Code signature: com.hypertrack.|com.hypertracklive.|io.hypertrack.
• Network signature: trck.at|hypertrack\.amazonaws.com|api\.hypertrack\.com
• Maven repository: http://hypertrack-android-sdk.s3-website-us-west-2.amazonaws.com/
• Artifact ID: hypertrack-live-android
• Group ID: com.hypertrack
• Gradle: com.hypertrack:android:0.4.22:release@aar
• Additional links: HyperTrack SDK repo, Documentation
• Notes: HyperTrack SDK for Android is MIT/Expat licensed.

[profdiggity]

Uber Analytics

• Website: https://uber.com
• Comment: Uber Analytics tracks location and behavior as part of its suite of apps such as Uber, UberEATS, and Uber Driver.
• Category: Location, Analytics
• Code signature: com.ubercab.analytics.|com.ubercab.library.metrics.analytics.|com.ubercab.client.core.analytics.
• Network signature: events.uber.com
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.ubercab
• Gradle: NC
• Additional links: Dissassembled Uber code, Reverse-engineered Uber code
• Notes: Uber acquired map and location startup deCarta, which included data and maps from TomTom.

[profdiggity]

Lisnr

• Website: http://lisnr.com
• Comment: LISNR tracks users via audio beacons in retail outlets, as well as collecting behavioral data on a mobile device. Retailers broadcast a "Smart Tone" on speaker systems and LISNR reacts to the sound.
• Category: [Audio Beacon, Analytics]
• Code signature: com.lisnr.|com.lisnr.sdk.
• Network signature: lisnr\.com
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.lisnr.sdk
• Gradle: com.lisnr.sdk:sdk:5.0.0.+
• Additional links: LISNR demo app repo, "Privacy Threats through Ultrasonic Side Channels on Mobile Devices", Technische Universit at Braunschweig
• Notes:

[profdiggity]

SilverPush

• Website: http://silverpush.co, http://silverpush.com
• Comment: SilverPush tracks users via audio beacons in retail outlets, as well as collecting behavioral and location data on a mobile device. Retailers broadcast a ultrasonic tone on speaker systems and SilverPush reacts to the sound.
• Category: [Audio Beacon, Analytics]
• Code signature: com.silverpush.|com.silverpush.location|com.silverpush.sdk.android.SPService
• Network signature: silverpush\.co|silverpush\.com|54.243.73.253:8080/SilverPush/
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.silverpush
• Gradle: NC
• Additional links: "SilverPush Unmasked" repo, "Privacy Threats through Ultrasonic Side Channels on Mobile Devices", Technische Universit at Braunschweig
• Notes:

[profdiggity]

Shopkick

• Website: https://shopkick.com
• Comment: Shopkick tracks users via "shopBeacon" beacons (Apple iBeacons) in retail outlets, as well as collecting behavioral and location data on a mobile device.
• Category: [Audio Beacon, Bluetooth Beacon, Analytics]
• Code signature: com.shopkick.sdk.api.|com.shopkick.fetchers.
• Network signature: shopkick\.com|shopkick\.de|sdk.shopkick.com
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.shopkick
• Gradle: NC
• Additional links: Shopkick on Github, Shopkick on Anaconda Cloud, Shopkick on Docker Hub, "Privacy Threats through Ultrasonic Side Channels on Mobile Devices", Technische Universit at Braunschweig
• Notes: Shopkick is a very popular shopping app "companion" used by millions. Shopkick has a close relationship with Scandit barcode scanner SDK.

[profdiggity]

Alphonso

• Website: http://alphonso.tv
• Comment: Alphonso listens to audio signals in TV advertisements and is included in games and other apps for children.
• Category: [Audio Beacon, Analytics]
• Code signature: tv.alphonso.service
• Network signature: prov.alphonso.tv|api.alphonso.tv
• Maven repository: NA
• Artifact ID: NC
• Group ID: tv.alphonso
• Gradle: NC
• Additional links: Presentation about TV ads data from Alphonso, "That Game on Your Phone May Be Tracking What You’re Watching on TV", New York Times
• Notes: Alphonso SDK makes heavy use of the Google Admob mediation service.

[profdiggity]

Smaato

• Website: https://smaato.com
• Comment: Smaato is a mobile ad platform that includes video ads.
• Category: [Advertising, Analytics]
• Code signature: com.smaato.soma.
• Network signature: soma.smaato.net|smaato.net
• Maven repository: NA
• Artifact ID: NC
• Group ID: com.smaato.soma
• Gradle: NC
• Additional links: Smaato SDK Documentation
• Notes:

[profdiggity]

Scandit

• Website: https://scandit.com
• Comment: Scandit is a barcode scanner SDK that offers real-time analytics ("scanalytics") to track what barcodes users have scanned and profile users for targeted advertising.
• Category: [Barcode Scanner, Analytics]
• Code signature: com.scandit.
• Network signature: scandit\.com
• Maven repository: NA
• Artifact ID: scanditsdk-android
• Group ID: com.scandit
• Gradle: ScanditBarcodeScanner
• Additional links: Scandit SDK Documentation, "Scandit launches first-of-its-kind barcode scanning analytics", Analytics Magazine, "Shopkick Partners with Scandit to Boost Consumer Engagement with Products in Store", PRWeb, Shopkick Case Study
• Notes: Shopkick is a close partner with Scandit.

[profdiggity]

we need to decide how to handle / untangle Google Maps and Location services as well. At the least, the presence of the location services listener should be considered a tracker.

Google Maps

• Code signature: com.google.android.gms.maps

Google Location Service

• Code signature: com.google.android.gms.location

[U039b]

Inrix

• Website: http://inrix.com/
• Comment: INRIX offers real-time traffic information solutions that help develop traffic data and traffic speed for freeways, highways and arterials.
• Category: Location
• Code signature: com.inrix.sdk
• Network signature: inrix\.com|inrix\.io
• Maven repository: NC
• Artifact ID: NC
• Group ID: NC
• Gradle: NC
• Additional links: Inrix on Crunchbase, Inrix population analytics
• Notes:

[profdiggity]

Signal360

• Website: http://www.signal360.com
• Comment: Signal360 (formerly Sonic Notify) is a leader in proximity marketing via audio beacons and bluetooth beacons in sports stadiums, retail outlets, and vending machines.
• Category: [Audio Beacon, Bluetooth Beacon]
• Code signature: com.signal360.sdk.core.|com.sonicnotify.sdk.core.|com.rnsignal360|
• Network signature: signal360\.com|sonicnotify\.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.signal360.sdk
• Gradle: NA
• Additional links: React Native Bridge for Signal 360 SDK on Github, "Signal360 Is Bringing Sponsor Messaging To NBA Teams And Here’s How To Get Creative With It", Sport Techie
• Notes: Signal360 has partnerships with PlayNetwork, YinzCam, and Coca-Cola Amatil.

[kaputnikGo]

Signal360 use the Manchester decoder for logic 1s and 0s. This is probably similar methodology for other audio beacon companies.
http://ww1.microchip.com/downloads/en/AppNotes/01470A.pdf

[profdiggity]

thanks for the heads up, I'm sure you're right about this being the most common method. Some of these audio beacons use amplitude, but that's very limited (FidZup's method, if we trust the patent applications). Most seem to use frequency and what they call "frequency shift keying", which is slight changes in frequencies for 0s and 1s. Hypothetically, they could do much more frequency shifts within that 18kHz to 20kHz range (LISNR claims up to 22kHz but I don't know of devices that have that capability), and then they could do hex or the alphabet even.

What's unclear to me is how they have enough bandwidth to get complex data across the wire... the amount of time that someone is in proximity to a speaker with their microphone could be very limited.

[kaputnikGo]

one technique is this:
pulses of 1ms, for 32 ms duration == 32 bits
clock pulse (carrier-like) between logic 0 and logic 1 frequency serves as centre freq and start bit.
audio as modulated 1s and modulated 0s
20550 to 21000 for logic 0
21000 to 22000 for logic 1

so if the sdk process hears the carrier frequency it can then start listening for the repeated modulated signals, create a historical cache of recorded signals and then process them for any candidates.
If we assume the signal is unique to time and location then all the sdk needs to do is ping the server with a heard beacon message of a specific type.

[profdiggity]

we should talk off-thread, but that's potentially ~24KB per minute at most? something like that?

[profdiggity]

Byyd (Adfonic)

• Website: http://byyd.com
• Comment: Formerly Adfonic. "Find you target audience using first- and third-party data about users "
• Category: Analytics
• Code signature: com.adfonic.android.|com.byyd.
• Network signature: byyd\.me|byyd-tech\.com|adfonic\.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.adfonic
• Gradle: NA
• Additional links:
• Notes:

Mixpanel

• Website: https://mixpanel.com
• Comment: "Deeply understand every user's journey with instant insights for everyone on mobile and web."
• Category: Analytics
• Code signature: com.mixpanel.android.
• Network signature: api.mixpanel.com|decide.mixpanel.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.mixpanel
• Gradle: NA
• Additional links:
• Notes:

Phunware

• Website: https://phunware.com
• Comment: "Phunware supports every stage of mobile application lifecycle management. Create the ideal mobile application for your business, build and monetize your app’s audience, and create hyper-personalized mobile experiences with our exclusive data."
• Category: Analytics
• Code signature: com.phunware.analytics.
• Network signature: cms-api.phunware.com|phunware.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.phunware
• Gradle: NA
• Additional links:
• Notes:

Gimbal

• Website: https://gimbal.com
• Comment: "Gimbal helps brands and agencies perfect their marketing relevance for consumers using physical-world data."
• Category: Analytics, Location
• Code signature: com.gimbal.android.
• Network signature: gimbal.com|analytics-server.gimbal.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.gimbal
• Gradle: NA
• Additional links:
• Notes:

[profdiggity]

Google Usage Stats

• Website: http://google.com
• Comment: Android app usage statistics.
• Category: Usage Statistics
• Code signature: android.app.usage.UsageStats|android.app.usage.UsageStatsManager
• Network signature: NA
• Maven repository: NA
• Gradle: NA
• Group ID: android.app.usage
• Gradle: NA
• Additional links: Usage Stats, Usage Stats Manager
• Notes:

[kheops2713]

I just came across Segment (https://segment.com), a tracker that happens to be integrated into Mattermost, a self-hostable chat platform that is very popular now in the FLOSS community.

One of their client, whose use of the data looks the most cynical to me: https://segment.com/customers/xo-group

They do seem to be collecting data from Android as well: https://segment.com/docs/sources/mobile/android/. Interestingly enough, their Android client/library (I am not sure what I am talking about) seems to be open source.

[profdiggity]

Thanks. We do have Segment listed as a tracker in Exodus, but it would be great if you could provide more detail in this thread so that we can fill out the tracker profile more completely. Try to take a look at some of the more detailed profiles above, or the ones we did at https://github.com/YalePrivacyLab/tracker-profiles

https://reports.exodus-privacy.eu.org/trackers/62/

[mildis]

NewRelic

• Website: https://www.newrelic.com
• Comment: App usage stats
• Category: Analytics
• Code signature: com.newrelic.agent
• Network signature: nr-data.net|newrelic.com
• Maven repository:
• Artifact ID: android-agent
• Group ID: com.newrelic.agent.android
• Gradle: com.newrelic.agent.android:android-agent com.newrelic.agent.android:agent-gradle-plugin
• Additional links:
• Notes: Requires android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE

[profdiggity]

Changes to Signal 360:

Signal360

• Website: http://www.signal360.com
• Comment: Signal360 (formerly Sonic Notify) is a leader in proximity marketing via audio beacons and bluetooth beacons in sports stadiums, retail outlets, and vending machines.
• Category: Audio Beacon, Bluetooth Beacon
• Code signature: com.signal360|com.sonicnotify|com.rnsignal360|
• Network signature: signal360\.com|sonicnotify\.com
• Maven repository: NA
• Gradle: NA
• Group ID: com.signal360
• Gradle: NA
• Additional links: React Native Bridge for Signal 360 SDK on Github, "Signal360 Is Bringing Sponsor Messaging To NBA Teams And Here’s How To Get Creative With It", Sport Techie
• Notes: Signal360 has partnerships with PlayNetwork, YinzCam, and Coca-Cola Amatil.

[jawz101]

thanks. right now I'm going through that uniq_list file and removing obfuscated portions, google and android classes, and some things that look generally innocuous. Kinda interesting. Finding some stuff I hadn't seen before.

[jawz101]

I just went through and added/updated all of the ones I'd collected info for. Do you all expect to reanalyze the apps for any new trackers that've been identified?

And does the progress bar beside each tracker on the https://etip.exodus-privacy.eu.org site mean it won't be ready until 100% completed?

Is someone going through our entries and making fixes? Like, I know some of the gradle entries I put are probably not always going to be a particular version number and some domains are randomly generated (ex: 234234135.mobileapptracking.com or whatever) so I didn't know if they get a better rule written.

[Manu1400]

Opentracker

• Website: https://www.opentracker.net
• Comment:
• Category: [Analytics]
• Code signature: net.opentracker.android
• Network signature: http://log.opentracker.net
• Maven repository: xxx.com
• Artifact ID: xxx
• Group ID: net.opentracker.android
• Gradle: xxx
• Additional links: Documentation (Android app tracking)
• Notes:

[IzzySoft]

Not sure which of these count as "trackers" (so please don't just copy them over unverified), but all of the below fall into the category "mobile analytics":

Codahale Metrics

• Website: http://metrics.dropwizard.io/
• Comment:
• Category: [Analytics]
• Code signature: com.codahale.metrics
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/com.codahale.metrics
• Artifact ID:
• Group ID:
• Gradle:
• Additional links:
• Notes: "Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment."

Microsoft Azure Analytics

• Website: https://docs.microsoft.com/en-us/mobile-center/sdk/getting-started/android
• Comment:
• Category: [Analytics]
• Code signature: com.microsoft.azure.mobile.analytics
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/com.microsoft.azure.mobile
• Artifact ID:
• Group ID:
• Gradle:
• Additional links:
• Notes: "collect session, device properties, events etc... for your application."

Parse.com

• Website: https://parse.com/docs/cn/android/guide
• Comment:
• Category: [Analytics]
• Code signature: com.parse
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/com.parse
• Artifact ID:
• Group ID:
• Gradle:
• Additional links: https://parseplatform.org/ https://en.wikipedia.org/wiki/Parse_(platform)
• Notes: "gives you access to the powerful Parse cloud platform from your Android app."

Splunk MINT

• Website: http://docs.splunk.com/Documentation/MintAndroidSDK
• Comment:
• Category: [Analytics]
• Code signature: com.splunk.mint
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/com.splunk
• Artifact ID:
• Group ID:
• Gradle:
• Additional links:
• Notes: "gives developers a platform for monitoring their apps' usage and performance."

FlowUp

• Website: https://flowup.io/
• Comment:
• Category: [Analytics]
• Code signature: io.flowup
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/io.flowup
• Artifact ID:
• Group ID:
• Gradle:
• Additional links:
• Notes: "Android SDK to collect performance metrics."

Keen Java Clients

• Website: https://github.com/keenlabs/KeenClient-Java
• Comment:
• Category: [Analytics]
• Code signature: io.keen.client.java
• Network signature:
• Maven repository: https://mvnrepository.com/artifact/io.keen
• Artifact ID:
• Group ID:
• Gradle:
• Additional links: https://keen.io/docs
• Notes: "The Keen Java clients enable you to record data using Keen from any Java application. The core library supports a variety of different paradigms for uploading events, including synchronous vs. asynchronous and single-event vs. batch. Different clients can be built on top of this core library to provide the right behaviors for a given platform or situation."

[kaputnikGo]

Are you still accepting submissions here for new trackers?

[IzzySoft]

@kaputnikGo with the issue not closed, I assumed so 🙀

[jawz101]

I would just ask @uo39b for access to their etip website. I moved all of my submissions into it directly. But it doesn't look like any I did submit were ever officially added which stinks because I have several hundred more I could likely find in here :/

https://raw.githubusercontent.com/jawz101/MobileAdTrackers/master/hosts

[IzzySoft]

@U039b if you're indeed no longer accept submissions here (which I hope is not the case), it might be a good idea to say so (and to close this issue) 😉

@jawz101 feel free to pick my above reported and add them from your side.

[jawz101]

@IzzySoft @kaputnikGo There's a way to get an account on that site by emailing him here

[profdiggity]

Exodus Privacy has new leadership and may just not be aware of this github issue. I can send them upstream via https://etip.exodus-privacy.eu.org but you're right, let's figure out a workflow that works for everyone. Thanks all!

[profdiggity]

also, you can just put these in our YalePrivacyLab repo for tracker profiles, where we're also gathering new info... I will invite all of you as contributors.

[IzzySoft]

@seandiggity I'm not sure if I'll report trackers regularly – but sure it's good to know where to put them, and they hopefully will make their way into Exodus. You also can find my full library list (which not only contains trackers, but all kinds of libraries used in Android apps) in my GitLab repo if you're interested.

Further I'm not sure if I can provide full descriptions as you keep them in your repo. Is it OK to commit partially filled samples? Do you want them submitted directly to your repo, or via PRs?

[U039b]

Hi all!
This issue should be closed since https://etip.exodus-privacy.eu.org has been developed in order to ease and centralize trackers categorization and description.
If you want an ETIP account, feel free to send me an email to [email protected] specifying your desired username + email address and I will send you a temporary password. Once registered, you will be able to freely contribute to the tracker identification process.

We invite you to share/sync trackers info between ETIP and the Yale Privacy lab repo.

Cheers!

[IzzySoft]

Thanks for the heads-up, @U039b! Waiting for advice concerning "incomplete records" (I can't provide full ones as I've got no idea how to fill the gaps – especially network signature, Maven specifics and gradle; I'm not a dev) and "distribution guidelines". If that's permitted, I'll accept the invitation and share my findings.

Speaking of which: are there any issues with your scanner currently? For several hours now I'm always told to come back later as the queue is filled. Something hanging?

[U039b]

@IzzySoft it seems that some tasks are stuck in the queue, we will investigate ;-)

Regarding ETIP fields, network signature is a REGEX matching domain names (e.g. app-measurement.com) used by a tracker. For the other fields you mentioned, ignore them if you do not know what they mean.

[U039b]

@IzzySoft no more "come back later" ;-)

[IzzySoft]

it seems that some tasks are stuck in the queue

that was my assumtion, too.

no more "come back later"

@U039b just noticed – thanks a lot! 👍 👏 🕺 🤸‍♂️

Regarding ETIP fields, network signature is a REGEX matching domain names (e.g. app-measurement.com) used by a tracker.

Yes, so far I got. But it's domain names the corresponding tracker contacts, right? I've got no idea how to figure that. I'm just performing a basic static analysis of path names on the Smali, which is how I found some hundred libraries – those above trackers among them. So if I want someone else (here: you) to fill the gaps, you'd need a sample? Or could I simply skip this as well?

For the other fields you mentioned, ignore them if you do not know what they mean.

That's good to know! Maybe it would be a good idea to have a simple tutorial on the other repo, for folks like me who know enough to contribute but not enough to make "complete" submissions?

[U039b]

thanks a lot!

You are welcome!

But it's domain names the corresponding tracker contacts, right?

Domain names correspond to the remote servers contacted by the trackers to send collected data. You can find them by analyzing the network traffic of an application which uses a given tracker or by inspecting the binary looking for URLs or domains.

So if I want someone else (here: you) to fill the gaps, you'd need a sample?

Unfortunately, I am a bit busy. Anyway, once you have listed path names (you probably mean Java packages, you will find mode details here) you have to check what packages correspond to a tracker. Then, you can create a new one in ETIP and provide information you have gathered about the tracker.

Maybe it would be a good idea to have a simple tutorial

It would be nice to have tutorials for ETIP and Exodus-core, unfortunately, I do not have time :-/ But anybody can create a tutorial and we will be happy to put it at the right place ;-)

[IzzySoft]

Thanks @U039b – and I know exactly what you mean by "not enough time", as that's my situation, too …

And yes, that's what I meant by "static analysis" – though I use a different tool for it.

[kaputnikGo]

Added basic tracker submission template and first example to the Yale repo with the intention of enabling a quick and easy way to get proper new tracker info into Exodus - https://github.com/YalePrivacyLab/tracker-profiles
And also to figure out the best method to add new trackers to Exodus.

[profdiggity]

That Taplytics profile looks great, thanks. Will make sure these go upstream, so if it's lower barrier-to-entry to submit to the YPL repo that's fine (then there's less reason to bother EP and @U039b for Etip accounts etc. as well).

[kaputnikGo]

Added 8 more taken from here, will keep using the commit summary with "basic tracker" to help ID when they go up in this format. fyi i check the yale tracker list, https://reports.exodus-privacy.eu.org/trackers/ and https://etip.exodus-privacy.eu.org/ before adding them, so hopefully that covers everything.

[jawz101]

@U039b In the past, sometimes when I entered in network signatures and gradle string, I didn't really know the regex pattern to use. Some had version numbers in the gradle files I could find so I didn't know how you put those in to scan on your end. Are you all doing any fixes to our submissions when you see them like this?

example deltaDNA: com.deltadna.android:deltadna-sdk:4.10.0 should actually need to be entered with a wildcard but I didn't know the syntax to wildcard it.

And from their network traffic they follow this pattern:

collect9903crssb.deltadna.net
collect9999rsstn.deltadna.net
engage10059bltbg.deltadna.net
engage10077vpspd.deltadna.net

but I just entered deltadna.net

@IzzySoft as for the extra fields such as

Maven repository:
Artifact id:
Group id:
Gradle:

This is where I just start googling for their developer documentation. That's where it takes a little research. Say, for deltaDNA I would search Google for blahblah sdk.

deltaDNA sdk
There's also sites devoted to junk like this such as programmableweb.com
first result takes me to their developer integration documentation where app developers get instructions on how to add the ad code into their apps.

example documentation

And then I click around until I find the android documentation and search for words like com.deltadna or whatever the code string I found is as well as gradle & maven. Sometimes I get lucky and see a maven repository link or whatever and I write that down
maven { url 'http://deltadna.bintray.com/android'
and then open the url or maybe search Google again example
a lot of them seem to use that bintray site. At this point I click around on this page and find something like this page
https://bintray.com/deltadna/android/deltadna-sdk

has a little thingy at the bottom that says maven and shows

<dependency>
<groupId>com.deltadna.android</groupId>
<artifactId>deltadna-sdk</artifactId>
<version>4.10.1</version>
<type>pom</type>
</dependency>

and a second tab called gradle that shows
compile 'com.deltadna.android:deltadna-sdk:4.10.1'

It was just all guesses to see if I could find what the etip site was looking for and all of these 3rd party companies seem to have these sorts of steps in their documentation to integrate ads & analytics

[profdiggity]

Added 8 more taken from here, will keep using the commit summary with "basic tracker" to help ID when they go up in this format. fyi i check the yale tracker list, https://reports.exodus-privacy.eu.org/trackers/ and https://etip.exodus-privacy.eu.org/ before adding them, so hopefully that covers everything.

Right, that should. We'll be adding quite a few more to the YPL repo as part of the crowdsourcing I'm doing via Mozilla Open Leaders project.

[jawz101]

Over the past couple of weeks I've done quite a bit of work on the etip site. Filled in a lot of blanks on existing signatures and added maybe 20-40... I can't tell. Anyways, has anyone from the project taken a look at them?

I'd like to fix my mistakes if I did anything incorrect. My main concerns are the format of the regex on the network signatures as well as what we do if the build.gradle entries could have versions. like if com.example.sdk.1.2.3 is what we find, that would assume there are other versions, so would we not use a regular expression to look for the consistent information?

Additionally, do the scans just try to look for at least one of these identifiying bits or if all of the characteristics are there (code signature, network signature, maven & gradle info must all be found or at least one of them must be found?) The reason I ask is because I went into existing entries and added maven repository information if I could find it but it looks like some tracker sdk's give instructions to proguard their code so I wonder if it may mean Exodus may never see that information on which to detect them, thus adding that information may break the detection rule if Exodus identifies a tracker only if all identifying bits are present.

Also, is there a preference to which repository to which volunteers should contribute: etip vs. YPL? It seems like doing things twice.

[jawz101]

fwiw, I've kept adding more and occasionally looked at existing entries. For example, Unity Ads is likely underreporting. After reviewing their developer documentation, a code signature of com.unity3d.ads would just pick up their legacy sdk version. Their newer sdk would be com.unity3d.services.

Now I'm taking a look at some of the apps exodus lists as having no trackers and finding ones missed :P I don't know how to represent some of the situations as there are a lot of companies in the business of sdk's to manage an app's other trackers. As an added bonus, doing so also results in more international companies being found.

Actually, this might be a good practice moving fwd as this filter of No Tracker apps should almost be a representation of "clean" apps, which actually makes it a pretty compelling set of apps to review.

[pnu-s]

Hi @jawz101 !

Over the past couple of weeks I've done quite a bit of work on the etip site. Filled in a lot of blanks on existing signatures and added maybe 20-40... I can't tell. Anyways, has anyone from the project taken a look at them?

Thanks a lot for your work (and sorry for the late reply), it is greatly appreciated by the Exodus Privacy team :). Unfortunately we have not got the time recently to look through the new entries in ETIP and import the data from ETIP to exodus. We plan to work on this and will try to find some time in the coming weeks but this is quite a tedious task.

Additionally, do the scans just try to look for at least one of these identifiying bits or if all of the characteristics are there (code signature, network signature, maven & gradle info must all be found or at least one of them must be found?) The reason I ask is because I went into existing entries and added maven repository information if I could find it but it looks like some tracker sdk's give instructions to proguard their code so I wonder if it may mean Exodus may never see that information on which to detect them, thus adding that information may break the detection rule if Exodus identifies a tracker only if all identifying bits are present.

As it is explained on this page, what we look for is the signature of the tracker. So AFAIK the maven & gradle information will not affect the tracker identification.

Cheers !

[pnu-s]

This issue should be closed since https://etip.exodus-privacy.eu.org has been developed in order to ease and centralize trackers categorization and description.

We are now closing this issue.

If you want an ETIP account, feel free to send an email to [email protected] specifying your desired username + email address and we will send you a temporary password. Once registered, you will be able to freely contribute to the tracker identification process.

Thanks again to everyone contributing to the tracker identification :).
Cheers !