Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Jiguang JPush tracker #89

Closed
blaueente opened this issue Oct 30, 2020 · 8 comments
Closed

Add Jiguang JPush tracker #89

blaueente opened this issue Oct 30, 2020 · 8 comments
Labels
tracker Issue about the tracker database

Comments

@blaueente
Copy link

Please add the tracker SDK described here:

https://www.icsi.berkeley.edu/icsi/node/6407
https://www.icsi.berkeley.edu/pubs/privacy/TR-20-001.pdf

Our investigations into Android apps found that Chinese company Jiguang invasively monitors the activity of consumers who install apps that include their SDK. Jiguang’s SDK can collect consumers’ GPS locations, immutable device persistent identifiers, and even the names of all the apps they have installed—including when new ones are added or old ones removed. It does this collection even if the app that contains their code is not used. They send data over UDP sockets with misused cryptography, resulting in consumers’ personal data being trivially vulnerable to eavesdroppers. We observed their SDK communicating with Jiguang in 31 apps.

(note they also use hardcoded IPs, not only DNS hostnames)
@pnu-s pnu-s added the tracker Issue about the tracker database label Nov 1, 2020
@pnu-s
Copy link
Member

pnu-s commented Nov 1, 2020

I checked the code signature cn.jiguang.sdk.jpush and it doesn't catch anything in exodus database

If I look for cn.jiguang.sdk there are 20 reports with this signature

@blaueente
Copy link
Author

What about cn.jpush and cn.jiguang ?

@pnu-s
Copy link
Member

pnu-s commented Nov 7, 2020

I found the signature cn.jpush.android according to their documentation:
https://github.com/jpush/jpush-android-samples

Matches 317 reports on exodus

I'll update this tracker profile: https://etip.exodus-privacy.eu.org/trackers/b2909a06-e5d8-470c-a755-a273ab20de04/

@blaueente
Copy link
Author

Thanks for the tracker profile! I did a search before submitting, but could not find the entry, because I searched for "jiguang" and "jpush", not for "Aurora Mobile JPush". I added #91 to make this easier in the future.

@blaueente
Copy link
Author

Found that it might submit UDP messages on port 19000 to the following addresses:

s.jpush.cn
sis.jpush.io
easytomessage.com
123.196.118.23
103.229.215.60
117.121.49.100

also in some unknown way to:

im64.jpush.cn
_im64._tcp.jpush.cn
_psis._udp.jpush.cn
stats.jpush.cn

and http to:

http://182.92.20.189:9099/
https://tsis.jpush.cn

@pnu-s
Copy link
Member

pnu-s commented Nov 28, 2020

Tracker added today to exodus! 🎉

@pnu-s pnu-s closed this as completed Nov 28, 2020
@blaueente
Copy link
Author

I checked the code signature cn.jiguang.sdk.jpush and it doesn't catch anything in exodus database

If I look for cn.jiguang.sdk there are 20 reports with this signature

@pnu-s : Is there a way for me to access this database in order to obtain similar statistics?

@pnu-s
Copy link
Member

pnu-s commented Dec 5, 2020

@blaueente Unfortunately this is not possible for the moment. This data is only on our production machines so can only be accessed by an Exodus Privacy member.

What I can offer is to check this data for you, starting with the trackers you created on ETIP.
We know it's not ideal, hopefully some day we can set an easier way to access those but it is not a trivial change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
tracker Issue about the tracker database
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pnu-s @blaueente