From: mariasophia@comprehension.com
PSA: How to check Android APKs for ads, trackers & hidden ad-related SDKs
I invested hours in this post so I ask, if you respond, that you try
to add value so that the spent energy is not wasted but is leveraged.
However, I can (and do) make mistakes, so I challenge others to find
them since the whole goal of posting this is to ask you to improve it.
That way, everyone benefits from every action we take in this PSA.
I (almost?) never see ads and it's hard to tell if an app has ads just
by the listing on Google Play Store because some listings aren't honest.
Plus, as you can see from the example below, some apps start off with
no ads, but then ads are added secretly later, without overt notice.
This happened to me, based on a conversation between Andy Burns &
VanguardLH recently, where I wondered why my specific installed version
1.15.2(41) of Activity Launcher
does not show any ads even as billing is disabled on my Android.
They saw ads apparently.
I did not.
Why not?
I (almost?) never see ads, even in apps that "say" they show ads, so my
tests aren't conclusive since my Android phone is set up to not show them.
But how do we know, just by 'looking' at an APK, if it "can" show ads?
Here is my first pass at testing whether an app has ads or not. Activity
Launcher is the test case but not the only one.
1. The first thing I did was search in Muntashirakon App Manager which
tells me for Activity Launcher
Trackers = 0
Where we would look for these strong indicators of ads in the app:
Google Ads
Facebook Ads
Unity Ads
AppLovin
MoPub
ByteDance
The Trackers tab showed none of these strong indicators of ads
No known ad SDKs
No analytics SDKs
No tracking libraries
Note that Muntashirakon AM uses the Exodus signature list so it detects
known tracker packages but not custom or obfuscated ones.
We can get Muntashirakon App Manager from here:
2. In the Shared Libraries tab it tells us:
Shared libraries = 0
That is where we would look for ad related libraries such as:
ads
admob
google.android.gms.ads
facebook.ads
unity.ads
applovin
chartboost
inmobi
startapp
mopub
bytedance
yandex
If any of these appear the app almost certainly contains ad code.
Note: If Shared Libraries = 0, that means no native libraries,
which is normal for many apps. Ad SDKs are usually Java/Kotlin,
not native, so they often do not appear here.
3. In the Activities, Services, and Receivers tabs we would look for:
AdActivity
MobileAdsInitProvider
AdService
InterstitialActivity
RewardedVideoActivity
These components are created by ad SDKs & are strong indicators of ads.
4. In the Muntashirakon AM 'Uses Permissions' tab, we would look for:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
QUERY_ALL_PACKAGES
READ_PHONE_STATE
The existence of these alone do not prove ads exist but if an app has
only these but no ad components it is most likely free of ad SDKs.
5. The next test was Skyica App Finder (which fits next to Muntashirakon
in terms of the most useful apps on Android) where I set the Skyica
'In App Components Analysis' to these mutually exclusive checks:
[x] No ads
[x] No ads/removable ads
Skyica detects embedded ad libraries even if they are not active.
It also checks for in-app-purchase libraries:
[_] No in-app purchases
Skyica detects embedded ad SDKs, trackers & analytics libraries.
Skyica also detects apps that contain any ad-related code.
Important detail: Skyica detects only embedded ad libraries. If the
app developer uses the Google Play Services dependency, the ad code
is usually not packaged inside the app APK. It is resolved at install
time from the system. In that case Skyica sees no embedded ad SDK &
reports 'No ads' even if the app later loads ad code at runtime.
We can get Skyica App Finder from here:
6. The next test was to make use of the Exodus Privacy web site.
The Exodus Privacy web site detects references to trackers, whether
or not it's in the embedded code. This allows the web site to detect
ads even when the SDK is not packaged inside the app APK
Note that Exodus Privacy works differently from Skyica in that regard.
Exodus Privacy detects trackers by scanning for package names & class
signatures inside the APK. If the app APK contains references to ad
sdks such as com.google.android.gms.ads or com.google.firebase.analytics
then Exodus Privacy flags them (even if the actual code is not bundled).
C:\> start msedge https://exodus-privacy.eu.org
a. Press "Check an app"
b. Paste in de.szalkowski.activitylauncher
What's nice is that Exodus Privacy allows checking older versions of
each app to find the definitive last-known-good versions which are
clean of ads & trackers.
From that list the first version with trackers is 2.0.7 from Google Play.
All F-Droid builds remain clean because they are built without Google Play
Services dependencies.
7. The next test was ClassyShark3xodus which analyzes Android apps for:
Trackers (analytics, advertising, profiling SDKs)
Permissions the app requests
It uses the same curated database of tracker signatures as Exodus.
This reports that version 2.1.6 has 3 trackers & 12 permissions.
Clicking the highlighted link for the app name goes to:
This shows Google AdMob, Google Firebase Analytics & Google CrashLytics,
which means tracking SDKs were apparently added after my sub-version.
8. Since I solved problems for a living, there might also be another
step, which is dynamic analysis to catch those apps that slip by.
Since static analysis can miss ad code that is loaded only at
runtime, the next logical test is dynamic analysis of network
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
