JPush Away Your Privacy: A Case Study of Jiguang’s Android SDK

Title: JPush Away Your Privacy: A Case Study of Jiguang’s Android SDK
Publication Type: Technical Report
Year of Publication: 2020
Authors: Reardon, J., Good, N., Richter, R., Vallina-Rodriguez, N., Egelman, S., & Palfrey, Q.
Abstract:

Our investigations into Android apps found that Chinese company Jiguang invasively monitors the activity of consumers who install apps that include their SDK. Jiguang’s SDK can collect consumers’ GPS locations, immutable device persistent identifiers, and even the names of all the apps they have installed—including when new ones are added or old ones removed. It does this collection even if the app that contains their code is not used. They send data over UDP sockets with misused cryptography, resulting in consumers’ personal data being trivially vulnerable to eavesdroppers. We observed their SDK communicating with Jiguang in 31 apps.

URL: https://www.icsi.berkeley.edu/pubs/privacy/TR-20-001.pdf