We are proud to have our next speakers from Exodus Privacy, with an analysis of the behavior of mobile applications and its consequences for our privacy. Thank you.

So hello everybody. I'm going to start by presenting who we are and what we are doing. My name is Guinness, and we will talk about the behavior of mobile applications, especially about the trackers which are inside these applications, and what we are trying to do to make people aware of them.

Who are we? We are a group of French hacktivists, a non-profit organization which was founded in October 2017. We have an undefined number of members: eight to ten active people, but many supporters and people around us speaking and helping us. We collaborate with the Yale Privacy Lab, a research laboratory in the US, and with F-Droid, in order to integrate our reports in the F-Droid application and platform. We also obey some strict legal rules, in the sense that everything we do is legal. For example, we do not decompile applications, since it is forbidden in France except for research purposes, and we are not a research laboratory.

Hello everyone. What is our goal? As Guinness said, it is to make people aware of the tracking which is done by your mobile. How do we do this? We developed a platform called the Exodus Privacy auditing platform. It identifies trackers in mobile applications, just Android applications actually, simply by looking for code signatures. As Guinness said, we cannot decompile applications, so we just statically analyze the APK files and look for signatures; we will give a bit more detail about this in a few slides. The goal of this tool is to really show people and make you understand what is in the Android application. We don't give judgments about it.
We just show what is inside the application so that you are aware of it and you can make your own decisions about this.

Here is an example from the Exodus application: a report about Météo-France, which is the public weather forecast group in France. As you can see, you have some information about the application here: it was downloaded more than five million times. The important part is on the left, sorry, the number of trackers and permissions. The permissions are pretty simple; we just add the levels on the right, which are defined by Google. They have three levels: dangerous, normal and special. On the left is the interesting part as well: the trackers. We say that we just found the code signatures of these ones, and in this case you have 22.

But what is a tracker? Because that's the important part here. A tracker is a piece of software which is meant to collect data about your usage of the application. You have some examples at the bottom, like Google Analytics or Teemo.

On the Exodus application, you can see this report page about a tracker. You can see a couple of pieces of information about the tracker itself: its name, the location, the website. This is Flurry, from Yahoo. And you can see how we detect it: here you have a code detection rule and a network detection rule. If we find this code in the application, we will flag it and say that the tracker is in it. Here you can see that there are currently 8,220 reports of applications with this tracker.

But how do we do this in detail? Thank you. Basically, what we are doing is some static analysis of the APK. We just list the Java classes which are embedded in the APK with a tool called dexdump, which is provided by Google, and then, thanks to the code signatures, which are regular expressions,
we match them against the Java classes we have found.

The tools we are using in the platform: we have gplaycli, a tool which allows us to download the APK directly from the Play Store from the command line. We use Androguard, a tool which allows some analysis and work on the APK; we use it mainly in order to detect the permissions required by the application. And we use dexdump to list the Java classes, a tool provided by Google which is open source, so we can check that it works the way we want it to work.

In a small graph it is easy: we have the APK file, which we unzip to list the DEX files, and with dexdump we dump the Java classes. We have our tracker signatures and we match them. What is important here is that we need to know the tracker signatures in order to detect trackers, so we have to build a list of trackers that we know to be trackers. How do we do this? Well, it is mainly people who contribute to it, like: "I have seen something weird on the network," and then I just look and try to find out what it is, where it comes from and which company provides it. The first version of the Exodus platform, when it was created, was broadly just this: dexdump, some sorting, and we match. Thank you.

So we have a couple of tools. The first one we already showed you: the Exodus web platform. You can freely go to the Exodus platform, you can search for reports, you can ask for new reports. An important thing to say is that we don't analyze applications all the time.
We just do it on demand. So if there is a report that you are looking for and it's not in the application, you can simply ask for a new analysis, and in a couple of seconds, maybe minutes, you will have the report with the permissions and trackers.

This is just to show a couple of tools and how it's working: the Exodus core is in Python, the web application is in Django, and we are using a couple of tools to provision our machines and make it automatic.

We have other tools as well to make this more usable for everyone. We have an Android application, which will simply get the list of applications on your phone. For each of them it will get the report and show it to you directly, so you don't have to go to the website. It will directly show the report on your phone, and you can open it and see the details. The Exodus application does not have any tracker, obviously; you can check it on Exodus. It's available on F-Droid and also on Google Play.

There is as well the Exodify extension. Actually it was not done by us; it was done by the community, let's say. It will add the report information directly on the Google Play Store web page, so it's quite convenient: you can directly see the number of trackers and it can give you a link. Directly on the application page you can see the number of trackers on the left. If you click on it, for instance the first one on the first row, it's unknown, and you can directly submit: it will link you to the Exodus web page to submit a new analysis.

There is a last tool we can talk about, which is called exodus-standalone.
Actually, it can be used by Android application developers, because it's also important to know that sometimes the developers are not even aware that there are trackers in their own applications. With this you can statically analyze your application before you publish it: you just give your APK and it will show you the list of trackers and permissions, in text or JSON. An important thing to notice is that it only works on Linux, so it doesn't work on any other platform.

Well, I can just complete: when we created exodus-standalone, we had had some kind of issue. We created some reports for the Qwant application, Qwant being a web search engine, and we found some trackers. They said, "What? We don't have trackers in our applications, we are privacy friendly," and everything. We said, well, the report can't be false, since we found the trackers: the Java classes were embedded. What actually happened is that it was included in an SDK included by Qwant in the application. So sometimes the developers are not aware that they are adding some trackers; they are just using some SDK, or some starter pack of SDKs for new applications, which embed trackers. Eventually we created exodus-standalone for developers to check, when they are writing their applications, that they do not embed some trackers.

Yep, I think you can note that they removed the trackers, really quickly I think, so that could be noted. Yep, I think so.

So what are the first results we've had in like one year and a few months?
As I said before, we created the organization in November 2017, and for now we have identified 152 trackers and analyzed more than 48,000 applications. We helped developers, like Qwant, screen their applications, as I said before, and we also try to provide some advice to developers in order to clean their applications and respect the privacy of the users.

We also did some deeper audits of some applications, like network audits, because what is important is that our method is only a static analysis. So we cannot be sure that the tracker is effectively used by the application: it could be embedded but never called, and then we find it but it is not used. With a network audit you can check if some packets are sent on the network. We did some audits for Baby+; we have a slide for this and I will explain just after what we can find in it. It is quite impressive.

We also provide some statistics on which trackers are the most present in the applications, which are less present, and how many applications we have analyzed. We opened the REST API, which allows you to query for trackers, applications, and the list of all the trackers we have identified. We are also trying to educate people about the trackers, so we created some small videos, which are for now in French and English, and we also have some subtitles. The aim is to have some extremely easily understandable videos, like for your children, and it's quite interesting to see; I don't know how to say it, just look at it.
It's on our YouTube channel and our PeerTube instance, and everything is free and open, for sure.

The most frequent trackers we have identified: Google Firebase Analytics and Google Ads, which are in fifty percent, and then a lot of Google, and then Facebook and other trackers.

As I said before, Baby+: we installed Baby+ on an Android device which had never been connected to Facebook, we launched the Baby+ application and we gave some information like the name of the baby. What we can see on the report is that it goes to graph.facebook.com, the domain which collects data from the trackers, and we can see the gender, the name, whether the baby is breastfed or not, and we know from which application it comes.

Just to finish: we are in the press; we got some big coverage in the first six months. We were helped by the Yale Privacy Lab to get coverage, for instance in The Intercept or The Guardian. We had a nice visit with the CNIL, who will use Exodus for preliminary investigations. We are on brown TV as well, but I think we'll just conclude with some final points.

How do we communicate and how do we make people aware of this, besides our tools? We have stickers; there are some at the entrance if you want some when you leave. Flyers. We have, as we said, channels on YouTube and PeerTube, and obviously accounts on Twitter, Mastodon and Facebook, and we use conferences like today to talk about us.

To finish, what's the future? The first thing is to revamp the reports. We want to make them as user-friendly as we can, because we really want to target everyone. For that we want to make more videos and podcasts as well, to explain tracking on mobile, translate our videos, and really gather more and more motivated people to help us. This just leads me to the next slide: yes, we need help. And yeah, I think any kind of contribution is welcome. It can be in code.
We have, as we talked about, Python, or Java in the Android application. Or as well if you have sysadmin skills. But also if you want to make videos, translate videos, or make any kind of pedagogic content, this is useful for us, or even spread the word. So anything is really useful. You have all the information on the Contribute page, and we have as well a Contact page with all the information if you want to contact us or if you have any questions related to this. I think that will conclude our presentation. Thank you.

Any questions?

Hi, I'm a legal scholar. I have a question. I mean, compliments for your work, this is really great. But shouldn't the apps themselves just be transparent about these things, and shouldn't Google just have a repository of all these things? I mean, they must be scanning the apps statically, dynamically. What is your vision for the future? Where should this transparency be provided? Should your work be necessary in five years?

I think that's a good question. For instance, if you use Yalp, which is a tool to download applications from the Google Play Store without a Google account, they actually integrate Exodus, so you can just activate it in the options and they have the information directly. F-Droid as well is scanning their applications with Exodus before putting them in the store. I think it's hard to answer for Google. I think we'll be happy if they integrate our reports in the Google Play Store.

Yeah, I think our goal is to make people aware of it; we spread the word as much as we can. But yeah, I think the point is to really target developers, because they have to be aware of what they are doing, and at least if they know, if the public knows, then everything is transparent.

Any other question?

Yep. Once a user downloads your report and finds out what trackers and permissions are being used, what should we do next? What's the next step for someone?
Well, there are multiple possibilities. You can, if you want, contact the developer and say: well, I have found this tracker in your application and it seems weird to me, so why is it here? You can ask them to remove it. Or if you don't want to contact the developer, because you know they don't want to remove it, you can use an application which is called Blokada, which acts as a kind of VPN that will block outgoing packets based on detection rules like DNS names. For example, you can say I want all packets going to ads.google.com to be blocked, and they will not go out. Blokada, B-L-O-K-A-D-A. And it's quite impressive: you have some pre-compiled lists of names that can be blocked, which are more or less aggressive; you have some very loose lists and some very aggressive lists, which will block all of twitter.com for example.

Yeah, I think there are a lot of ways. You can as well use the mobile web version of a lot of the applications if you can, because like this you have more control over what you are doing with your browser. You can use another application if there is one which is more respectful of your privacy. But yeah, for instance Qwant, once they were aware, they removed it. Maybe if everyone is communicating about it, everyone will just remove it, who knows. But yeah, it's the decision you have to make: check all your apps and make a decision for each of them.

Do you intend to develop a similar tool for IPA-based applications on iOS?

Yeah, good question. Actually, we cannot do that, because we cannot check the applications because of DRM, so we are not allowed to do it. But that's a really frequently asked question. What we can say is that often the apps are made by the same people, and the trackers which exist on Android exist on iOS, so you can just assume that it's basically the same.

If you have any other question, just come to see us; I think we can discuss outside or after, sorry.
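The detection approach described in the talk (list the Java classes with dexdump, match regular-expression code signatures against them, and use a network audit to tell an embedded tracker from one that is actually talking) can be illustrated with a small script. This is an added example written for this transcript; it is not Exodus Privacy's code and not the project's real signature database. The dexdump excerpt is hand-written in the shape of real `dexdump` output, and the `TrackerRule` entries, the `com.exampleads` package and the observed hostnames are constructed for the example.

```python
"""Toy re-implementation of the talk's static-plus-network detection idea.

Constructed example: the dexdump text below is hand-written in the format of
`dexdump classes.dex` output, and the signature rules are illustrative regexes
chosen for this example, not Exodus Privacy's real tracker list.
"""
import re
from dataclasses import dataclass

# Hand-written excerpt imitating `dexdump` "Class descriptor" lines (constructed).
SAMPLE_DEXDUMP = """\
Class #0            -
  Class descriptor  : 'Lcom/example/weather/MainActivity;'
  Access flags      : 0x0001 (PUBLIC)
Class #1            -
  Class descriptor  : 'Lcom/example/weather/ForecastView;'
  Access flags      : 0x0001 (PUBLIC)
Class #2            -
  Class descriptor  : 'Lcom/google/firebase/analytics/FirebaseAnalytics;'
  Access flags      : 0x0011 (PUBLIC FINAL)
Class #3            -
  Class descriptor  : 'Lcom/flurry/sdk/FlurryAgent;'
  Access flags      : 0x0001 (PUBLIC)
Class #4            -
  Class descriptor  : 'Lcom/example/weather/net/HttpClient;'
  Access flags      : 0x0001 (PUBLIC)
"""


@dataclass(frozen=True)
class TrackerRule:
    name: str
    code_signature: str     # regex over dotted Java class names (static check)
    network_signature: str  # regex over hostnames seen on the wire (network audit)


# Illustrative rules written for this example (not the project's signatures).
RULES = [
    TrackerRule("Google Firebase Analytics",
                r"^com\.google\.firebase\.analytics\.", r"app-measurement\.com$"),
    TrackerRule("Flurry", r"^com\.flurry\.", r"flurry\.com$"),
    TrackerRule("Example Ads SDK", r"^com\.exampleads\.", r"ads\.example$"),
]

# dexdump prints descriptors in JVM form: 'Lcom/pkg/Name;'
DESCRIPTOR_RE = re.compile(r"^\s*Class descriptor\s*:\s*'L([^;']+);'")


def parse_class_names(dexdump_text):
    """Turn dexdump 'Class descriptor' lines into dotted Java class names."""
    names = []
    for line in dexdump_text.splitlines():
        m = DESCRIPTOR_RE.match(line)
        if m:
            names.append(m.group(1).replace("/", "."))
    return names


def static_detect(class_names, rules=RULES):
    """Return {tracker name: [matching classes]} for every code signature that fires."""
    compiled = [(rule, re.compile(rule.code_signature)) for rule in rules]
    hits = {}
    for cls in class_names:
        for rule, pattern in compiled:
            if pattern.search(cls):
                hits.setdefault(rule.name, []).append(cls)
    return hits


def network_confirm(static_hits, observed_hosts, rules=RULES):
    """Split statically found trackers into 'seen on the network' and 'embedded only'.

    This is the talk's caveat in code: a matched class proves the SDK is shipped,
    not that it is ever called; only the network audit shows it is active.
    """
    by_name = {rule.name: re.compile(rule.network_signature) for rule in rules}
    confirmed, embedded_only = [], []
    for name in sorted(static_hits):
        if any(by_name[name].search(host) for host in observed_hosts):
            confirmed.append(name)
        else:
            embedded_only.append(name)
    return confirmed, embedded_only


def audit(dexdump_text, observed_hosts, rules=RULES):
    """Full pipeline: dexdump text + captured hostnames -> report dict."""
    classes = parse_class_names(dexdump_text)
    hits = static_detect(classes, rules)
    confirmed, embedded_only = network_confirm(hits, observed_hosts, rules)
    return {"classes": len(classes), "static": hits,
            "confirmed": confirmed, "embedded_only": embedded_only}


# Constructed hostnames standing in for DNS names captured during a network audit.
SAMPLE_HOSTS = ["api.example-weather.test", "app-measurement.com"]

if __name__ == "__main__":
    report = audit(SAMPLE_DEXDUMP, SAMPLE_HOSTS)
    print(f"{report['classes']} classes listed")
    for name, classes in report["static"].items():
        print(f"  code signature hit: {name} <- {', '.join(classes)}")
    print("  active on the network:", report["confirmed"])
    print("  embedded but silent  :", report["embedded_only"])
```

On the constructed sample, two code signatures fire (Firebase Analytics and Flurry), but only Firebase's endpoint appears among the captured hostnames, so Flurry is reported as embedded but silent, which is exactly the distinction the speakers draw between their static reports and a network audit.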