Malcore Mobile App Analysis

Interesting look at where various apps fall on the privacy scale, conducted by joint Australia/U.S. cybersecurity firm Internet 2.0 / Malcore Team.

Note that the website, apparently unironically, uses Google analytics. :roll_eyes:

And a more detailed report on TikTok:

Some of the details about apps commonly thought of as privacy-respecting are interesting, too. (Not that they aren’t still the best choices for privacy.)

Other analyses and individual app reports: https://blog.malcore.io/archive?sort=new

Yes but…

TikTok is in a war with US-based software. In China, TikTok is less invasive, for example.

I think malcore.io underrates US software like Microsoft, Apple and Google OSes… for telemetry at the device and operating-system level.

Yes, do not use TikTok… but you know.


The first time I read the above line I thought the report was published on TikTok rather than about TikTok.


Lol… I wouldn’t do that to anyone, not even my worst enemy. :rofl:

I think to be even included in any of their metrics is a bad sign!!

I’m suspicious that they rate Facebook as such a low risk when Facebook is high risk even to those who have no Facebook account and have never visited a Facebook page.


I suspect TikTok (or its PRC version/surrogate Douyin) is even more privacy-invasive there.

Agreed!


You may be right; however, it’s educational too. Because, friendly folks… the software tries to educate (only in China) instead of harming and depriving some of the time… it’s like personalized TV. Some selections have an upward elevator and some a fabb around.

I am sorry about the algorithm, but it’s just to describe the power of algorithms in the Internet era of 2023.

Hi, I invented Malcore. I actually wrote the APK analysis and the rule sets. I won’t say my name, but if you look I’m not too hard to find. I can explain why it appears that way.

LONG VERSION:

Malcore APK analysis is based on code analysis, meaning that it has a set of rules that are based on best coding practices in Java. These rules are basically just regular expressions that are run through the decompiled code; it takes those into account when adding to the score (low, medium, high, etc.). It also takes into account the AndroidManifest.xml file: based on what the Android developer documentation says, it adds to the score based on severity from the documentation. Facebook, however, is HIGHLY obfuscated; by highly I mean it’s almost impossible to read. This may have impacted the scoring, due to the high level of obfuscation and since Facebook has an Israeli company that created a packer specifically for them, whereas TikTok is just two apps thrown together that have code from the Chinese version inside the app (I don’t know if you’ve ever seen China code, but it’s pretty bad). Trackers are also taken into account; since analytical trackers, profiling trackers, and location trackers all take the same amount of data (analytical a little less, but still a lot of info), we decided to keep them at the same level and skip the SDK during analysis. So in a nutshell, TikTok just has worse coding practices, more dangerous permissions, and more trackers than the other apps.

TL;DR

I invented Malcore. Facebook is HEAVILY obfuscated by an Israeli packer, which may have played a part in its lower score. TikTok has terrible coding practices, an extreme number of tracker SDKs, and more dangerous permissions than most apps.

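As an added illustration of the three inputs the post above describes (regex rules over decompiled Java, permission severity taken from AndroidManifest.xml, and tracker SDK detection), here is a toy scorer in Python. It is not Malcore's code or rule set: every rule, weight, permission table and tracker prefix is invented for the example, the sample manifest and Java sources are constructed, and the low/medium/high banding thresholds are arbitrary.

```python
"""Toy APK static scorer (added illustration, not Malcore's rule set).

Mirrors the three inputs described in the thread: regex rules over
decompiled Java, permission severity from AndroidManifest.xml, and
tracker SDK package prefixes. All rules, weights, thresholds and
sample inputs below are made up for the example.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Regex rules run over decompiled Java: (rule name, pattern, weight). Assumed.
CODE_RULES = [
    ("cleartext-http", re.compile(r'"http://[^"]+"'), 2),
    ("weak-cipher", re.compile(r'Cipher\.getInstance\("(?:DES|RC4|AES/ECB)'), 3),
    ("world-readable-file", re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)"), 3),
    ("webview-js-enabled", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"), 1),
    ("sensitive-logging", re.compile(r"Log\.[dviwe]\(.*(?:password|token|imei)", re.I), 2),
]

# Permission severity (assumed mapping standing in for a documentation-derived table).
PERMISSION_WEIGHTS = {
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.READ_PHONE_STATE": 3,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.CAMERA": 2,
    "android.permission.INTERNET": 0,
}

# Tracker SDK package prefixes (assumed list). Every tracker kind gets the
# same flat weight, as the post says Malcore does for analytics/profiling/location.
TRACKER_PREFIXES = {
    "com.facebook.appevents": "Facebook Analytics",
    "com.bytedance.applog": "ByteDance AppLog",
    "com.google.firebase.analytics": "Firebase Analytics",
    "com.tencent.mta": "Tencent MTA",
}
TRACKER_WEIGHT = 2

def scan_code(sources):
    """Return {rule: hit_count} for each regex rule over the decompiled sources."""
    hits = {}
    for src in sources.values():
        for name, pat, _ in CODE_RULES:
            n = len(pat.findall(src))
            if n:
                hits[name] = hits.get(name, 0) + n
    return hits

def scan_manifest(manifest_xml):
    """Return the list of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]

def find_trackers(sources):
    """Return tracker names whose package prefix appears in any source file."""
    found = set()
    for src in sources.values():
        for prefix, label in TRACKER_PREFIXES.items():
            if prefix in src:
                found.add(label)
    return sorted(found)

def score_apk(manifest_xml, sources):
    """Combine the three signals into a numeric score and a coarse band."""
    rule_hits = scan_code(sources)
    perms = scan_manifest(manifest_xml)
    trackers = find_trackers(sources)
    weights = {name: w for name, _, w in CODE_RULES}
    score = sum(weights[r] * n for r, n in rule_hits.items())
    score += sum(PERMISSION_WEIGHTS.get(p, 1) for p in perms)  # unknown permission counts 1
    score += TRACKER_WEIGHT * len(trackers)
    band = "low" if score < 5 else "medium" if score < 15 else "high"
    return {"score": score, "band": band, "rule_hits": rule_hits,
            "permissions": perms, "trackers": trackers}

# Constructed sample inputs standing in for a decompiled APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

SAMPLE_SOURCES = {
    "com/example/app/Net.java": '''
import com.bytedance.applog.AppLog;
public class Net {
    static final String API = "http://api.example.invalid/v1";
    void log(String token) { Log.d("Net", "token=" + token); }
}''',
    "com/example/app/Store.java": '''
import com.facebook.appevents.AppEventsLogger;
public class Store {
    void save(Context c) { c.openFileOutput("u", Context.MODE_WORLD_READABLE); }
}''',
}

if __name__ == "__main__":
    import json
    print(json.dumps(score_apk(SAMPLE_MANIFEST, SAMPLE_SOURCES), indent=2))
```

Running the block prints the combined score and band for the constructed app; against a real target the `sources` dict would be filled from a decompiler's output directory rather than built inline. The example also shows why heavy obfuscation depresses a regex-driven score: renamed identifiers and encrypted strings simply stop matching patterns like the cleartext-URL or logging rules, while the manifest and tracker signals are unaffected.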

Wow, that’s very interesting… Thanks, and welcome, @Salty.

I’d like to hear more detail about that obfuscation in Facebook’s app(s) and the company that wrote it; will you be publishing a report on that?

Many of “us” (:wink:) here love to hate on Meta’s privacy abuses, and take measures to block their spying, including this.

And, of course, privacy in computing and mobile is why we forum-members (from multiple countries) are here in the first place. We frequently pull in articles and sites for discussion, as I did with Malcore.

Thanks for the welcome; sometimes I get egotistical and Google myself, and that’s where I found this, lol.

As for the FB obfuscation, if I do end up writing a report on it, it’ll go into the tech blog instead of the mobile app blog (here: https://blog.malcore.io/s/malcore-tech-blog) because it’ll be a very deep dive into the obfuscation with entropy, packer signatures, etc. I do not know what company wrote the packer, and I’ll probably never be able to figure it out. The only thing I know is that they’re based out of Israel; you can see signatures that match another packer in an earlier version of FB.

I wouldn’t say that I hate Meta, after doing so much reversing on so many different applications you’d be amazed at what apps are actually extremely sketchy and which ones aren’t. Also thanks for reading the blog, I appreciate it!


Looking forward to reading it!

P.S. I don’t hate Meta for their apps, per se, but for their business practices, their proliferation to every corner of commerce and the digital realm, and for how they’ve affected privacy, especially for people who have never created a Facebook account. (And not only Meta, of course!)

I can respect that. Facebook basically invented data sales; well, they made it a commercial product. I can tell you from experience that the most sophisticated tracker SDKs are ByteDance, Facebook, Tencent, and Google, in no particular order. I say these ones because of the following:

  • Tencent encrypts the data using AES-GCM to prevent pattern recognition on the cipher string, so that you never really know what they’re taking unless you can crack the encryption, which you can’t, so…
  • ByteDance uses a strategy of asking for COARSE_LOCATION in the XML file and using that access to ping cell towers near you and triangulate your location. They also have a cool trick where, if you deny the access, it prompts you for it every 3-10 minutes. It also allows them to do like FB and use cookie tracking. (I actually found out they do cookie tracking not too long ago.)
  • FB uses the strategy of letting you log in and using the login cookies to track history as well as current information. This allows them to gather information without you having to be on their platform. (It’s pretty smart, tbh.)
  • Google likes to use the term “analytics” in order to gather information from both your usage stats and log files. Log files usually contain information pertaining to your phone (like IMEI and SIM info), and this allows them to create your profile. Having said that, Google Analytics is a really good tool, and people use it because there’s not really another option that does what they do to the extent they do it.

You don’t really dislike their business dealings; what you dislike is that there aren’t really any laws on data collection that can’t be loopholed. For example (I’ve heard this was changed, but I’m not sure, so correct me if I am wrong), GDPR only applies to companies that have over 10 people, so if you make a secondary entity where one person works and funnel the information through that, GDPR can’t touch you. Data is basically oil now, and people pay a lot for it.


IMHO, obfuscated code should boost the risk score in proportion to the fraction of the code it makes up.

It might be outside the scope of Malcore, but there is also the problem of the Meta Pixel tool, which has delivered protected patient medical information to Meta, even for non-Facebook users.

There is a potential problem that Malcore will be adopted as a comprehensive measure of risk unless its (reasonably) limited scope is repeatedly made quite clear. (And even then the limitations will be ignored by some.)


You’re assuming that all production code isn’t obfuscated in one way or another. It’s a good idea; I might be able to accomplish something similar by determining the entropy of every file and calculating an average based on the number of files, adding the ones that are at least 1.5x the average, etc.

However this might cause some false positives because decompiled apk code isn’t the original source code. It’s as close as you can reasonably get, but it’s not the original.

As for the measure of risk: there aren’t really any other tools that I’m aware of that perform analysis in the same way. We also have an Android emulator in the works, which will make the analysis full (static and dynamic).

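The entropy heuristic sketched in the reply above (Shannon entropy per decompiled file, the mean across files, flagging files at or above 1.5x the mean), combined with the earlier suggestion to boost the risk score in proportion to how much of the code is obfuscated, as an added Python example. This is not Malcore's implementation: the 1.5 factor is the one mentioned in the post, while the sample files, their names, the boost scale and the fixed random seed are constructed for the example.

```python
"""Entropy-based obfuscation flagging (added illustration; not Malcore code).

Implements the heuristic from the thread: Shannon entropy per decompiled
file, the mean across files, and flagging files at or above 1.5x the mean.
It also reports what fraction of the code base the flagged files make up,
so a caller can weight a risk score by that fraction as suggested earlier
in the thread. Sample files and the boost scale are made up.
"""
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_obfuscated(files: dict, factor: float = 1.5) -> dict:
    """Flag files whose entropy is >= factor * mean entropy across all files.

    Returns per-file entropies, the mean, the flagged file names, and the
    fraction of total bytes that the flagged files represent.
    """
    entropies = {name: shannon_entropy(data) for name, data in files.items()}
    mean = sum(entropies.values()) / len(entropies) if entropies else 0.0
    flagged = sorted(n for n, e in entropies.items() if mean and e >= factor * mean)
    total = sum(len(d) for d in files.values()) or 1
    flagged_bytes = sum(len(files[n]) for n in flagged)
    return {"entropies": entropies, "mean": mean, "flagged": flagged,
            "obfuscated_fraction": flagged_bytes / total}

def risk_boost(result: dict, max_boost: int = 10) -> int:
    """Score boost proportional to the obfuscated fraction (assumed 0..10 scale)."""
    return round(max_boost * result["obfuscated_fraction"])

# --- constructed sample "decompiled APK": readable Java plus one packed blob ---
PLAIN_TEMPLATE = """package com.example.app;
import android.util.Log;
public class {name} {{
    private int counter = 0;
    public void onResume() {{
        counter += 1;
        Log.d("{name}", "resumed " + counter + " times");
    }}
}}
"""
SAMPLE_FILES = {
    f"com/example/app/Activity{i}.java": PLAIN_TEMPLATE.format(name=f"Activity{i}").encode()
    for i in range(10)
}
# A pseudo-random blob stands in for a packed/encrypted secondary payload;
# the fixed seed keeps the example reproducible.
_rng = random.Random(1)
SAMPLE_FILES["assets/secondary.dex.enc"] = bytes(_rng.getrandbits(8) for _ in range(8192))

if __name__ == "__main__":
    res = flag_obfuscated(SAMPLE_FILES)
    print(f"mean entropy {res['mean']:.2f} bits/byte; flagged: {res['flagged']}")
    print(f"obfuscated fraction {res['obfuscated_fraction']:.2f} -> boost {risk_boost(res)}")
```

On the constructed input the single high-entropy blob is flagged and the plain Java files are not. Calling the same function with just one plain file and one packed file flags nothing, because the packed file drags the mean up until 1.5x the mean exceeds the 8 bits/byte ceiling; a mean-relative threshold therefore only works when most of the corpus is unpacked, and the post's own caveat (decompiler output is not the original source) is a further source of false positives on top of that.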

Hi Salty,

Thank you very much for your work and your participation. I am not conversant with Android code or apps. But from my point of view, much has changed compared to programming stuff for computers like desktop PCs or just some scripts…

I am just a dude with an interest in privacy and the kind of invisible policy of code and algorithms. So I trusted Shoshana Zuboff and her inside views (talking to employees of big tech companies).

Today I have gone a step further and am worried whether there is some larger interest besides the capital one, or whether there is just some kind of unlucky attack surface in privacy and behavior, between the lines. Shoshana Zuboff thinks there is a shift… and a German author wrote about an invisible (cyber/information) war.

Not sure what it is all about. Likely everyone, even the users, has some kind of benefit that explains why they (don’t) buy and share too much information this way with (un)free applications.

I am with Shoshana: we are likely killing our democracy in a slow way, like (many) do to starve their/our brain(s) over time.

For practice in mobile reversing and security:

It’s too late to join. It’s today and on the 8th of March. I just want to point to some teachers with knowledge whom I like to follow on media. And maybe there is some tool mentioned which could be interesting and was unknown to you.

Thank you for your good work Salty!

Chris

There’s also Exodus Privacy who do a static analysis of Android apps, looking for tracker signatures and permissions. Maybe you could join forces to give us a more comprehensive picture?

https://reports.exodus-privacy.eu.org/en/reports/

IIRC, they do a static analysis only for legal reasons. (I may be wrong about this.)