By Quentin Palfrey, Nathan Good, Joel Reardon, and Lena Ghamrawi
A new investigation has identified evidence of concerning behavior from Jiguang, a leading mobile developer service provider and mobile big data solutions platform based in China. The publicly traded company, also known as Aurora Mobile Ltd., is covertly collecting personal and potentially sensitive information—including precise location data and lists of all other apps installed and uninstalled.
The investigation shows that Jiguang, through its Android software development kit (SDK), discreetly collects location data and monitors lists of apps installed on users’ mobile devices without their knowledge. Furthermore, users do not need to use the apps that have Jiguang’s Android SDK for this data collection to occur. Jiguang also uses non-standard encryption practices that may expose users’ sensitive data that it is transmitting over the Internet.
Jiguang is a mobile data solutions platform company, providing its clients with an array of analysis-based services. Jiguang’s Android SDK is a large-scale app “push platform,” facilitating apps in sending push notifications. Jiguang claims to have 37.2 billion installations of their SDK, with a monthly active unique device base of 1.36 billion, as of March 2020. Developers integrate this SDK into their apps as a tool to push messages and notifications to users’ devices. Jiguang also provides a visual web console to send notifications and analyze push results.
How It Works
When users install an app that includes Jiguang’s Android SDK, the SDK silently runs in the background. The SDK’s presence is not typically disclosed to users, because it is embedded in the app. The investigation’s testing revealed that data collection occurs automatically and persistently; data is collected whether or not users are actively using the app in question. The SDK’s code begins to run when users unlock the screen of their device, meaning that the app does not need to be used for the collection to occur. Through this functionality, Jiguang can potentially track users by collecting persistent identifiers and information about their device activity, including exactly when new apps are installed and uninstalled on a user’s device.
Our key findings are outlined below. For more details, please refer to our research paper, JPush Away Your Privacy: A Case Study of Jiguang’s Android SDK.
- Jiguang covertly collects users’ location data.
Although the collection of precise location information with user consent is a common practice in mobile apps, the method by which Jiguang collects this information likely violates Google Play’s Developer Policies. Typically, collection of precise location is mediated by the mobile operating system following a user consent prompt, and users can manage apps’ access to this data through the device settings at any time. However, the investigators uncovered evidence of Jiguang collecting precise location information using non-standard mechanisms, such as the media access control (“MAC”) addresses of Wi-Fi routers and Service Set Identifiers (“SSIDs”). The MAC addresses of nearby Wi-Fi routers are a well-known surrogate for location, and one for which there is no specific user control. (Note: since Android 7, apps must request location permission to access this information.)
- Jiguang can persistently monitor users by collecting persistent identifiers.
Another practice observed is Jiguang’s collection of persistent identifiers such as the device’s international mobile equipment identity (“IMEI”) and its MAC address. These are non-resettable, hardware-based persistent identifiers that are permanently associated with a device and cannot be easily removed. This practice raises privacy concerns, as the collection of persistent identifiers provides a permanent means to track users across apps on a device. Users would first need to know which apps leverage Jiguang’s Android SDK before being able to uninstall those apps in order to stop their data from being shared with Jiguang. (Note: Android 10 does not allow access to these persistent identifiers in order to avoid this conduct.)
- Jiguang collects lists of the apps installed on users’ devices.
Through the collection of the names of the apps that users keep on their devices, Jiguang is able to understand what types of apps users are interested in and, in doing so, potentially reveal a tremendous amount of personal information about them: hobbies, health, sexual orientation, religious affiliations, and political leanings can all be inferred from the apps users use. Users are neither aware of, nor have they given informed consent to, Jiguang’s discreet collection of such potentially personal information.
Unusual Encryption Practices
In addition to the practices noted above, the investigation found evidence that Jiguang uses a rare code obfuscation technique and sends data using non-standard mechanisms.
Code Obfuscation Technique
While most apps take steps to protect intellectual property, Jiguang’s data transmission techniques go beyond industry standard obfuscation practices, which caught our attention. The rare obfuscation technique was observed in some versions of Jiguang’s Android SDK and, counterintuitively, had the effect of increasing the size and complexity of the program. This has the effect of impeding our investigation into Jiguang’s SDK and results in less transparency into their behavior.
Use of UDP
The investigation team also observed Jiguang sending JSON-encoded data (including precise geolocation data) to their servers using the User Datagram Protocol (“UDP”) instead of the Transmission Control Protocol (“TCP”), which is the industry standard practice. (Note: the SDK is not using the UDP-based QUIC protocol, but rather plain unencrypted datagrams.)
It is unclear why Jiguang is sending data over UDP datagrams, but it is uncommon to transmit this type of data via UDP, as it is not a reliable method for data transmission. UDP’s typical use is in applications, such as video streaming, where missing data results in a momentary degradation in quality. The use of UDP instead of other industry standard transmission mechanisms also results in Jiguang sending location and other data over the internet to Jiguang’s servers without safeguards to prevent eavesdropping. UDP traffic is also typically not monitored and scrutinized in the same way as TCP traffic during the kind of analysis this investigation conducted.
The investigation observed Jiguang’s Android SDK using its own non-standard encryption to obfuscate data transmitted between a mobile device and Jiguang. In some cases (for example, in a newer version of Jiguang’s SDK) the investigation observed the use of industry standard best practices for encrypting and securing data in transit (i.e., TLS). Nevertheless, Jiguang’s custom and insecure “encryption” was still used for the enclosed data.
In general, custom ad-hoc encryption does not offer a true layer of protection that prevents an attacker from reading the contents of the data while in transit. Here, the investigation team noticed that Jiguang enclosed the encryption key required to decrypt the data alongside the data itself, leaving users’ personal information vulnerable to unauthorized access and use.
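The in-band key problem described above, as an added illustration that is not code from the report or from Jiguang’s SDK: a constructed datagram layout (key || nonce || ciphertext over a SHA-256 counter-mode keystream, both assumptions standing in for the unspecified custom scheme) shows that a passive observer of the UDP payload recovers the JSON-encoded report with no secret at all, while the same cipher with a key kept off the wire gives that observer nothing. The sample record and its values are constructed placeholders.

```python
# Constructed illustration: the datagram layout and keystream cipher are assumptions,
# not Jiguang's real scheme; they model "key shipped alongside the ciphertext".
import hashlib
import json

KEY_LEN, NONCE_LEN = 16, 8

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_json(payload: dict, key: bytes, nonce: bytes) -> bytes:
    plaintext = json.dumps(payload, separators=(",", ":")).encode()
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def build_inband_key_datagram(payload: dict, key: bytes, nonce: bytes) -> bytes:
    """The flawed design: the decryption key travels in the same UDP payload."""
    return key + nonce + encrypt_json(payload, key, nonce)

def build_psk_datagram(payload: dict, psk: bytes, nonce: bytes) -> bytes:
    """Contrast: key pre-shared out of band, so only nonce and ciphertext are sent."""
    return nonce + encrypt_json(payload, psk, nonce)

def observer_decrypt_inband(datagram: bytes) -> dict:
    """A passive observer needs nothing beyond the captured bytes."""
    key, nonce, ct = datagram[:KEY_LEN], datagram[KEY_LEN:KEY_LEN + NONCE_LEN], datagram[KEY_LEN + NONCE_LEN:]
    return json.loads(xor_bytes(ct, keystream(key, nonce, len(ct))))

def observer_decrypt_psk(datagram: bytes, guessed_key: bytes):
    """Without the real pre-shared key the observer gets bytes that are not even JSON."""
    nonce, ct = datagram[:NONCE_LEN], datagram[NONCE_LEN:]
    try:
        return json.loads(xor_bytes(ct, keystream(guessed_key, nonce, len(ct))))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None

def carries_precise_location(record) -> bool:
    """Defender-side triage: flag recovered records that hold coordinates."""
    return isinstance(record, dict) and {"lat", "lon"}.issubset(record)

# Constructed sample standing in for the SDK's JSON-encoded report (placeholder values).
SAMPLE = {"imei": "PLACEHOLDER-IMEI", "lat": 37.8716, "lon": -122.2727, "apps": ["com.example.app"]}
```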
Jiguang’s ability to quietly obtain personal data from app users is disconcerting. The investigation not only revealed that Jiguang’s Android SDK engages in behavior that is prohibited by the Google Play Developer Policies, but also highlighted the non-standard encryption practices Jiguang partakes in. Jiguang’s ability to monitor users raises concerns around the persistent transmission of user data, especially since users are not aware of such practices and have no reasonable recourse to stop this from occurring.
You can read the full technical report published by The University of California at Berkeley’s International Computer Science Institute here or download the report below.