JPush Away Your Privacy: A Case Study of Jiguang’s Android SDK

J Reardon, N Good, R Richter, N Vallina-Rodriguez, S Egelman

(2020)

Abstract
Our investigations into Android apps found that Chinese company Jiguang invasively monitors the activity of consumers who install apps that include their SDK. Jiguang’s SDK can collect consumers’ GPS locations, immutable device persistent identifiers, and even the names of all the apps they have installed—including when new ones are added or old ones removed. It does this collection even if the app that contains their code is not used. They send data over UDP sockets with misused cryptography, resulting in consumers’ personal data being trivially vulnerable to eavesdroppers. We observed their SDK communicating with Jiguang in 31 apps.

Joel Reardon (1, 3), Nathan Good (2, 3), Robert Richter (3), Narseo Vallina-Rodriguez (3, 4, 5), Serge Egelman (3, 4, 6), Quentin Palfrey (7)

(1) University of Calgary, (2) Good Research LLC, (3) AppCensus Inc., (4) International Computer Science Institute, (5) IMDEA Networks, (6) UC Berkeley, (7) Future of Privacy Forum

University of Calgary, Good Research LLC, AppCensus Inc., International Computer Science Institute, IMDEA Networks, UC Berkeley, International Digital Accountability Council, Berkman Klein Center for Internet & Society, Harvard