Investigating Mobile SDK Event Logging

Many apps take advantage of third-party “event reporting” services, which allow app developers to instrument their apps, such that when users do certain things, this information is logged. This allows the app developers to track exactly what users do with their apps. Prior reporting on this practice has been limited to its existence (i.e., “Facebook is collecting analytics data”), but does not go into what events/behaviors are specifically being reported. Given that we have a large corpus of apps, our goal is to reverse engineer apps to figure out what activities a given app is tracking.

Research goal: First, perform static analysis on mobile app binaries to detect what events get reported to third-party analytics companies. In many cases, this is simply a matter of searching for various string constants that appear near the relevant API calls. Next, we will validate this by running the apps (dynamic analysis), to validate that these events are reported as predicted.

Potential studies:

  • For a given set of apps that contain Facebook’s SDK, what are the names of the events that are logged in a given app, and what do they actually mean?
  • Examining usage of SDKs in the wild: specifically, how often do SDKs access permission-protected resources, as compared to core app code?

Relevant Documents: