Infiltration by Convenience

Date: 2022-11-19

If your mobile app is not tracking user behavior, it likely will cease to exist - soon.

That's just the reality. People have been completely inundated with marketing advertisements. They can only be effectively reached, if you can predict when they would be most receptive.

Well, that's a hard problem to solve. Most smaller companies will outsource the work a third party with analytics and push-notification expertise. The baseline investment is far too high for most developers to justify.

While there are a small number of companies which are competent in this art, there are a plethora of options which don't work. They fail to work - but, at a very low price. It turns out there's a market for such consumers.

When an APP developers decides to enable this feature in their app, they download an SDK from a 3rd party vendor. It's simple..

Download the SDK
(Probably) call a function somewhere in the main.
Modify the permission requirements for the app.

It's that last one that's problematic.

What is the difference between targeted advertisement and corporate espionage?

The latter is cheaper to do, and more profitable.

So that's where were at.

Developers use cheap user tracking SDK's that are getting their primary revenue from private buyers. I'm not talking conspiracy theory here, so let's get more real.

Long Haul Trucker

Let's say you're a long haul trucker hauling goods from ports to inland warehouses. You spend a lot of time on the road. You probably have information, weather, restaraunt needs that are pretty unique. There's probably an app for that.

Someone decides to build such an app that integrates weather, mapping, and rest stop amenity's. Then, they give it away for free. The app likely profits from native ads, or perhaps has a payed option. In it there are a few SDK's which go and fetch such information from 3rd party's. The developer finds such an SDK for free and/or for a small recurring fee. That SDK of course needs location access to accomplish these tasks. It makes complete logical sense for the developer and the user to provide these permissions. And a lot of users might not even care.

So what?

Let's say I want to estimate the US national supply chain logistics to look for critical weak-points. Why? Maybe I am a rival trucking company that wants to destabilize my competitor. If I know where the trucks are going, it's easy to figure out who licenses the warehouses. Or perhaps I am a foreign adversary looking to achieve maximum damage with minimal effort. Or maybe I am a hedgefund trader looking to correlate commodity transfer with economic activity.

Realistically, you only need a small sample to make fairly broad claims for macro economic phenomena.

Modern Day Worker

Productive people have habits and routines. They also have cellphones which charge a lot for fast internet. So companies installed wi-fi's into their businesses.

Every time you connect to that Wi-Fi, any SDK on your phone which has the ability to perform a network operation can reveal your IP address. Generally an IP address is insufficient information, you need ancillary data to get meaning.

That information can come from:

An SDK which requests Wi-Fi name access in permissions.
A malicious virus installed on a phone.
You installed a VPN.
A crowd-sourcing app.
An NMAP scan of the address.
A literal truck with a giant antenna on it driving slowly but in a triangulating pattern.

And you only need one "hit". That is, if 1 person ever associates the IP address by any means - it will be known for all others, usually forever.

Even though (good) ISP's cycle IP addresses. Given that people continue their dailing habits without regard for their IP address, it doesn't take a genius to infer the newly assigned IP addresses in their life.

So what?

If I want to glean some private conversations and/or make drinking friends of people working in a certain industry, I only need to know what Wi-Fi connections they frequent.

Does your outbound IP address come from the NSA? Great, maybe you take your work home with you and put it in a gym locker before going to the office.

Does your IP address come from a corporate research lab? Awesome, where do all those phones go for their Friday happy hour?

Usually there are easier ways to get intelligence. But very unique intelligence may be worth the cost of such sophisticated methods. From cell-phone prototype leaks by engineers drinking on a Friday, to extra-marital reconnaissance.

Home