Founder of SimpleX Chat - the first chat platform that has no user identifiers of any kind - 100% private by design! Creator of Ajv JSON Validator used by millions of JS applications.
Joined 3 years ago
Cake day: August 10th, 2022
These URIs are references to technical documentation on the Google Android site - they are used in error messages by various libraries.
The presence of the URI in code does not mean that the app communicates with this URI.
Conversely, the absence of the URI in code does not prove that the app does not communicate with any given URI - the URIs can be obfuscated in many ways.
So this scanning technique to discover potential attacks is completely inefficient, and it creates unnecessary work of removing URIs from code, but achieves absolutely nothing to prevent the actual network connection - any malicious app can hide them and make them invisible to the scanning.
Another example would be the simplex.chat domain. While the app contains it in code, the app never communicates with this domain, and it is only used to namespace the links and to allow showing a QR code for people who don’t have the app.
You cannot establish what URIs any given app communicates with by scanning its code - you need to proxy all traffic and monitor all connections that the app makes.
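The comparison the comment above argues for, as an added example that is not part of the original comment: hosts found by a string scan of code are checked against hosts actually seen at a monitoring proxy. The code strings, the example.* hosts and the proxy log format are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed strings, as a static scanner might extract them from an app.
APP_STRINGS = [
    'error("See https://docs.example.com/errors/placeholder for details")',
    'val inviteLink = "https://simplex.chat/placeholder"',
    'val server = "https://relay.example.org"',
]

# Constructed proxy log in a made-up format: timestamp, method, host:port.
PROXY_LOG = [
    "2024-01-01T10:00:01Z CONNECT relay.example.org:443",
    "2024-01-01T10:00:07Z CONNECT telemetry.example.net:443",
    "2024-01-01T10:02:30Z CONNECT relay.example.org:443",
]

URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"'<>)]+")
CONNECT_RE = re.compile(r"\bCONNECT\s+([^\s:]+):\d+")

def hosts_in_code(strings):
    """Hosts of every URI literal that a plain string scan can see."""
    hosts = set()
    for s in strings:
        for uri in URI_RE.findall(s):
            host = urlsplit(uri).hostname
            if host:
                hosts.add(host)
    return hosts

def hosts_contacted(log_lines):
    """Hosts the app actually connected to, according to the proxy log."""
    hosts = set()
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def compare(code_hosts, seen_hosts):
    """Split hosts by whether the scan and the observed traffic agree."""
    return {
        "in_code_never_contacted": code_hosts - seen_hosts,  # scan false positives
        "contacted_not_in_code": seen_hosts - code_hosts,    # invisible to the scan
        "in_code_and_contacted": code_hosts & seen_hosts,
    }

if __name__ == "__main__":
    for k, v in compare(hosts_in_code(APP_STRINGS), hosts_contacted(PROXY_LOG)).items():
        print(k, sorted(v))
```

Only the proxy-side set reflects what the app did on the network; the scan-side set is evidence of strings, not of connections.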