Australian Council on Children and the Media

Android Software development kits (SDKs) from Jiguang found to perform invasive monitoring of consumers October 21, 2020

US researchers have found that the Jiguang SDK present in a number of Android apps was performing invasive monitoring of consumers.

They said  “ … Jiguang’s SDK is particularly concerning because this code can run silently in the background without the consumer ever using the app in which it is embedded. Moreover, they send sensitive information insecurely over the Internet allowing any eavesdropper to monitor the traffic. We have provided examples of the network traffic generated by Jiguang’s SDKs,along with the use of obfuscation techniques which impede the analysis of software using traditional methods.”

The research team concluded that “While the majority of our previous research efforts focused on SDKs,  specialized in analytics and advertising services, the results of our analysis call for the need of analyzing and regulating the behavior of the whole third-party SDK ecosystem due to their privacy and consumer protection implications”

Read more here

Another piece from Appcensus says:

“While third-party software development kits (SDKs) are meant to make software development easier and less error-prone, the Android ecosystem is full of examples that demand more scrutiny with regard to protecting users’ privacy. Aurora Mobile’s JPush SDK is one such example, providing push notification functionality to developers, but also collecting a variety of sensitive user data through unofficial means (that are likely prohibited by Google’s Play Store policies), and attempting to mask its construction and data transmission techniques.

According to metadata available on the Google Play Store, JPush is embedded in apps that are installed on tens of millions of devices worldwide. Aurora Mobile’s ability to use JPush to harvest user data (not even considering its other offerings, JAnalytics, JMessage, JSMS, and JShare) is therefore vast

Read more here