Not invented here
Google: "The only one around here allowed to abuse personal data is us".
Infosec researchers at Palo Alto Networks’ Unit 42 threat intelligence unit spotted a pair of prominent Chinese apps leaking personal data, and after it informed Google the ad giant dumped the apps from its Play store. The researchers named Chinese web giant Baidu’s Search Box and Maps as the offending apps, saying collected …
Baidu has a history of tracking users using shady techniques.
I found a hidden Base64 encoded configuration file on the SD card of a friend's Android device that looked to be a unique identifier used for tracking and sharing with other apps that also had access to the SD card.
A quick DuckDuckGo search determined my suspicions were accurate:
https://blog.appcensus.io/2019/08/13/baidu-and-salmonads-saving-imei-on-the-filesystem/
As @stiine comments above, that should be fine from a network perspective, but this would appear to be exfiltration of the data from within the app using Baidu's Android push SDK.
See figure 1 & 2...
https://unit42.paloaltonetworks.com/android-apps-data-leakage/
MAC addresses can go anywhere if software chooses to collect them.
If an app on the device collects the MAC address, it can send it anywhere on the Internet, or save it anywhere it has access to (such as the filesystem), allowing it to access it again in the future (for example to see if it has changed, if the OS is randomising MAC) or share it with another app.
Same applies to any other data the app can access (GPS location data, phone number, IMSI, maybe a serial number for a subsystem such as a camera, contacts). Note that the app privacy policy may tell you about some of this data and claim it is "anonymised" - that just means they don't send the actual data, they send a hash of it which is still unique to you and allows them to correlate with the other data later.
If software on the access point collects the MAC address (almost certain when the wifi is being provided "free"), it can pass the MAC address anywhere on the Internet (such as to the provider of the "free" service) or to the app on your device and can correlate it to other data it has access to, such as DNS lookups and IP addresses you contact, or footfall data about where you go. Who did you think was paying for the free wifi in your local shopping mall? You are, with your privacy.
It is even possible for these to cooperate (particularly if the "free" WiFi service is being provided by someone like Google or Amazon): so that tracking is permanent and ubiquitous, defeating MAC address randomization and keeping a complete record of DNS names looked up, IP addresses contacted, shops and aisles entered and left, with detailed dates/times and traffic details.
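The point made above about "anonymised" identifiers, as an added example that is not part of the original comments: an unsalted hash of a MAC address is the same value wherever it is computed, so two datasets can still be joined on it, whereas a keyed hash under a secret each collector keeps to itself cannot be joined across collectors. The MAC addresses, events and keys below are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def plain_digest(mac: str) -> str:
    # Unsalted SHA-256 of the normalised MAC: same device, same value, everywhere.
    return hashlib.sha256(mac.lower().encode()).hexdigest()

def keyed_digest(mac: str, key: bytes) -> str:
    # HMAC-SHA-256 under a secret held by one collector only.
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()

def linked_records(left, right):
    # Join two datasets on the pseudonym, as any party holding both could.
    index = {}
    for rec in right:
        index.setdefault(rec["device"], []).append(rec)
    return [(l, r) for l in left for r in index.get(l["device"], [])]

# Constructed sample data (locally administered MACs, made-up events).
APP_EVENTS = [("02:00:00:AA:BB:01", "app_open"),
              ("02:00:00:AA:BB:02", "app_open")]
WIFI_EVENTS = [("02:00:00:aa:bb:01", "dns shop.example"),
               ("02:00:00:aa:bb:03", "dns news.example")]

def pseudonymise(events, digest):
    # Replace the raw MAC with whatever pseudonym the collector's digest produces.
    return [{"device": digest(mac), "event": ev} for mac, ev in events]

def count_links(app_digest, wifi_digest):
    # Number of record pairs that still refer to the same device after hashing.
    app = pseudonymise(APP_EVENTS, app_digest)
    wifi = pseudonymise(WIFI_EVENTS, wifi_digest)
    return len(linked_records(app, wifi))

def demo():
    # Both collectors use the bare hash: the shared device is still linkable.
    unsalted = count_links(plain_digest, plain_digest)
    # Each collector uses its own secret key (constructed values): no join key.
    separated = count_links(lambda m: keyed_digest(m, b"app-only-key"),
                            lambda m: keyed_digest(m, b"wifi-only-key"))
    return unsalted, separated

if __name__ == "__main__":
    print(demo())
```

Separate keys only stop linkage between collectors that do not share a key; each collector can still recognise the same device within its own data.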