NordVPN transfers data to tracking service (kuketz-blog.de)
49 points by MissBrain on Jan 25, 2019 | 6 comments

my summary (not a native speaker and pasting the full translation was too messy).

The NordVPN app for Android is sending device data to multiple trackers.

It contains all the normal things you probably expect (screen size, manufacturer, UUIDs for advertising, etc.) but also some strangely specific stuff.

This includes sensor data (gyroscope, accelerometer, etc.).

From the JSON sent to "AppsFlyer":

    "sensors":[{"sT":4,"sV":"BOSCH","sVE":[0.015487671,0.022598267,-0.013870239],"sVS":[-0.061203003,-0.059432983,0.04260254],"sN":"BMI160 Gyroscope -Wakeup Secondary"},{"sT":1,"sV":"BOSCH","sVE":[0.6355438,6.844879,7.2422333],"sVS":[0.1184082,6.7634735,7.1632233],"sN":"BMI160 Accelerometer -Wakeup Secondary"},{"sT":4,"sV":"BOSCH","sVE":[0.015487671,0.022598267,-0.013870239],"sVS":[-0.061203003,-0.059432983,0.04260254],"sN":"BMI160 Gyroscope"},{"sT":2,"sV":"Yamaha","sVE":[46.717834,-18.313599,-34.529114],"sVS":[46.717834,-20.56427,-33.029175],"sN":"YAS537 Magnetometer"},{"sT":2,"sV":"Yamaha","sVE":[46.717834,-18.313599,-34.529114],"sVS":[46.717834,-20.56427,-33.029175],"sN":"YAS537 Magnetometer -Wakeup Secondary"},{"sT":1,"sV":"BOSCH","sVE":[0.6355438,6.844879,7.2422333],"sVS":[0.1184082,6.7634735,7.1632233],"sN":"BMI160 Accelerometer"}

Some apps need gyro details to determine if the app is being reverse engineered. The idea being if the device is static and not moving then it is being run in a virtual machine and being inspected.

They want the data, they don’t need it.

This is probably either a ‘grab whatever you can’ or a panopticlick-like strategy though.

thanks, that's actually really interesting!

I can see how it would be useful for invalidating data in analytics, seems like a bad choice of partner for an app promoting privacy though.

As an anti-analysis tool it seems like it's more likely to harm users (API is reporting incorrectly, sensor is faulty, etc.) than slow down reverse engineering much.

I've seen them recommended pretty often in 'best vpn' lists. This is pretty unsavoury if it's true.

I am strangely reassured by the GDPR email I got from my VPN provider. They are in an EU country, so breaking the GDPR will have consequences. They state clearly what they store and what they are required to store. There is an actual company in an actual house and they are in a jurisdiction I understand. No shady parent companies and weird tax schemes to get money from Panama companies.

These kinds of VPN services have always seemed shady to me.
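An added example, not part of any comment above and not NordVPN or AppsFlyer code: a small audit helper that reads the `sensors` array from a captured request body, like the fragment quoted at the top of the thread, and applies the "static device" heuristic described in the replies. Assumptions: `sT` follows Android's `Sensor.TYPE_*` numbering, `sVS` and `sVE` are two readings of the same sensor, the function names are hypothetical, and the third sample entry is constructed.

```python
import json

# Android Sensor.TYPE_* constants matching the sT values seen in the thread
# (assumption: sT uses this numbering; the sensor names are consistent with it).
ANDROID_SENSOR_TYPES = {1: "accelerometer", 2: "magnetic_field", 4: "gyroscope"}

# Constructed sample: two entries copied from the quoted fragment, wrapped in
# braces so it parses, plus one constructed entry with identical readings.
SAMPLE_BODY = '''{"sensors":[
 {"sT":4,"sV":"BOSCH","sVE":[0.015487671,0.022598267,-0.013870239],"sVS":[-0.061203003,-0.059432983,0.04260254],"sN":"BMI160 Gyroscope"},
 {"sT":2,"sV":"Yamaha","sVE":[46.717834,-18.313599,-34.529114],"sVS":[46.717834,-20.56427,-33.029175],"sN":"YAS537 Magnetometer"},
 {"sT":1,"sV":"ExampleVendor","sVE":[0.0,9.81,0.0],"sVS":[0.0,9.81,0.0],"sN":"Constructed Static Accelerometer"}
]}'''


def summarize_sensors(body, epsilon=1e-6):
    """Return one dict per sensor entry found in a captured request body.

    Assumption: sVS and sVE are two readings of the same sensor; the thread
    does not document the field names.
    """
    payload = json.loads(body)
    report = []
    for entry in payload.get("sensors", []):
        first, last = entry.get("sVS", []), entry.get("sVE", [])
        # Largest per-axis change between the two readings.
        delta = max((abs(a - b) for a, b in zip(first, last)), default=0.0)
        report.append({
            "name": entry.get("sN", "?"),
            "vendor": entry.get("sV", "?"),
            "type": ANDROID_SENSOR_TYPES.get(entry.get("sT"), "other"),
            "max_axis_delta": delta,
            # Heuristic from the thread: no change suggests a device at rest
            # or an emulated one.
            "static": delta <= epsilon,
        })
    return report


def device_looks_static(report):
    """True only if every reported sensor is unchanged between readings."""
    return bool(report) and all(r["static"] for r in report)


if __name__ == "__main__":
    for row in summarize_sensors(SAMPLE_BODY):
        print(row)
    print("device looks static:", device_looks_static(summarize_sensors(SAMPLE_BODY)))
```

The two readings copied from the thread differ on at least one axis, so a check of this kind would classify that handset as moving; only the constructed entry is flagged static.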
