Hacker News new | past | comments | ask | show | jobs | submit login

my summary (not a native speaker and pasting the full translation was too messy).

the nordvpn app for android is sending device data to multiple trackers.

It contains all the normal things you probably expect, screen size, manufacturer, uuids for advertising etc but also some strangely specific stuff.

This includes sensor data (Gyroscope, Accelerometer, etc)

from the json sent to "AppsFlyer":

    sensors":[{"sT":4,"sV":"BOSCH","sVE":[0.015487671,0.022598267,-0.013870239],"sVS":[-0.061203003,-0.059432983,0.04260254],"sN":"BMI160 Gyroscope -Wakeup Secondary"},{"sT":1,"sV":"BOSCH","sVE":[0.6355438,6.844879,7.2422333],"sVS":[0.1184082,6.7634735,7.1632233],"sN":"BMI160 Accelerometer -Wakeup Secondary"},{"sT":4,"sV":"BOSCH","sVE":[0.015487671,0.022598267,-0.013870239],"sVS":[-0.061203003,-0.059432983,0.04260254],"sN":"BMI160 Gyroscope"},{"sT":2,"sV":"Yamaha","sVE":[46.717834,-18.313599,-34.529114],"sVS":[46.717834,-20.56427,-33.029175],"sN":"YAS537 Magnetometer"},{"sT":2,"sV":"Yamaha","sVE":[46.717834,-18.313599,-34.529114],"sVS":[46.717834,-20.56427,-33.029175],"sN":"YAS537 Magnetometer -Wakeup Secondary"},{"sT":1,"sV":"BOSCH","sVE":[0.6355438,6.844879,7.2422333],"sVS":[0.1184082,6.7634735,7.1632233],"sN":"BMI160 Accelerometer"}



Some apps need gyro details to determine if the app is being reverse engineered. The idea being if the device is static and not moving then it is been run in a virtual machine and being inspected.


They want the data, they don’t need it.

This is probably either a ‘grab whatever you can’ or a panopticlick-like strategy though.


thanks, that's actually really interesting!

I can see how it would be useful for invalidating data in analytics, seems like a bad choice of partner for an app promoting privacy though.

As an anti-analysis tool it seems like it's more likely to harm users (api is reporting incorrectly, sensor is faulty etc) than slow down reverse engineering much.


I've seen them recommended pretty often in 'best vpn' lists. This is pretty unsavoury if its true




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: