How does the Norton Mobile Android app determine another app is sending device info to certain places across the globe as displayed in the Privacy Report?
We are testing Norton Mobile's scan with our Android app and it indicates data is being sent somewhere we think could be inaccurate.
I have passed on your testing to my contact. We will see if there is anything they can add.
yccheok
You seem to be focusing on the email feedback. The permission requests are part of the Android OS that ensures a rogue app does not use your email for malicious purposes. That would not send any information outside the device. And as long as the email address used is to your company's site, that might show up as a destination. Does your company email provider's location match one of the locations shown in NMS?
Hmm, maybe in your case there's traffic hitting a load balancer for Google in India when the scan test is run. Would depend on whether or not the scan is run live or tested once from a single location and then cached.
Nope. We basically talk to
- Google App Engine
- Google SMTP server, for sending user feedback to customer support email.
We did some traffic testing from a network here in Texas, wanted to share our findings.
We ran a test where we grabbed all outbound traffic from an Android device while installing, configuring, and using our mobile app.
Based on the test, there were 3 major endpoints being hit, but these were spread out across about 150 distinct endpoints. We were able to check the endpoints against a group of geolocation databases to pin the IPs to a known (or at least best guess) location.
The grouped endpoints fall into:
- AWS, Virginia
- Google (ads), California
- Crashlytics (error reporting/logging), Massachusetts
Based on the same traffic tests it doesn't look like a traffic scan is done "live" while Norton Mobile runs, instead it reports scan information from the most recent scan (perhaps performed by Norton engineers). Our theory is that when the Norton scan was run, it was done from a location near Chennai, India, and the AWS load balancer in the region is based in Chennai, India. This could result in some traffic appearing to route to AWS in India and some in our primary AWS datacenter in Virginia (USA).
During our testing we saw a very small percentage of traffic to AWS route to an AWS endpoint in Ireland, so it seems to be mostly regional but can jump around based on AWS load balancing.
yccheok, is your app using AWS as well?
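The grouping step described in the post above, as an added example that is not part of the original thread: destination IPs from a capture are mapped to a provider and region by longest-prefix match, then summarized by share of traffic, with regions outside the expected set flagged. The lookup table, the capture and the expected set are constructed (documentation-only address ranges standing in for the geolocation databases the post mentions).

```python
import ipaddress
from collections import Counter

# Constructed lookup table: RFC 5737 documentation prefixes stand in for
# real geolocation data. These are NOT real provider ranges.
GEO_TABLE = [
    ("192.0.2.0/24", "AWS", "Virginia"),
    ("192.0.2.128/26", "AWS", "Ireland"),  # more specific prefix must win
    ("198.51.100.0/24", "Google (ads)", "California"),
    ("203.0.113.0/24", "Crashlytics", "Massachusetts"),
]
# Longest prefix first, so the first match is the most specific one.
NETS = sorted(
    ((ipaddress.ip_network(cidr), prov, region) for cidr, prov, region in GEO_TABLE),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)

# Assumption: the three groups listed in the post are the expected ones.
EXPECTED = {
    ("AWS", "Virginia"),
    ("Google (ads)", "California"),
    ("Crashlytics", "Massachusetts"),
}

def locate(ip):
    """Return (provider, region) for an IP, or ('unknown', 'unknown')."""
    addr = ipaddress.ip_address(ip)
    for net, provider, region in NETS:
        if addr in net:
            return provider, region
    return "unknown", "unknown"

def summarize(dest_ips):
    """Percent of connections per (provider, region), plus unexpected groups."""
    counts = Counter(locate(ip) for ip in dest_ips)
    total = sum(counts.values())
    shares = {group: round(100 * n / total, 1) for group, n in counts.items()}
    unexpected = sorted(group for group in counts if group not in EXPECTED)
    return shares, unexpected

# Constructed capture: one destination IP per outbound connection.
CAPTURE = (["192.0.2.10"] * 12 + ["192.0.2.11"] * 6 + ["198.51.100.7"] * 8
           + ["203.0.113.20"] * 3 + ["192.0.2.130"])

if __name__ == "__main__":
    shares, unexpected = summarize(CAPTURE)
    for group, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {group[0]}, {group[1]}")
    print("outside expected regions:", unexpected)
```

Repeating the capture from different networks and comparing the summaries shows how much of the regional spread comes from load balancing rather than from the app itself.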
The email permission is a different issue to the Privacy question. As you say, it is an Android permission that is trying to protect the user from an app accessing/using your email.
You need to look into what information is being sent by the ad services. They often gather tracking information that will be sent to servers somewhere. Do you really think Google is not going to gather information from any device it touches?
Our ads are from Google Ads Network and Facebook Ads Network. I'm pretty sure most of them are doing legit stuff. There is no way for 3rd party ads to obtain a user's email without the user's explicit consent.
https://developer.android.com/guide/topics/permissions/requesting.html
In Android, it is impossible to get a user's email without their consent, as getting a user's email requires the READ_CONTACT permission. The READ_CONTACT permission belongs to the dangerous permissions. We need to pop up a proper system dialog to inform the user before they can grant us permission to access their email. Please refer to the screenshot for how the pop-up looks.

It asks "Allow JStock to access your contacts?". This is the dialog from Android OS system itself, and not from our app.
The "Privacy risk" false warning from Norton, and "This app sends email info to Chennai, India", have a huge impact on our app business. Can you kindly review them with your tech team, so that it won't affect our app business for no good reason?
Thank you.
Have you checked the ads in your app to see where they send information? If they are sending information, Norton is not giving false information.
I'm facing the same problem. As far as I know, we don't send data to "Chennai India"!
https://community.norton.com/en/forums/how-report-false-positive-detection-my-published-app
The Norton mobile team should review carefully how they raise such privacy risks, as this has an impact on our app business.
Our app is as follows: https://play.google.com/store/apps/details?id=org.yccheok.jstock.gui&hl=en
I heard from my contacts. They say the methods are proprietary and cannot be shared.
They also suggested, as I did in my last post, that it could be related to whatever ads are in your app. Check with whoever is providing the ads to see what information they share.
I see the same you are seeing.
Is it possible that it has something to do with the Ads provider you are using in your app?
As I said, I'll ask for some help from my contacts.
There's a couple of locations in the US, and one in Chennai, India. The one we're questioning is the one in India.
Here's a link to the app on the Play store: https://play.google.com/store/apps/details?id=com.spiceworks&hl=en

Where is the app saying the data is being sent, and where do you feel it should be going?
I'll see if I can get some help from Norton on your question.
If you want to share the app name, I could test to see that I am getting the same destination for the data.
I spoke with our app developers and we don't think the information is correct, no. They reviewed the libraries used by the app, and their sub-dependencies.
Our hope was to better understand how the endpoints are identified by Norton Mobile. If we find that we're wrong about the information being incorrect we would definitely want to fix it in our app!
Is the information correct or not? An example, if you are using some analytics in your app, you would have to check with the supplier of that function/feature to see where their servers are located.