by Jerry2 2622 days ago
Is there a way to check what trackers/libraries/"kits" an iOS app uses? I don't use many apps on my iPhone and most of them don't have background & location rights so I'm not that worried but would still like to know what they send back...
3 comments

Exodus can detect a number of them: https://exodus-privacy.eu.org/en/

By installing their app, you can see the trackers for each app that you have installed. If you use Yalp store (an open source front-end for the Play Store), there is also a button to view trackers for each app.

Edit: just saw that you're on iOS. This is probably not allowed by Apple, so I guess there will be no alternative.

Working on this. It is very tricky to do for iOS in an App Store compliant manner, but doable. Apple has already approved it.
> Working on this. It is very tricky to do for iOS in an App Store compliant manner, but doable. Apple has already approved it.

This is very welcome news, please do a "Show HN" or post a link to the announcement when it's ready.

For now, before I install an iOS app I run the Exodus Privacy tool on the Android version and must assume the same trackers are present on both platforms. What is worse, Apple fail to label which apps contain ads in the store so I can't even tell which ones are adware before installing (apps with ads are clearly disclosed in Google Play).

You can try MITM-ing via Wireshark or Charlesproxy but it won’t let you look into the packets if they’re using certificate pinning.
A surprising number of trackers do not use pinning, so this has a pretty high success rate actually.
You can grab the app’s IPA file with Apple Configurator and then crack it open to get a list. The binaries themselves will be encrypted, so you will not be able to introspect those, but you will get a good idea of which framework the app is using.
Keep in mind, this only applies to externally bundled SDKs.

Some of them are designed to be compiled into the (encrypted) main app binary.
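
The IPA approach described above, as an added example that is not part of the original thread: an IPA is a zip archive, so the embedded frameworks can be listed from the unencrypted bundle metadata without touching the encrypted binaries. The app and framework names and bundle identifiers in the sample are constructed, and SDKs compiled into the main binary will not appear.

```python
import io
import plistlib
import re
import zipfile

# Payload/<App>.app/Frameworks/<Name>.framework/..., including frameworks
# nested in app extensions (PlugIns/<Ext>.appex/Frameworks/).
FRAMEWORK_RE = re.compile(
    r"^Payload/[^/]+\.app/(?:.+/)?Frameworks/([^/]+)\.framework/(.*)$")


def list_bundled_frameworks(ipa):
    """Return {name: {"bundle_id", "version"}} for frameworks in an IPA.

    `ipa` is a path or file-like object. Only plist metadata is read;
    the (encrypted) Mach-O binaries are never opened.
    """
    found = {}
    with zipfile.ZipFile(ipa) as zf:
        for entry in zf.namelist():
            m = FRAMEWORK_RE.match(entry)
            if not m:
                continue
            name, rest = m.groups()
            info = found.setdefault(name, {"bundle_id": None, "version": None})
            if rest != "Info.plist":
                continue
            try:
                plist = plistlib.loads(zf.read(entry))  # XML or binary plist
            except Exception:
                continue  # malformed plist: keep the name, skip metadata
            if isinstance(plist, dict):
                info["bundle_id"] = plist.get("CFBundleIdentifier")
                info["version"] = plist.get("CFBundleShortVersionString")
    return found


def build_sample_ipa():
    """Constructed sample: a tiny in-memory IPA with made-up names."""
    app, buf = "Payload/Demo.app/", io.BytesIO()
    meta = {"CFBundleIdentifier": "com.example.analytics",
            "CFBundleShortVersionString": "4.2.0"}
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(app + "Demo", b"\x00")  # stand-in for the main binary
        fw = app + "Frameworks/ExampleAnalytics.framework/"
        zf.writestr(fw + "ExampleAnalytics", b"\x00")
        zf.writestr(fw + "Info.plist",
                    plistlib.dumps(meta, fmt=plistlib.FMT_BINARY))
        zf.writestr(app + "PlugIns/Share.appex/Frameworks/"
                    "ExampleAds.framework/ExampleAds", b"\x00")
    buf.seek(0)
    return buf
```

Call `list_bundled_frameworks("/path/to/app.ipa")` on a real archive; the framework names and bundle identifiers it returns can then be compared against a tracker list of your choice.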