I started last week’s article ranting about how — unbeknownst to us — advertising networks get the same Android-permissions as the installed app they’re associated with. It’s the trade-off we make to get the app for free. I understand that. What I have a problem with is the “unbeknownst to us.”

In the article, I offered a solution — not much of one, I admit. But, at least you could find which ad networks were lurking on your phone. And if you had an issue with a certain ad network, you knew which app to remove.

There are more permission-grabbing add-ons

When I was looking into how the whole permission-granting thing worked, I soon realized ad networks weren’t the only add-ons given the app’s permissions. Add-ons also getting the app’s permissions were:

  • Analytics
  • Developer Tools
  • Licensing
  • Social Gaming
  • Push-ad Notifications

I found out about the additional add-ons when I was checking out an app called Addons Detector. As I ran tests, I became increasingly interested — Addons Detector was finding add-ons that similar tools missed. Why was that?

Ask William

As you know, I always bring my investigative partner William Francis on board when I’m not clear about something Android, and this was one of those times.

Kassner: Thanks for your help, William. To start, exactly what is an add-on?
Francis: In the context of Addons Detector, an add-on seems to be any third-party library a developer has bundled with his or her application.

These libraries as a whole aren’t bad. In fact, they improve the integrity of the Android ecosystem because not every app developer is reinventing the same functionality. Thus, add-ons get a chance to mature and survive testing across numerous applications.

But, add-ons and the apps that use them share the same list of permissions. So locating all the embedded add-ons is meaningful, because it allows us to flag add-ons known to be security and privacy violators.

Kassner: William put Addons Detector through its paces and I was curious as to what he found. So William, what do you think?
Francis: Last night, I installed Addons Detector and took a look. It’s pretty insightful. The ability to go back and see all the permissions your apps have asked for in one place is handy (since the only way to do this in the OS is to go to settings>applications>manage apps, and then view on an app by app basis).

I also like how the tool detects several different kinds of add-ons, not just ad networks. Oh, one other thing, the user interface is slick. It’s unique, yet intuitive and easy to use.

Questions for the developers

As I bid William adu, I made him promise to call if anything interesting surfaced. Next step, contact Denis Peretto and Peter de Kraker, the developers of Addons Detector; I had several questions for them .

Kassner: Denis and Peter, thank you for taking time to talk about Addons Detector. First, a bit about yourselves — what is your background?
Peretto: I’m 36 and work as a business-intelligence professional for a manufacturing company. I graduated in 1999 with a degree in Computer Engineering from the University of Trento, Italy.

I have always been keen on technology. I started out as a java developer. Three years ago, I switched to Android-applications development and have enjoyed the change.

de Kraker: I am 27 years old; live in the Netherlands; just started my Bachelor of Computer Science degree; and run Umito, an app-development company.

Addons Detector was the first project I collaborated on with another developer, and I really liked the experience. Denis is good in some aspects of Android development and I am in others — we complement each other.

Kassner: What motivated you to develop Addons Detector?
Peretto: The idea of Addons Detector was born about a year ago. I was searching for an app to detect push-ad notifications. Not finding any I liked, I decided to create one that not only detected push ads, but other add-ons as well.

In October of 2011, I released the first version of Addons Detector. It had some problems; the scan engine was slow and inefficient. That’s when I met Peter and we began collaborating on how to improve Addons Detector’s scan engine, add new functionalities, and create a new user interface.

Kassner: What is Addons Detector?
de Kraker: Addons Detector is a tool that scans installed apps for integrated add-ons. Developers and power users are interested in seeing all the add-ons, advertising networks, and tools integrated into the app. For users, the most interesting type of add-on is the push-ad notification that spams your notification bar.

Because push-ad notifications are so important we have added the Notification Monitor to detect unknown notification spam. Our scan engine uses known classes to detect the add-ons, but sometimes developers create their own version of notification spam and we can’t detect it until we manually update our scan definitions.

Kassner: How does Addons Detector work?

Peretto: Addons Detector uses a list of known Java classes belonging to the add-on SDKs. It downloads this definition file from our server and scans all app APKs for occurrences of these classes or their ProGuard versions.

For notification add-ons, we explicitly scan the Applications Manifest to avoid false positives. It’s really great that we’ve found a quick way to scan all APKs without using a lot of memory. Previous versions relied on class loaders to detect the existence of the classes, but that caused memory leaks. Our new scan engine is a big improvement, and quite fast — allowing Addons Detector to scan for 100-plus add-ons in every app and in a reasonable amount of time.

Kassner: After installing Addons Detector and enabling a scan, the following screen comes up.

Would you explain what the five buttons in the outside ring do?

de Kraker: Addons: Provides an overview of all the apps installed with their detected add-ons. It also allows you to focus, for example, on push-ad notification add-ons.

Livescan Monitor: Users get this feature when they have donated. It provides users the option of allowing Addons Detector to scan automatically after updates or new-apps are installed.

Permission Explorer: An easy way to see what permissions are associated with each app. It also displays what each permission means.

Install Date: We felt it important to provide the installation date of each app and its latest update — mainly as a tool to figure out which app could be causing mayhem if more than one updated at the same time.

Notification Monitor: A service that records all notifications. This allows you to find the app responsible for notification spam even though it avoided detection. It also supports submitting the app name to our server, so we can check it out.

Kassner: William and I noticed that Addons Detector had listed itself as having an add-on. I thought we might use that as an example to show how Addons Detector works.

What are we looking at?

Peretto: This view shows all the add-ons. At the top, you see the filter currently set to Developer Tools. Consequently, it shows all the apps that have integrated developer tools, like the Android NDK.

Export button: This function allows you to save a list of all the add-ons to the SD or send an email containing the list. Several of our customers have mentioned to us that they use this functionality to help their users solve problems remotely.

Submit button: This function allows people to upload the same results to our server so we can study them. We may anonymize and publish this information if there is enough interest.

Kassner: Next, I tapped on Addons Detector and the following screen opened.

Are these the permissions we must agree to in order to load Addons Detector? If so, why is it important to display them in Addons Detector?

de Kraker: Yes, this is the overview of the selected app. It shows all data we have collected during the scan. The permissions are there so you can easily see what the app uses. We wanted to provide a complete overview of the selected app.
Kassner: Addons Detector does not provide any rating or advice about the third-party add-ons it detects. Neither of us have heard of several listed, so we do not know if they are okay to allow. What would you suggest we do?

Peretto: Recent versions of Addons Detector (2.2 and newer) now include some info and advice. You click on the add-on in the app view and it provides specific information, the website of the add-on developer, and our advice.
Kassner: William had this to say about Notification Monitor:

“I wasn’t completely sold on the Notification Monitor. Essentially this requires me to give Addons Detector permission to spy on all my notifications. That requires some faith on my part.”

How would you respond to William’s concerns?

de Kraker: We have tried to find ways to detect notification spam that currently uses unknown, therefore undetectable code. But, there is no way in Android to detect notifications of other apps.

The only way we could find was using the accessibility service, and that does indeed bring some privacy concerns with it. We can only guarantee that we do not look at anything else. And, all results are stored in the notification monitor.

Kassner: There is not much information describing the operation of Addons Detector. What differentiates it from other similar apps?
Peretto: Our most distinctive feature is that we use online definitions. The app downloads the definitions on startup. This way we can dynamically add new information without needing to update Addons Detector.

The live scanner is also a nice feature. The scan engine is also quite fast and simple, but effective. We also like our user interface, it’s clean and easy to understand.

Kassner: I noticed you have a premium version of Addons Detector. What additional features does it have?
de Kraker: The premium version has access to the live scanner that checks each app when installed or updated. This makes it much easier to keep an eye on your apps, without needing to scan your whole phone every time you install new software.

Final thoughts

I saw my first push-ad the other day. I’m sorry, but I’m not interested in buying a purse. Using Addons Detector, I was able to locate the associated app and remove it with extreme prejudice.

I’d like to thank Denis and Peter for their helpful app and explaining how it works.