The application sends the user's actions to the server, as well as the location of the device
Russian student and programmer Vladislav Velyuga sniffed the traffic of the VKontakte mobile app with the Shark for Root program and published the results of the investigation (part 1, part 2). He writes that earlier sniffing showed nothing unusual, but now it does. The social network has started to transfer so much data to the server, about literally every user action, that it can be called surveillance.
Unfortunately, the official version of the client now includes the following modules, among them myTracker from Mail.ru (screenshot after decompiling the APK file).
Vladislav investigated version 4.12.1 of the official client for Android.
The study showed that almost all user actions in the application are transmitted to the VKontakte server. The need to collect much of this data is difficult to explain (although it becomes understandable once you think about why the server needs it). For example, on entering the “Audio” section, geodata is transmitted, and in the video section the app sends events such as “volume_on”, “volume_off”, “fullscreen_on” and “fullscreen_off” (entering and leaving full-screen mode), as well as the “Video_play” event, which simply sends the current video viewing position roughly every 10-20 seconds.
In other cases, information about the nearest WiFi access points is transmitted, metrics are loaded via an invisible WebView, and so on. VKontakte technical support responded that it is not possible to stop the collection of this data, since all this information is necessary for the application to work.
The author of the study emphasizes that in the unofficial VK Coffee client (a modification of the official one, with metrics and the like cut out) no such leaks were observed.
VK Coffee author Eduard Bezmenov himself commented: “The hellish part is that libverify from soap.ru collects SIM card serials, and mytracker collects lac and cid”. He said that he had observed VKontakte leaking such data before, and that this function has long been disabled in his client modification.
Later, in a comment to the Vedomosti newspaper, company representative Yevgeny Krasnikov explained that VKontakte had never concealed that it collects such information for advertising, optimization and recommendations. Other information is also required. For example, from a change in the SIM card's identification code, one can tell whether the user has changed phones and decide whether to send them a validation code. Location must be requested when listening to audio recordings because of the requirements of copyright holders, and so on. In general, all popular applications collect similar personal data, otherwise they would lose to competitors.