# Data Exfiltration Patterns

How tracker SDKs send data out of the device — known endpoints, custom configurations, proxy patterns, and batch upload mechanisms.

## Known Endpoints by SDK

### Firebase Analytics / Google Analytics

| Endpoint | Purpose |
|---|---|
| `app-measurement.com` | Primary event collection |
| `firebase-settings.crashlytics.com` | Crashlytics config |
| `firebaselogging-pa.googleapis.com` | Event logging |
| `google-analytics.com/collect` | Legacy GA hits |
| `www.googletagmanager.com` | GTM container |

### Adjust

| Endpoint | Purpose |
|---|---|
| `app.adjust.com` | Event tracking, attribution |
| `app.adjust.io` | Alternative domain |
| `app.adjust.world` | Regional alternative |
| `cdn.adjust.com` | SDK config |
| `gdpr.adjust.com` | GDPR forget-me requests |

### AppsFlyer

| Endpoint | Purpose |
|---|---|
| `launches.appsflyer.com` | App launch events |
| `events.appsflyer.com` | In-app events |
| `register.appsflyer.com` | Install attribution |
| `inapps.appsflyer.com` | In-app purchase validation |
| `gcdsdk.appsflyer.com` | SDK config |

### Mixpanel

| Endpoint | Purpose |
|---|---|
| `api.mixpanel.com/track` | Event tracking |
| `api.mixpanel.com/engage` | People profiles |
| `api.mixpanel.com/decide` | Feature flags, A/B tests |
| `api-js.mixpanel.com` | Alternative endpoint |

### Amplitude

| Endpoint | Purpose |
|---|---|
| `api.amplitude.com/2/httpapi` | Event upload (v2) |
| `api2.amplitude.com/2/httpapi` | Batch event upload |
| `cdn.amplitude.com` | SDK config |
| `regionconfig.amplitude.com` | Region routing |

### Segment

| Endpoint | Purpose |
|---|---|
| `api.segment.io/v1/t` | Track events |
| `api.segment.io/v1/i` | Identify calls |
| `api.segment.io/v1/batch` | Batch upload |
| `cdn-settings.segment.com` | Workspace settings |

### Braze

| Endpoint | Purpose |
|---|---|
| `sdk.iad-01.braze.com` | US-01 SDK endpoint (varies per cluster) |
| `sdk.iad-02.braze.com` | US-02 SDK endpoint |
| `sdk.fra-01.braze.eu` | EU-01 SDK endpoint |
| `rest.iad-01.braze.com` | REST API |

Braze uses cluster-specific endpoints: `sdk.iad-NN.braze.com`, `sdk.fra-NN.braze.eu`. Look for `.setCustomEndpoint()` in `BrazeConfig.Builder`.

### CleverTap

| Endpoint | Purpose |
|---|---|
| `wzrkt.com` | Primary analytics/events |
| `in.clevertap.com` | India region |
| `eu1.clevertap.com` | EU region |
| `sg1.clevertap.com` | Singapore region |
| `clevertap-prod.com` | Legacy |

### Flurry

| Endpoint | Purpose |
|---|---|
| `data.flurry.com` | Event data upload |
| `adlog.flurry.com` | Ad analytics |
| `cfg.flurry.com` | SDK configuration |

## Custom Endpoint Configuration

Some SDKs let the app override the default endpoint at runtime. A non-default value is the main signal of a proxy/relay setup, since the SDK then sends events somewhere other than the vendor domains listed above.

### Grep for custom endpoints

```bash
# Braze custom endpoint
grep -rn 'setCustomEndpoint\|setEndpoint\|setApiUrl' "$SOURCE_DIR"

# Segment custom host
grep -rn 'connectionFactory\|apiHost\|cdnHost' "$SOURCE_DIR"

# Mixpanel custom server
grep -rn 'setServerURL\|setDecideUrl\|setEventsUrl' "$SOURCE_DIR"

# Amplitude custom server
grep -rn 'setServerUrl\|setUseDynamicConfig' "$SOURCE_DIR"

# Generic proxy patterns
grep -rn 'proxyUrl\|proxyHost\|relayEndpoint\|analyticsProxy\|trackingProxy' "$SOURCE_DIR"
```
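One way to turn the endpoint tables and the custom-endpoint greps above into a single classified report, as an added example that is not part of this reference: it matches a decompiled source tree against the known vendor domains (literal match, so no regex escaping of dots), flags the custom-endpoint setters from this section, and runs on a constructed fixture that stands in for a decompiled tree. The domain-to-SDK map, the setter list and the fixture file names are assumptions chosen for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original reference: one pass over a decompiled
# tree that classifies hits against the endpoint tables above and flags the
# custom-endpoint setters, printing "<sdk> <domain> <file>:<line>" per hit.
set -u
# Domain -> SDK map drawn from the tables above (apex domains where the SDK
# uses several hosts). Extend it as further SDKs turn up.
KNOWN_ENDPOINTS='
app-measurement.com firebase
adjust.com adjust
appsflyer.com appsflyer
mixpanel.com mixpanel
amplitude.com amplitude
segment.io segment
braze.com braze
wzrkt.com clevertap
flurry.com flurry
'
# Setters from the "Custom Endpoint Configuration" section: a hit means the
# SDK may point at a proxy/relay, so the domain map alone is not the answer.
CUSTOM_SETTERS='setCustomEndpoint|setEndpoint|setApiUrl|setServerUrl|setServerURL|setEventsUrl|apiHost'

# Usage: scan_tracker_endpoints <decompiled-source-dir>
scan_tracker_endpoints() {
  local dir="$1" domain sdk hit
  printf '%s\n' "$KNOWN_ENDPOINTS" | while read -r domain sdk; do
    [ -n "$domain" ] || continue
    # -F: the domain is a literal string, so its dots need no escaping.
    grep -rnF --include='*.java' --include='*.smali' --include='*.xml' -- "$domain" "$dir" 2>/dev/null |
      while IFS= read -r hit; do   # hit is "file:line:content"; keep file:line
        printf '%s\t%s\t%s\n' "$sdk" "$domain" "$(printf '%s' "$hit" | cut -d: -f1,2)"
      done
  done
  grep -rnE --include='*.java' -- "$CUSTOM_SETTERS" "$dir" 2>/dev/null |
    while IFS= read -r hit; do
      printf 'custom-endpoint\t-\t%s\n' "$(printf '%s' "$hit" | cut -d: -f1,2)"
    done
}

# Constructed fixture standing in for a decompiled tree (not from a real app).
make_sample_tree() {
  mkdir -p "$1/com/example/app" "$1/com/mixpanel/android/mpmetrics"
  printf 'String u = "https://api.mixpanel.com/track";\n' > "$1/com/mixpanel/android/mpmetrics/MPConfig.java"
  printf 'b = new BrazeConfig.Builder().setCustomEndpoint("relay.example.com");\n' > "$1/com/example/app/Analytics.java"
}

sample=$(mktemp -d)
make_sample_tree "$sample"
scan_tracker_endpoints "$sample"   # one mixpanel hit, one custom-endpoint hit
rm -rf "$sample"
```

Point `scan_tracker_endpoints` at the real `$SOURCE_DIR` to get the same tab-separated report for an actual sample; a `custom-endpoint` row with no matching vendor-domain row is the pattern worth following up.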

## Proxy & Relay Patterns

Apps may route analytics through their own servers, either to get past host-based ad blockers or to aggregate data before forwarding it. In that case the vendor domain never appears in the app's own traffic, so the relay has to be found in the code instead.

### Detection patterns

```bash
# Look for OkHttp interceptors that rewrite analytics URLs
grep -rn 'Interceptor.*analytics\|Interceptor.*tracking\|rewriteUrl.*analytics' "$SOURCE_DIR"

# Server-side relay: app sends events to its own API, which forwards to tracker
grep -rn '/api/analytics\|/api/events\|/api/tracking\|/v1/collect\|/v1/events' "$SOURCE_DIR"

# Custom transport layer
grep -rn 'AnalyticsTransport\|EventTransport\|TrackingTransport\|EventDispatcher' "$SOURCE_DIR"
```

## Batch Upload Patterns

Most SDKs queue events locally and upload them in batches, either on a timer or when the app goes to the background. The local queue and the flush trigger are therefore the two places to look.

### Common batch patterns

```bash
# Database/file storage for batched events
grep -rn 'EventDatabase\|event_queue\|analytics_db\|pending_events\|EventStore' "$SOURCE_DIR"

# Flush triggers. Plain parentheses are literal in grep's default (basic) regex;
# '\(\)' would be an empty group and match any '.flush' prefix instead.
grep -rn '\.flush()\|flushEvents\|flushQueue\|uploadEvents\|sendBatch\|dispatchEvents' "$SOURCE_DIR"

# Batch size / interval config
grep -rn 'flushInterval\|batchSize\|maxQueueSize\|uploadInterval\|flushAt\|setFlushInterval' "$SOURCE_DIR"
```

## Finding the Underlying HTTP Calls

Tracker SDKs ultimately use standard HTTP mechanisms. To see the actual network calls:

```bash
# OkHttp client creation inside SDK packages
# ($SOURCE_DIR is the root of the decompiled source tree, so SDK code sits under its package path)
grep -rn --include="*.java" 'OkHttpClient\|HttpURLConnection' "$SOURCE_DIR"/com/google/firebase/
grep -rn --include="*.java" 'OkHttpClient\|HttpURLConnection' "$SOURCE_DIR"/com/adjust/
grep -rn --include="*.java" 'OkHttpClient\|HttpURLConnection' "$SOURCE_DIR"/com/appsflyer/

# POST bodies — look for JSON construction near known SDK packages
grep -rn 'toJson\|JSONObject\|JsonWriter\|Gson\|Moshi' "$SOURCE_DIR"/com/mixpanel/
```