صلاتك Salatuk (Prayer time)

Retest Observations

We retested this app on 17/02/2019. The app still contacts Facebook as soon as the app is opened, but no longer shares your Google advertising ID.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

From the Google Play Store page:

"Salatuk app indicates you the Prayer timing, the Mosques near you and the Qibla direction wherever you are!"

Observed Behaviour

This app requests permissions up front when it is installed from the app store; a screenshot is attached for reference.

 

This documentation demonstrates actions taken by the test user and the app's subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:

Immediately after the app is opened, the following data is sent to graph.facebook.com (Graph)

The following HTTP GET request is made to graph.facebook.com

GET https://graph.facebook.com/v3.2/399888690106811/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=4.38.0&sdk=android&device_id=474364c6-e9cf-4971-8dd2-b1dc3c605450&platform=android HTTP/1.1

With the response

 {
  "data":[ {
    "gatekeepers":[ {
      "key":"app_events_auto_logging","value":false
    }
    , {
      "key":"app_events_if_auto_log_subs","value":false
    }
    ]
  }
  ]
}

The app sends the following HTTP GET request to graph.facebook.com

GET https://graph.facebook.com/v3.2/399888690106811?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cauto_event_mapping_android%2Cauto_event_setup_enabled%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1

The app receives the following response from graph.facebook.com:

 {
  "supports_implicit_sdk_logging":true,"gdpv4_nux_enabled":false,"gdpv4_chrome_custom_tabs_enabled":true,"android_sdk_error_categories":[ {
    "name":"login_recoverable","items":[ {
      "code":102
    }
    , {
      "code":190
    }
    ],"recovery_message":"Please log into this app again to reconnect your Facebook account."
  }
  ],"app_events_session_timeout":60,"app_events_feature_bitmask":5,"auto_event_setup_enabled":false,"seamless_login":1,"smart_login_bookmark_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png","smart_login_menu_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png","id":"399888690106811"
}

 

Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
custom_events:                [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543961950,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","share_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543961951,"_ui":"MainActivity","_session_id":"b46acf50-2c69-4531-bd76-b7d887702c4c","fb_mobile_launch_source":"Unclassified"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZe7aa8021-cd64-4a9e-b543-9094dc5e6388
application_tracking_enabled: true
extinfo:                      ["a2","com.masarat.salati",164,"2.2.75","8.1.0","Nexus 5","en_","GMT","",1080,1776,"3.00",4,13,5,"Europe\/London"]
application_package_name:     com.masarat.salati

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

 

Without any further user action, the app sends the following request to graph.facebook.com

format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZe7aa8021-cd64-4a9e-b543-9094dc5e6388
application_tracking_enabled: true
extinfo:                      ["a2","com.masarat.salati",164,"2.2.75","8.1.0","Nexus 5","en_","GMT","",1080,1776,"3.00",4,13,5,"Europe\/London"]
application_package_name:     com.masarat.salati

The app receives the following response from graph.facebook.com:

 {
  "success":true
}
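
The fields in these requests can be checked mechanically. The following is an added example, not part of the original report: it parses a field dump in the layout shown above (the sample is abridged from the CUSTOM_APP_EVENTS request) and reports which identifiers and automatically logged events it carries. The function names are illustrative.

```python
import json

# Abridged copy of the CUSTOM_APP_EVENTS request shown above (same layout and values).
CAPTURE = r"""
format:                       json
custom_events:                [{"_eventName":"fb_sdk_initialize","_logTime":1543961950,"_implicitlyLogged":"1"},{"_eventName":"fb_mobile_activate_app","_logTime":1543961951,"_ui":"MainActivity"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
anon_id:                      XZe7aa8021-cd64-4a9e-b543-9094dc5e6388
extinfo:                      ["a2","com.masarat.salati",164,"2.2.75","8.1.0","Nexus 5","en_","GMT","",1080,1776,"3.00",4,13,5,"Europe\/London"]
application_package_name:     com.masarat.salati
"""

# Fields that identify the device or install across requests (as seen in the capture).
IDENTIFIER_FIELDS = ("advertiser_id", "anon_id")


def parse_capture(text):
    """Turn the aligned 'key: value' dump into a dict, decoding JSON-valued fields."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only
        value = value.strip()
        if value.startswith(("[", "{")):
            value = json.loads(value)
        fields[key.strip()] = value
    return fields


def audit(fields):
    """Summarise what a single app-events request discloses."""
    events = fields.get("custom_events", [])
    return {
        "identifiers": {k: fields[k] for k in IDENTIFIER_FIELDS if k in fields},
        "events": [e["_eventName"] for e in events],
        "implicit_events": [e["_eventName"] for e in events
                            if e.get("_implicitlyLogged") == "1"],
        "shares_advertising_id": bool(fields.get("advertiser_id")),
        # extinfo carries device details; keep only its non-empty string entries.
        "device_strings": [v for v in fields.get("extinfo", []) if isinstance(v, str) and v],
    }


if __name__ == "__main__":
    print(json.dumps(audit(parse_capture(CAPTURE)), indent=2))
```
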

 

Test user action 2: The user makes further interaction with app
Response from app: No further data is sent to graph.facebook.com

Test user action 3: The user closes the application
Response from app: No further data is sent or received by the app from graph.facebook.com

Notes and Commentary

Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
 

Company Response

~27th December 2018, via email

“We use Facebook SDK to allow users to share prayer times via Facebook. Based on your investigation, we understand that there is an automatic transmission of data to Facebook if we use the default implementation of the SDK, and it's possible with the latest Facebook SDK to disable this setting without impacting functionality. We were not aware of this. We will do an in-depth check and as long as it is possible to disable this behaviour we will do it in the next release.”

 

10 January 2019, via Email

Following up on our last exchange. We have published a new version of Salatuk to disable automatic collection of data by Facebook. Here're the actions we have done:

  • Disable automatic event logging (app install, app launch...) via "facebook app dashboard".
  • Disable automatic event logging programmatically using the Manifest file (AutoLogAppEventsEnabled set to false).
  • Disable Collection of Advertiser IDs (AdvertiserIDCollectionEnabled set to false)
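
The two manifest settings named in this response can be verified in a decoded AndroidManifest.xml. The following is an added example, not code from the company or the original report: the manifest is a constructed sample, the function names are illustrative, and the `com.facebook.sdk.` prefix on the setting names is the Facebook SDK's meta-data naming rather than something shown on this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The two settings named in the company's response, written as Facebook SDK
# manifest meta-data keys (the prefix is assumed, see the lead-in).
REQUIRED_FALSE = (
    "com.facebook.sdk.AutoLogAppEventsEnabled",
    "com.facebook.sdk.AdvertiserIDCollectionEnabled",
)

# Constructed sample: a decoded manifest in which only one of the two flags is set.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.prayertimes">
  <application>
    <meta-data android:name="com.facebook.sdk.ApplicationId"
               android:value="@string/facebook_app_id"/>
    <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled"
               android:value="false"/>
  </application>
</manifest>
"""


def facebook_flags(manifest_xml):
    """Return {name: value} for application-level com.facebook.sdk.* meta-data."""
    root = ET.fromstring(manifest_xml.strip())
    flags = {}
    for md in root.iterfind("./application/meta-data"):
        name = md.get(ANDROID_NS + "name", "")
        if name.startswith("com.facebook.sdk."):
            flags[name] = md.get(ANDROID_NS + "value")
    return flags


def missing_opt_outs(manifest_xml):
    """List required flags that are absent or not explicitly set to 'false'."""
    flags = facebook_flags(manifest_xml)
    return [k for k in REQUIRED_FALSE if (flags.get(k) or "").lower() != "false"]


if __name__ == "__main__":
    for flag in missing_opt_outs(SAMPLE_MANIFEST):
        print("not disabled in manifest:", flag)
```
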

Date Tested: 02/12/2018
App Version: 2.2.75
Number of App Installs (according to Google Play Store at time of analysis): 10,000,000+
Facebook SDK Version: 4.38.0
Opt out of Ads Personalisation (Google Settings): Not Enabled (Default Setting)