GetJar is logging more than you think

26 Feb

I was doing some network analysis on my phone related to another matter, and noticed that GetJar was logging some of my activity. This isn’t that surprising for an app store that provides free apps. Nothing comes for free. I would expect that they would log some information related to their apps provided through their store. However, what surprised me was logging occurred as I was uninstalling apps that I did not purchase or install through GetJar. After seeing this behavior, GetJar got an immediate uninstall. I don’t know what other data GetJar might have been logging as I didn’t leave it on long enough to find out anymore.

 

Here is what was logged:

GET /backchannel/metadata/
?gjClientInstallationID=<24char string>
&androidID=<44 char string>
&gjClientVerCode=3378
&src=gjca
&gjClientVerName=3.3.78
&packageName=com.qik.android
&status=UNINSTALLED
&versionCode=382
&versionName=0.03.765
&appLabel=Qik
&uninstallTime=1329696276134

 

I have reformatted this GET request for easier reading. The character count is based on the decoded URL. There is nothing super personal in there, but they are definitely collect what apps you are using.

 

I took a quick look at GetJar’s privacy policy to see if this was disclosed. As many privacy policies, the sections on personal information collection are a bit vague and open-ended. Even so, I didn’t get the sense that they would be collecting information on what apps I was uninstalling or using. Here’s the relevant excerpt from their privacy policy:

Personal Information Collected via Technology

As you use the GetJar Site or any GetJar Service, some information may also be collected passively, including your Internet protocol address, browser type, access time, mobile phone model, and telecom carrier. We may also store a small text file called a "Cookie" on your computer or phone to store certain information about your use of the GetJar Site or GetJar Services. We may use both session Cookies (which expire once you close your browser) and persistent Cookies (which stay on your computer or phone until you delete them).

Personal Information from Other Sources

We may receive Personal Information about you from other sources, including other users. We may associate this information with the other Personal Information we have collected about you.

 

 

I went on to take a quick look at their logging server eventlogger.getjar.com. It discloses some configuration information which I am not sure how accurate it is. If the information disclosed is to be trusted, the jetty.config.contextMap seems to give an indication on what else is collected or sent to GetJar.

/*=com.getjar.els.servlet.StatusServlet;
/thrift/*=com.getjar.els.servlet.ThriftServerServlet;
/backchannel/messaging/*=com.getjar.els.servlet.BackchannelMessagingServlet;
/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/backchannel/metadata/*=com.getjar.els.servlet.BackchannelMetadataServlet;
/backchannel/event/*=com.getjar.els.servlet.BackchannelEventServlet;
/20110506/4933/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/20111010/5001/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet;
/20111102/5002/backchannel/usage/*=com.getjar.els.servlet.BackchannelUsageServlet

* Reformatted for easier reading.

It appears that messaging, usage, and event details might be logged as well. What those all entail I’m not sure as uninstalling an app fell under Metadata.

Disclaimer: By writing this, I’m not claiming that GetJar is engaging in malicious activities. If anything, I want others to be aware of this and make an informed decision. No one is being forced to use this app so choose to do what you will.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: