So apparently there's this new app out there that student athletes are supposed to load onto their phones that tracks them and makes sure they're going to class. This has of course gotten the attention of the EFF, and so I decided to crack open an APK for the first time ever and take a little looksee.

The first thing I need to do is actually download the app. There was very little challenge to grabbing the APK off of a public market and putting it on an analysis rpi I have lying around.

Next up is to decompile the apk so that we can look at what's going on inside of it. For this I decided to use 'apktool'. So then I run it on the downloaded file with:

$>apktool decode <filename>

What comes out of it is a directory structure holding the app's decoded resources and the code for the Java classes the app uses. The permissions manifest is the first thing I'm looking for, and I find it (AndroidManifest.xml) in the root directory of the decoded app.

The manifest looks like this:

[Screenshot of the manifest: Screen Shot 2020-01-28 at 7.07.05 PM.png]

A thing or two stands out on this to me. First thing is, why does this app need access to the camera? It's supposedly for tracking students, which is weird enough -- but to then need camera permissions is a little extra weird.

It's possible the camera is just being used to populate a profile picture field or something, but more questions may be in order.

There are also some reasonable questions to ask about the read/write permissions on the calendar. There are decent reasons an app like this might need them, but whether they're justified depends entirely on what the app actually does with them.
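The permission review above can be scripted rather than read off a screenshot. The following is an added example, not code from the original post or from the app being examined: it parses the AndroidManifest.xml that apktool writes into the root of its output directory, lists every uses-permission entry, and flags the ones that grant access to sensors or personal data (camera, calendar, location and so on). The embedded sample manifest is constructed for illustration; the permission names it contains are not taken from the real app's manifest. Pass the path of a real decoded manifest as the first argument to triage that instead.

```python
"""Triage the permissions an Android app requests.

Run after `apktool decode <apk>`; the manifest is at
<output-dir>/AndroidManifest.xml. Usage:

    python triage_permissions.py [path/to/AndroidManifest.xml]

Without an argument the constructed sample manifest below is used.
"""
import sys
import xml.etree.ElementTree as ET

# The android: XML namespace used by every manifest attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that expose sensor or personal data, with a short reason
# so the report explains why each one deserves a second look.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is not in use",
    "android.permission.READ_CALENDAR": "calendar (read)",
    "android.permission.WRITE_CALENDAR": "calendar (write)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
}

# Constructed sample manifest (hypothetical package name and permission
# set; NOT the manifest of the app discussed in the post).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.attendance">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <application android:label="Attendance"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared in the manifest, in document order.

    Both <uses-permission> and <uses-permission-sdk-23> elements are counted.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)
            if name:
                names.append(name)
    return names


def triage(manifest_xml):
    """Split the requested permissions into flagged (sensitive) and other."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    other = [p for p in perms if p not in SENSITIVE]
    return {"flagged": flagged, "other": other}


def report(manifest_xml):
    """Human-readable summary of the triage result."""
    result = triage(manifest_xml)
    lines = ["Permissions worth questioning:"]
    for perm, why in result["flagged"].items():
        lines.append("  %-50s -> %s" % (perm, why))
    lines.append("Other permissions:")
    for perm in result["other"]:
        lines.append("  %s" % perm)
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            manifest = fh.read()
    else:
        manifest = SAMPLE_MANIFEST
    print(report(manifest))
```

The lookup table is deliberately small; a reviewer would extend it with whatever matters for the app under review (SMS, phone state, accessibility services) and, as the post notes, read the flagged ones in the context of what the app claims to do.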

As for how the program is written, the way the app gathers the information it uses to decide whether a student is where they should be appears to work on a day-by-day basis:

[Screenshot of the decompiled code: Screen Shot 2020-01-28 at 6.59.53 PM.png]

All in all, I don't know what to make of this app yet. It always raises hackles when a tracking app comes out, especially one that is mandated for a population. This one is no different.