The VKontakte application monitors users
The application sends the user's actions to the server, as well as the location of the device.
Russian student and programmer Vladislav Velyuga sniffed the traffic of the VKontakte mobile app with the Shark for Root program and published the results of the investigation (part 1, part 2). He writes that earlier sniffing showed nothing unusual, but now it does. The social network has started to transfer so much data to the server about literally every user action that it can be called spying.
Unfortunately, the official version of the client now includes modules such as myTracker from Mail.ru (screenshot after decompiling the APK file).
Vladislav investigated version 4.12.1 of the official client for Android.
The study showed that almost all user actions in the application are transmitted to the VKontakte server. The need to collect much of this data is difficult to explain (although you can understand it if you think about why the server needs it). For example, entering the “Audio” section transmits geodata, and the video section sends information about events such as “volume_on”, “volume_off”, “fullscreen_on”, “fullscreen_off” (entering and leaving full-screen mode), as well as the “Video_play” event, which simply sends the current video viewing position roughly every 10-20 seconds.
In other cases, information about the closest WiFi access points is transmitted, metrics are loaded via an invisible WebView, and so on. VKontakte technical support replied that refusing the collection of this data "will not work, since all this information is necessary for the operation of the application."
The author of the study emphasizes that no such leaks were noticed in the unofficial VK Coffee client (a modification of the official one, with metrics etc. cut out).
VK Coffee’s author Eduard Bezmenov commented: “The hell is that libverify from soap.ru collects SIM card serials, and mytracker collects LAC and CID.” He said that he had observed similar data leaking from VKontakte before, and that this function has long been disabled in his client modification.
Later, in a comment for the newspaper "Vedomosti", company representative Yevgeny Krasnikov explained that VKontakte has never concealed that it collects such information for advertising, optimization, and recommendations. Other information is also required. For example, a change in the identification code of the SIM card shows whether the user has changed phones and helps decide whether to send them a validation code. Location must be requested when listening to audio recordings because of the requirements of copyright holders, and so on. In any case, all popular applications collect similar personal data, otherwise they will lose to competitors.