
How the Malcore Risk Score works for mobile applications

During code analysis, Malcore unzips the APK file and decompiles the compiled .dex files. Malcore runs through each file and uses indicators to identify issues within the code. These code severity warnings are based on Java coding best practices.

Next, Malcore parses the AndroidManifest.xml file and determines which device permissions the app requests. These permission levels are graded in severity based on the Android manifest website.

A tracker is a piece of software whose task is to gather information on the person using the application. A tracker can be used to monitor usage and engagement, for example in analytics or advertising. Trackers are normally legitimate software development kits (SDKs) designed to help developers understand how their apps are being used, resolve potential issues and improve their software. Importantly for privacy, though, there is a large market buying the data collected by these SDKs to improve advertising spend and to better understand users' behavior. This post on their developer forum is a good example of how the Facebook SDK works.

Scores are assigned by the following numbers:

Dangerous permission = 0.25

Suspicious permission = 0.075

High severity warning for code analysis results = 0.15

Severity warning for code analysis results = 0.05

Per tracker or token = 2.5
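
The sketch below is an added example, not Malcore's own code. It applies the weights listed above to the permissions read from a manifest plus counts of code warnings and trackers. It assumes the contributions are simply summed, that the manifest has already been decoded to text XML, and that the DANGEROUS and SUSPICIOUS sets (illustrative subsets chosen here) stand in for the grading the page refers to; the function names and the sample manifest are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights exactly as listed on the page.
WEIGHTS = {"dangerous_permission": 0.25, "suspicious_permission": 0.075,
           "high_severity_warning": 0.15, "severity_warning": 0.05,
           "tracker_or_token": 2.5}

# Assumption: illustrative subsets only; the page does not list the graded permissions.
DANGEROUS = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}
SUSPICIOUS = {"android.permission.RECEIVE_BOOT_COMPLETED",
              "android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed sample: a decoded (text) manifest. Inside an APK the file is binary XML.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the de-duplicated set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def risk_score(manifest_xml, high_warnings, warnings, trackers):
    """Assumed combination: each count times its weight, then summed."""
    permissions = requested_permissions(manifest_xml)
    counts = {"dangerous_permission": len(permissions & DANGEROUS),
              "suspicious_permission": len(permissions & SUSPICIOUS),
              "high_severity_warning": high_warnings,
              "severity_warning": warnings,
              "tracker_or_token": trackers}
    breakdown = {key: round(counts[key] * WEIGHTS[key], 3) for key in WEIGHTS}
    return round(sum(breakdown.values()), 3), breakdown

if __name__ == "__main__":
    total, parts = risk_score(SAMPLE_MANIFEST, high_warnings=4, warnings=10, trackers=3)
    print(total, parts)
```

With these weights a single tracker contributes as much as ten dangerous permissions, so the per-category breakdown is worth reading alongside the total.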

Why was the Malcore Mobile App analyzer algorithm built?

The Malcore team have begun a project to analyze as many popular mobile applications as possible with Malcore and publish the results. A few comments about this project.

We believe in transparency!

Too many providers harvest data from consumers and do not have a security mindset when it comes to their customers' data. To give transparency and accessible information back to users, Malcore is going to analyze as many mobile applications as we can.

Because we believe in transparency, we are going to lead by example by openly publishing our own Mobile App analyzer algorithm. We hope providers will use these scores to cut down on unnecessary permissions and trackers.

We understand some permissions are functionally necessary. But developers tend to prefer a culture of tracking everything rather than accessing only what they need. Because of the large flow of private and sensitive data between hackers on the dark web, this culture is enabling the leaking of a lot of consumer data. We hope to do our part on behalf of the consumer to keep developers honest about harvesting customer data and storing it behind weak security.

The genesis of this project came about after our release of the TikTok technical analysis. We were asked dozens of times how TikTok stacks up against Facebook or Twitter, for example. Malcore now enables us to provide a starting point for relative analysis by mobile application, conducted on a level playing field. It is an addition to our formal 2022 report on TikTok, released at Internet 2.0, which received international coverage.

We must note that this process and algorithm is not an exhaustive code review. It is a static analysis and automated code review using Malcore, with no manual code review. A manual code review tends to find a lot more juicy content, but at the cost of time. The Malcore Team publish all our research in a self-funded model, which means we have no bias but are limited by time. For example, our TikTok technical analysis report at Internet 2.0 was far more detailed and definitive than these short blog posts.
