List trackers and permissions of all installed Android applications with Exodus
Exodus is a free privacy application for Google's Android operating system that reveals the use of trackers of installed Android applications and their permissions.
We reviewed Exodify, browser extensions by the Exodus project, back in 2018 and covered the web service Exodus as well back then. Users may use the browser extensions to display permission requests and tracker uses of any app on Google Play, or run searches for applications on the Exodus website.
Exodus was mentioned in Günter Born's article on LastPass' extensive use of trackers in the service's Android application.
The Exodus application is available on Google Play. Its main advantage over the browser extensions or web service is that it will scan all installed applications on an Android device to return each application's use of trackers and its requested permissions.
Usage is pretty simple: download the app from Google Play and run it after installation. It will scan the installed applications automatically, lists them, and displays the number of trackers and permissions for each.
The app uses colors to make it easier for users to distinguish between apps that use little or no trackers or permissions, and apps that use them heavily. Green background colors mean that the app does not use any trackers or has not requested extra permissions, yellow that some are used or have been requested, and red that a lot of trackers are used or a lot of permissions have been requested.
You may tap on any application to display a profile page. The page lists the installed version and test version, all trackers and all requested permissions with a short explanation. A tap on a permission or tracker opens even more details, e.g. when you select a tracker you get a list of other installed applications that use it as well.
You may also activate a link to open the application's profile page on the Exodus website to get additional information such as purposes of trackers if known.
The results depend on the applications that you have installed, but most users will probably notice that the majority of installed applications do use one or more trackers. Use of trackers or lots of permissions is not always a sign that something bad or fishy is going on, but it can be an indicator.
Exodus offers some interesting options, such as:
- Checking all installed browsers for trackers.
- Making sure that important applications don't use trackers.
- Spotting apps or games that go over the board with trackers or permissions to drop them.
It is necessary to check the list of requested permissions and/or trackers. Some application types, web browsers for instance, require more permissions than apps that have a narrower focus.
Closing Words
Exodus offers an interesting service. It needs to be noted that the app requires Internet connectivity as it uses a central database and not real-time scanning for its analysis; this means, that it is possible that some applications have not been scanned by Exodus or that earlier versions have been scanned only.
Still, if you want to quickly check permissions and trackers of all installed Android apps on a device, it is a good way of doing that.
Now You: Do you check trackers or permissions before installing apps on your mobile devices?
Exodus doesn’t list “trackers”, it categorizes apps according to the number of “critical” permissions they request, like network or camera access. And out of my ~ 180 installed apps it didn’t have profiles for, at a glance, 95%… pretty underwhelming.
It complained I had no apps installed immediately upon starting the app, but on the other hand I didn’t let it out because wanted to see what it would do, it kind of sucks it can’t figure out on its own some things of other apps but require online connection, so in short it appears to rather mine user data, uninstalled it.
Theres this one on F-Droid:
https://f-droid.org/en/packages/com.oF2pks.classyshark3xodus/
Can scan installed apps or downloaded .apks without them installed.
Doesnt just compare the app name against reports.
Works offline and actually scans the app classes finding known tracker code in the apps.
@here
Right.
classyshark3xodus is the handy app that is integrated in App Manager on f-droid.
Pithus looks promising as well. here an analysis for Lastpass android app
https://beta.pithus.org/report/5d58f9bd3fb3dd1ce5ec75796b87e296b20ec98075607ed274016f11a30f30e4
https://beta.pithus.org/about/
Exodus is great but the article screenshot here is a reminder that it will not catch everything, apparently looking mainly for standard largely used third-party trackers and ignoring specific home-made tracking components in applications. The F-Droid repository “tracking anti-feature” warnings are more complete. But the F-Droid applications have usually moral standards light-years above those of Google Play applications, which should be considered as compromised by default.
“Use of trackers […] is not always a sign that something bad or fishy is going on”
Debatable, especially considering the trackers that the Exodus database is concerned with.
Looking more closely at their trackers list they still list first-party trackers for some of the biggest fishes, like Tinder and Mozilla.
Useless, only scans play store apps, not sideloaded apps.
App Manager app has the exodus feature in it, and works offline.
It lists activities, broadcast receivers, services, providers, permissions, signatures, shared libraries, etc. of any app.
It has a bunch of other features to manage apps.
Link: https://f-droid.org/en/packages/io.github.muntashirakon.AppManager/
Interesting, good find!
You can easily check the reports directly from the Exodus web site @ https://reports.exodus-privacy.eu.org/en/reports/
Meh! I’m not a fan.
The app will scan your apps by name and then alerts you of trackers and permissions but those trackers and permissions are based upon a different version of which you have installed therefore we have a problem which is indicative of a larger problem. For example if the app you have installed on your phone has recently changed hands (indeed in my case) or has changed permissions and have added ads going forward then you would still be alerted of such issues as the app does not actually deep scan for trackers or permissions but compares it to a loose database of apps and versions that have actually been analysed, furthermore because of such limitations it will not give you accurate information and worse yet it only appears to show you information on applications installed via the google play store.
It will not take into account apps that have been modded an nulled and if it did given the methodology it will probably still flag it with such things as google analytics even if they had been removed.
I award this app one silver star *
I remember trying the Exodus years ago and was also quite disappointed.
There is an app that is rather good at identifying commercial add-ons (such as Firebase Analytics, Google Analytics, Google Mobile Ads, Flurry Ads, and many more) to apps that are installed. It would have been good if Martin would have referenced it in this article (he had written about it before). The app is called “Addons Detector” and was review at: https://www.ghacks.net/2018/02/26/addons-detector-for-android-review/ .
Would be cool to have something similar for iOS.
So is it like the App Warden?
https://gitlab.com/AuroraOSS/AppWarden/
The other way around, App Warden is like Exodus, because App Warden is based on Exodus Privacy.
In the link you provided, it says that App Warden uses the Exodus Privacy tracker list.