Some profiling attributes require special permissions in your AndroidManifest.xml. Profiling will continue to operate without them, albeit with values missing.
The following are optional permissions that can be enabled:
<uses-permission android:name="android.permission.READ_PHONE_NUMBERS" />
Provides details around the profiled device's telephone number, namely:
profiling.android.sim_info[AndroidSimContext].line_number
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
Provides enhanced details around the device's SIM card. These are particularly useful for identifying attacks such as sim swapping and users on multiple networks. Provides the following attributes:
profiling.android.sim_info[AndroidSimContext].state
profiling.android.sim_info[AndroidSimContext].meid
profiling.android.sim_info[AndroidSimContext].country
profiling.android.sim_info[AndroidSimContext].imei.identifier
profiling.android.sim_info[AndroidSimContext].is_primary
profiling.android.sim_info[AndroidSimContext].msisdn
profiling.android.sim_info[AndroidSimContext].sim_operator
profiling.android.sim_info[AndroidSimContext].multi_sim_configuration
profiling.android.sim_info[AndroidSimContext].mms_user_agent
profiling.android.sim_info[AndroidSimContext].network_operator
profiling.android.sim_info[AndroidSimContext].network_operator_name
profiling.android.sim_info[AndroidSimContext].network_type
profiling.android.sim_info[AndroidSimContext].sim_serial_number
profiling.android.sim_info[AndroidSimContext].sim_country
profiling.android.sim_info[AndroidSimContext].sim_carrier_id
profiling.android.sim_info[AndroidSimContext].sim_carrier_name
profiling.android.sim_info[AndroidSimContext].subscriber_id
profiling.android.sim_info[AndroidSimContext].voice_mail_number
profiling.android.sim_info[AndroidSimContext].voice_message_count
profiling.android.sim_info[AndroidSimContext].sim_operator_name
profiling.android.sim_info[AndroidSimContext].call_state
profiling.android.sim_info[AndroidSimContext].voice_network_type
profiling.android.sim_info[AndroidSimContext].is_idle
profiling.android.sim_info[AndroidSimContext].is_offhook
Using the above intelligence, Darwinium also provides calculated insight attributes:
profiling.android.sim_info[AndroidSimContext].imei.score.trust
profiling.android.sim_info[AndroidSimContext].imei.score.age
profiling.android.sim_info[AndroidSimContext].imei.score.bot
profiling.android.sim_info[AndroidSimContext].imei.score.scam
profiling.android.sim_info[AndroidSimContext].imei.score.mule
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_node_strength
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_page_rank
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_h_index
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_lobby_index
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_node_strength_quantile
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_page_rank_quantile
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_h_index_quantile
profiling.android.sim_info[AndroidSimContext].imei.score.linkage_lobby_index_quantile
profiling.android.sim_info[AndroidSimContext].imei.signals
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> , <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
These provide insight around Android device Geolocation - this is in addition to geo insights provided from sources such as IP addresses.
Note that in order to receive these insights your app must also implement the following dependency:
com.google.android.gms:play-services-location:xx.x.x
These attributes are useful in determining geo anomalies, such as the device location differing from the IP address location, or spoofed locations. Captured attributes include:
profiling.android.location.is_mock
profiling.android.location.is_mock_provider
profiling.android.location.mock_provider
profiling.android.location.latitude
profiling.android.location.longitude
profiling.android.location.altitude
profiling.android.location.coordinate
profiling.android.location.accuracy
profiling.android.location.provider
profiling.android.location.time
profiling.android.location.speed
profiling.android.location.speed_accuracy
profiling.android.location.vertical_accuracy
profiling.android.location.bearing
profiling.android.location.bearing_accuracy
The following attributes are also calculated on Darwinium's backend when these permissions are enabled:
profiling.android.location.geoname_id
profiling.android.location.country
profiling.android.location.nearest_country
profiling.android.location.nearest_country_distance
profiling.android.location.state
profiling.android.location.nearest_state
profiling.android.location.nearest_state_distance
profiling.android.location.locality
profiling.android.location.nearest_locality
profiling.android.location.nearest_locality_distance
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
This permission enables enhanced insights around Wifi. These are particularly useful when trying to determine if a user has a variety of devices that are potentially part of a device farm connected to a single problematic access point.
Attributes provided include:
profiling.android.wifi.state
profiling.android.wifi.bssid
profiling.android.wifi.network_id
profiling.android.wifi.mac_address
profiling.android.wifi.ssid
profiling.android.wifi.frequency
profiling.android.wifi.rssi
profiling.android.wifi.ap_state
profiling.android.wifi.enabled
profiling.android.wifi.score
profiling.android.wifi.security_type
profiling.android.wifi.dhcp_info.server_address
profiling.android.wifi.dhcp_info.netmask
profiling.android.wifi.dhcp_info.ip_address
profiling.android.wifi.dhcp_info.gateway
profiling.android.wifi.dhcp_info.primary_dns
profiling.android.wifi.dhcp_info.secondary_dns
profiling.android.wifi.dhcp_info.lease_duration
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
Attributes provided by this permission are particularly useful when determining if a device is being emulated. Profiled attributes include:
profiling.android.connection.owner_uid
profiling.android.connection.signal_strength
profiling.android.connection.capabilities"
<uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
This permission enables Darwinium to access the Device's advertising ID. This is typically used for ad retargeting and the permission is requested by a popup notification (which your organization may or may not already be using). Its usage also requires the following implementation dependency:
implementation 'com.google.android.gms:play-services-ads-lite:20.3.0'
This permission provides:
profiling.android.advertising_id - this is a particularly sticky identifier that may be useful across multiple networks, in addition to Darwinium's existing device ID and signatures
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" tools:ignore="QueryAllPackagesPermission" />
This permission allows the app to query the complete list of installed packages on the device. This can be a sensitive permission, but Google has exception when applied for anti-virus and/or financial institution security purposes. See here.
profiling.android.scanned_packages
profiling.android.system.app_store
profiling.android.input_method.*
profiling.android.all_languages
profiling.android.app_package_source
profiling.android.app_package_installer
profiling.android.package_number
profiling.android.nonsystem_package_number
profiling.android.is_jailbroken ^
profiling.android.system.root_detection_signals ^
- Improved Root Detection: ^ Perform package scan for known root management and cloaking apps; additional signals in
profiling.android.system.root_detection_signals:- root_busy
- root_rma
- root_cloak
Note: If QUERY_ALL_PACKAGES permission is not given , there are other rooted signals which can trigger and contribute to deciding is_jailbroken.
But requesting provides more complete protection, particularly against root cloaking which may evade several of those signals.
See: Root Detection
- Sideloaded App Detection: Detecting applications installed outside of official routes may indicate compromised security or fraudulent activity. Also can check for the system application store(s) and input methods.
- Virtual OS suspicion: Counting number of other packages, including system packages can increase likelihood of being a VirtualOS, where environments have fewer installed packages. Will default to 1 if permission not granted (representing the current app).