MASTG-TEST-0281: Undeclared Known Tracking Domains
Overview
This test identifies whether the app communicates with known tracking domains that are not declared in the app's Privacy Manifest. These include domains listed in sources like DuckDuckGo iOS Trackers, which are associated with ad networks, analytics providers, and user profiling services.
Steps
- Obtain the app's privacy manifests (both main binary and dependencies).
- Search statically with semgrep for tracking domain names, or dynamically intercept network requests with mitmproxy.
Observation
The output should contain:
- a list of tracking domains with which the app has interacted, or may interact.
- all the app's privacy manifests as files.
Evaluation
The test case fails if the app communicates with a tracking domain that isn't declared in its privacy manifest.
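One way to automate the evaluation, as an added example that is not part of the MASTG test itself: it reads the `NSPrivacyTrackingDomains` key from every privacy manifest and reports observed tracker hosts that no manifest covers. The manifests, tracker list and hostnames are constructed samples, and treating a subdomain of a declared domain as declared is an assumption of this sketch.

```python
import plistlib

# Constructed PrivacyInfo.xcprivacy samples (main binary + one SDK).
MAIN_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>ads.tracker-one.example</string></array>
</dict></plist>"""
SDK_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
</dict></plist>"""
# Constructed stand-ins for a tracker list and for intercepted hostnames.
KNOWN_TRACKERS = ["tracker-one.example", "tracker-two.example"]
OBSERVED_HOSTS = ["cdn.ads.tracker-one.example", "t.tracker-one.example",
                  "metrics.tracker-two.example", "api.myapp.example"]

def _norm(name):
    """Lowercase a hostname and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")

def declared_tracking_domains(manifests):
    """Union of NSPrivacyTrackingDomains across all manifests."""
    declared = set()
    for raw in manifests:
        plist = plistlib.loads(raw)
        declared.update(_norm(d) for d in plist.get("NSPrivacyTrackingDomains", []))
    return declared

def _covered(host, domains):
    """True if host equals, or is a subdomain of, any entry (assumption)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def undeclared_trackers(observed_hosts, known_trackers, declared):
    """Observed hosts on the tracker list that no manifest declares."""
    known = {_norm(d) for d in known_trackers}
    hosts = {_norm(h) for h in observed_hosts}
    return sorted(h for h in hosts
                  if _covered(h, known) and not _covered(h, declared))

if __name__ == "__main__":
    declared = declared_tracking_domains([MAIN_MANIFEST, SDK_MANIFEST])
    findings = undeclared_trackers(OBSERVED_HOSTS, KNOWN_TRACKERS, declared)
    print("FAIL" if findings else "PASS", findings)
```

A non-empty result corresponds to a failed test case; the hostname list can come from either the static search or the intercepted traffic.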