MASTG-TEST-0281: Undeclared Known Tracking Domains

Overview

This test identifies whether the app communicates with known tracking domains that are not declared in the app's Privacy Manifest. These include domains listed in sources like DuckDuckGo iOS Trackers, which are associated with ad networks, analytics providers, and user profiling services.

Steps

  1. Obtain the app's privacy manifests (both main binary and dependencies).
  2. Search statically with semgrep for tracking domain names, or dynamically intercept network requests with mitmproxy.

Observation

The output should contain:

  • a list of tracking domains with which the app has interacted, or may interact.
  • all the app's privacy manifests as files.

Evaluation

The test case fails if the app communicates with a tracking domain that isn't declared in its privacy manifest.
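
The comparison behind this evaluation can be scripted once the manifests and the domain list are collected. The following Python sketch is an added example, not part of the MASTG test itself: it reads the `NSPrivacyTrackingDomains` array from each privacy manifest and reports observed hosts that match a known tracker but no declared domain. The manifests, tracker list, observed hosts and function names are constructed for illustration, and treating a listed domain as covering its subdomains is an assumption of this example.

```python
import plistlib

# Constructed sample data (not from a real app): two PrivacyInfo.xcprivacy
# files, a tracker list, and hosts found statically or in a proxy capture.
MAIN_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>tracker.example</string></array>
</dict></plist>"""
SDK_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>ads.example.net</string></array>
</dict></plist>"""
KNOWN_TRACKERS = {"tracker.example", "ads.example.net", "metrics.example.org"}
OBSERVED_HOSTS = ["api.tracker.example", "cdn.metrics.example.org",
                  "ADS.example.net.", "api.myapp.example"]


def normalize(host):
    """Lower-case a host name and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")


def declared_domains(manifests):
    """Union of NSPrivacyTrackingDomains over the main and dependency manifests."""
    declared = set()
    for raw in manifests:
        domains = plistlib.loads(raw).get("NSPrivacyTrackingDomains", [])
        declared.update(normalize(d) for d in domains)
    return declared


def matching_entry(host, domains):
    """Return the entry equal to host or a parent of it (assumption), else None."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def undeclared_trackers(hosts, trackers, manifests):
    """Map each observed tracker host lacking a manifest declaration to its tracker entry."""
    declared = declared_domains(manifests)
    return {normalize(h): matching_entry(h, trackers) for h in hosts
            if matching_entry(h, trackers) and not matching_entry(h, declared)}
```

A non-empty result from `undeclared_trackers` corresponds to a failed test case.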