MASTG-TEST-0281: Undeclared Known Tracking Domains
Overview
This test identifies whether the app properly declares all known tracking domains it may communicate with in the NSPrivacyTrackingDomains section of its Privacy Manifest files.
To perform this test, use one or more curated lists of known trackers. These lists include domains and identifiers associated with advertising networks, analytics providers, and user profiling services. They are commonly used in privacy-focused tools and browsers to detect and block tracking behavior.
Some example lists:
- DuckDuckGo iOS Trackers: Includes domains, matching rules, descriptions, and categories such as "Action Pixels," "Ad Fraud," "Ad Motivated Tracking," and "Advertising."
- Exodus Privacy Trackers: Includes tracker names, categories (e.g., "Advertisement," "Analytics," "Profiling"), descriptions, and detection metadata such as network and code signatures.
These references can be used to match hardcoded or dynamically accessed domains within your app and verify whether appropriate declarations exist in the Privacy Manifest.
Steps
- Extract the app's privacy manifest files, including those from third-party SDKs or frameworks, using Retrieving PrivacyInfo.xcprivacy Files.
- Obtain the list of declared tracking domains from the privacy manifest files using Analyzing PrivacyInfo.xcprivacy Files.
- Run a static analysis scan using radare2 for iOS:
  - Search for hardcoded references to known tracking domains.
  - Identify code references to well-known tracking libraries.
- Perform network analysis with mitmproxy:
  - Intercept and log all outbound network traffic.
  - Extract all domain names contacted during runtime.
Observation
The output should contain:
- All extracted privacy manifests from the app.
- A list of declared tracking domains from the NSPrivacyTrackingDomains key in the manifests (preferably with associated components).
- A list of all domains contacted during dynamic testing.
- A list of code matches for known tracking domains or tracking libraries from static analysis.
Evaluation
The test fails if any of the following is missing in the privacy manifest files' NSPrivacyTrackingDomains key for the app or any of its components (Frameworks, Plugins, etc.):
- Tracking domains contacted by the app at runtime.
- Tracking domains found in the code.
- Domains corresponding to tracking SDKs found in the code.
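The comparison behind the Steps and Evaluation above, as an added example that is not part of the MASTG test or its tooling: it parses the NSPrivacyTrackingDomains key from a PrivacyInfo.xcprivacy plist, matches the domains observed at runtime or in code against a curated tracker list, and reports any tracker domain no declaration covers. The manifest, tracker list and observed domains are constructed stand-ins, and a declared parent domain is assumed to cover its subdomains.

```python
import plistlib
from typing import Iterable

# Constructed sample manifest (not from any real app) declaring one tracking domain.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>ads.example-tracker.com</string></array>
</dict></plist>"""

# Constructed stand-in for a curated tracker list (e.g. DuckDuckGo or Exodus entries).
KNOWN_TRACKERS = {"example-tracker.com", "analytics.example-metrics.net"}

# Constructed stand-in for domains collected via mitmproxy and the radare2 string scan.
OBSERVED_DOMAINS = {
    "ads.example-tracker.com",
    "api.example-cdn.com",
    "beacon.analytics.example-metrics.net",
}

def declared_tracking_domains(manifest_bytes: bytes) -> set[str]:
    """Return the NSPrivacyTrackingDomains declared in one PrivacyInfo.xcprivacy."""
    manifest = plistlib.loads(manifest_bytes)
    return {d.lower().rstrip(".") for d in manifest.get("NSPrivacyTrackingDomains", [])}

def is_known_tracker(domain: str, trackers: Iterable[str]) -> bool:
    """A domain matches a list entry if it equals it or is a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in trackers)

def undeclared_tracking_domains(declared, observed, trackers):
    """Observed tracker domains that no declaration covers (assumed: parent covers subdomains)."""
    return sorted(
        d for d in observed
        if is_known_tracker(d, trackers) and not is_known_tracker(d, declared)
    )

if __name__ == "__main__":
    declared = declared_tracking_domains(SAMPLE_MANIFEST)
    for d in undeclared_tracking_domains(declared, OBSERVED_DOMAINS, KNOWN_TRACKERS):
        print("UNDECLARED tracking domain:", d)  # test fails if this prints anything
```

Run the same check once per extracted manifest (app and each framework or plugin) so a domain declared only by the wrong component is still reported.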