so.cl

Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer


The measurement SDK library (coelib.c.couluslibrary), implemented in various Android apps, is responsible for collecting sensitive data such as clipboard contents, GPS location, email, phone numbers, IMEI and SSID.

At this point, we wanted to figure out who owns mobile.measurelib.com, which turned out to be rather difficult. We searched for strings that we saw in the network traffic to measurelib.com, such as ARPSurvey, measurelib, and ClientIPv4, to see which SDK was responsible for them. Yet, none that we sought were present! The app’s privacy policy was also unhelpful in identifying this traffic to measurelib.com: while listing other location and router data collectors like Huq, they somehow omitted measurelib.com.

To find out more, we looked for other apps that talked to mobile.measurelib.com. We found a few, including Audio Quran, Qibla Compass, and a QR code scanner, all of which have location permissions. This means that if the user grants the app access to location data, then this SDK does not need a side channel to get the router’s MAC address. In such apps, when we performed our test, we found that they also shared precise GPS location information with measurelib.com, as well.

The Curious Case of Coulus Coelib
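
The search described above, as an added example that is not code from the quoted article: it scans an APK's DEX files for the SDK package named on this page and for the traffic strings, and checks the manifest for location permissions. The descriptor form of the package name, the byte-level manifest check, the helper names and the sample APK contents are assumptions made for this example.

```python
import io
import zipfile

# Indicators taken from the page. Assumption: the package shows up in DEX
# files as a class-descriptor prefix ("Lpkg/path/"), the way DEX stores types.
SDK_PACKAGE = "coelib.c.couluslibrary"
TRAFFIC_STRINGS = ["measurelib.com", "ARPSurvey", "ClientIPv4"]
LOCATION_PERMS = ["android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"]


def scan_apk(apk_bytes):
    """Report which indicators are present in an APK given as bytes."""
    descriptor = ("L" + SDK_PACKAGE.replace(".", "/") + "/").encode()
    sdk_dex, strings, perms = [], set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith(".dex"):
                data = apk.read(name)
                if descriptor in data:
                    sdk_dex.append(name)
                # Plaintext hits only: strings the SDK hides will not match,
                # so an empty result here does not clear the app.
                strings.update(s for s in TRAFFIC_STRINGS if s.encode() in data)
            elif name == "AndroidManifest.xml":
                data = apk.read(name)
                # Compiled manifests keep strings as UTF-8 or UTF-16LE.
                perms.update(p for p in LOCATION_PERMS
                             if p.encode() in data or p.encode("utf-16-le") in data)
    return {"sdk_dex": sorted(sdk_dex),
            "traffic_strings": sorted(strings),
            "location_perms": sorted(perms)}


def build_sample_apk(dex_payload, manifest_payload):
    """Constructed stand-in for an APK: a zip with one DEX and a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex_payload)
        z.writestr("AndroidManifest.xml", manifest_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: SDK classes present, traffic strings absent,
    # location permission declared. The class name "a" is made up.
    sample = build_sample_apk(
        b"dex\n035\x00..Lcoelib/c/couluslibrary/a;..",
        "android.permission.ACCESS_FINE_LOCATION".encode("utf-16-le"))
    print(scan_apk(sample))
```

The constructed sample mirrors the case in the quoted text: the package is found while the strings from the network traffic are not.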