This blog series focuses on the collection of device data by various popular mobile apps. Data is often collected in the name of advertising, error monitoring, fraud detection, and social media integration.


TL;DR

  • The Nimses API returns high-precision location data for any user who generates content on the app. These location points update with each post, which allows anyone to track a user through the application. This analysis was able to determine PewDiePie's location at the time of posting to Nimses to within ~1 cm (GPS coordinates given to 7 decimal places).

  • The Nimses application captures a similar amount of data to other social media applications. Unlike other social media applications, it shares this data with a large number of third parties, some of which seem to have little to no established reputation (e.g. “steamrail.net” has no online presence yet receives user data from the app).

  • There has been some speculation that the app continues to collect user data after being uninstalled. During this analysis, no evidence was found to support that theory. If anyone finds evidence against this claim, please send an email to contact@theappanalyst.com.

UPDATE 24/06/19

  • A user known as 'March' has provided information that steamrail.net is associated with ironSource LTD (read more here).

  • Nimses has acknowledged that it was possible for users to retrieve this location data and has since fixed the issue in their system. User data is no longer being sent to steamrail.net or any other ironSource-related domain.


App Analysis: Nimses

Nimses is a social network application which provides users with a form of currency for every minute they spend within the application, and every time someone likes their posts. It describes itself as "a worldwide system which records and saves the time of a human being’s life".

Nimses users are told that once they accumulate enough of the Nimses currency, known as Nims, in their virtual wallet they will be able to spend the currency on "food, clothes, or pretty much anything". Nimses is, in essence, attempting to create a type of social-economic ecosystem.

Nimses video explaining their social network application

Recently, Nimses ran a marketing campaign which involved sponsoring the prominent YouTube creator PewDiePie. In his video PewDiePie promotes the app as a new social network the likes of which he has never heard of outside of dystopian science fiction such as Black Mirror. Closing out the promotion portion of his video, PewDiePie asks his viewers to sign up, follow him, and invite their friends to join the Nimses social network.

This sponsorship, however, did not sit well with the creator's community, a large and vocal group that participates in the subreddit /r/pewdiepiesubmissions. Fans of the creator began to question whether the application was a scam, whether it collected too much user data, and suspected that it would continue to collect this data even after being uninstalled.

Memes created by PewDiePie fans and posted to /r/pewdiepiesubmissions

PewDiePie noticed this outcry and came back to assure his fans that the application was not a scam, that the app collects a similar amount of data to other social media applications, and that his fans were spreading "misinformation".

Neither PewDiePie nor his fans were equipped to say definitively whether the app truly was a scam, and the following analysis investigates Nimses to determine whether these claims are founded.

Social scamming?

Nimses delivers on its promise to give you Nims for simply existing on the platform, as well as for having other users engage with your shared posts. As of June 10th 2019, Nimses does not have a large-scale way of trading Nims for a recognized currency.

However, the company could implement a trading system in the future, and it is too early in their development to definitively label them as a "scam".

At present, a user who Googles "How can I withdraw/exchange nims?" is directed to the Nimses support website, which currently provides no answers and is under construction.

Unavailable support center provided no answers on how to use Nims outside the application

Providing user data to third parties

The claim that Nimses handles user data in a similar manner to other social media platforms is not true. Large social platforms like Facebook, Instagram, and even Airbnb (as seen in the previous analysis here) do capture user data; however, that data is generally kept under the control of the platform itself, within its own organization. This is where Nimses differs.

While using the Nimses application your device sends user and device data to the following third parties: steamrail.net, branch.io, approovr.io, appsflyer.com, lokalise.com, appbaqend.com, applovin.com, app-measurement.com, supersonic.com, supersonicads.com, atom-data.io, inmobi.com, and more. The domains supersonic.com, supersonicads.com, and atom-data.io appear to belong to another company, ironSource.

Small sample of the device and user data which is sent to these third parties

The most interesting tracker found during analysis was “steamrail.net”, which appears to have no online presence (if you know what this domain is used for, email contact@theappanalyst.com and I will update accordingly). Having the app send data to a service outside the company's control is one thing; having it send user data to a completely unknown domain is another.

Locating your favorite Youtubers

Third parties aren't the only entities Nimses provides user data to; it also provides it to other users on the platform, in a less obvious way than that sounds. Whenever a user posts content to the Nimses app, the application records the precise latitude and longitude of the user's device.

When another user views these posts they see an approximate distance from their own location to the place where the post was made. That distance is calculated on the viewer's device, and to make the calculation possible the Nimses API hands the viewer the precise latitude and longitude recorded by the poster's device. The rounded "X km away" figure shown in the UI is therefore only a presentation choice; the raw coordinates are present in the API response and can be read by anyone who inspects the traffic.

The only way to prevent sharing this data is to not post any content to the Nimses application, and many of the previously sponsored YouTube creators had not. Unfortunately for PewDiePie, as of June 10th 2019 he had made two posts from what appears to be his home, and so the latitude and longitude of his personal address, accurate to ~1 cm, was made available to every user on the Nimses platform.

PewDiePie's location data provided by the Nimses application

Nimses does implement security features that make automated collection of location data harder, such as certificate pinning and bot detection. These controls only raise the cost of scraping, however: once the precise coordinates have been returned to a client device, Nimses no longer controls the data, and none of these protections can stop a user from reading it.

Nimses can prevent this by returning a coarsened version of the location data, for example coordinates rounded to a grid of a kilometre or so, or just the computed distance, instead of the highly accurate coordinates currently provided to users. A rough distance is all the feature needs.
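To make the precision figures above concrete, and to show what the suggested server-side fix looks like, here is an added example (my own illustration, not Nimses's code or API). It computes how many metres a given number of decimal places of latitude/longitude represents, applies the usual haversine distance a client would use to show "X km away", and builds a hypothetical post view in which the server snaps the poster's coordinates to a coarse grid before anything leaves the server. The post record, viewer location and response field names are constructed for the example and are not real users or real API records.

```python
import math

EARTH_RADIUS_M = 6_371_000.0                         # mean Earth radius; fine for "about N km away"
M_PER_DEG_LAT = 2 * math.pi * EARTH_RADIUS_M / 360   # ~111.19 km per degree of latitude


def degree_precision_m(decimals: int) -> float:
    """Metres spanned by one step in the last decimal place of a coordinate
    written with `decimals` decimal places (latitude; longitude at the equator).
    7 decimal places -> ~1.1 cm, which is why 7-dp coordinates pinpoint a front door."""
    return 10 ** -decimals * M_PER_DEG_LAT


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points; the formula a client
    typically uses to turn two coordinates into an 'X km away' label."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_grid(lat: float, lon: float, decimals: int = 2) -> tuple[float, float]:
    """Deterministically snap a coordinate to the south-west corner of a grid cell
    whose side is 10**-decimals degrees (2 dp -> ~1.1 km cells).
    Snapping must be deterministic: the same true location always maps to the
    same cell, so repeated posts from one place cannot be averaged to recover
    the original. Random per-request jitter would be averaged away over time."""
    scale = 10 ** decimals
    return math.floor(lat * scale) / scale, math.floor(lon * scale) / scale


def cell_diagonal_m(decimals: int, lat: float) -> float:
    """Worst-case distance between a true location and its snapped cell corner,
    i.e. the best an attacker can do with the coarsened coordinates."""
    side_lat = degree_precision_m(decimals)
    side_lon = side_lat * math.cos(math.radians(lat))   # longitude cells shrink with latitude
    return math.hypot(side_lat, side_lon)


def post_view(post: dict, viewer: dict, decimals: int = 2) -> dict:
    """Hypothetical API response for one post: coarse coordinates plus the
    approximate distance computed server-side from the coarse point, so the
    high-precision value stored with the post never reaches the viewer."""
    clat, clon = snap_to_grid(post["lat"], post["lon"], decimals)
    return {
        "post_id": post["post_id"],
        "lat": clat,
        "lon": clon,
        "distance_m": round(haversine_m(viewer["lat"], viewer["lon"], clat, clon)),
    }


# Constructed sample data for the example; not real people or real records.
SAMPLE_POST = {"post_id": "p1", "lat": 40.1234567, "lon": -74.1234567}   # 7 dp, as stored
SAMPLE_VIEWER = {"lat": 40.1000000, "lon": -74.2000000}

if __name__ == "__main__":
    print(f"7 dp resolves to ~{degree_precision_m(7) * 100:.1f} cm; "
          f"2 dp to ~{degree_precision_m(2) / 1000:.1f} km")
    print("stored record:", SAMPLE_POST)
    view = post_view(SAMPLE_POST, SAMPLE_VIEWER)
    print("API view     :", view)
    print(f"true point is at most {cell_diagonal_m(2, SAMPLE_POST['lat']):.0f} m "
          f"from the returned cell corner")
```

The choice of `math.floor` rather than `round` is deliberate: a floor-based grid is stable across the cell, whereas rounding behaves identically but is easier to get wrong at boundaries in other languages. The important property is that the coarsening is a pure function of the true location, so two posts from the same address always yield the same coarse point and no amount of re-querying narrows it further. If the product only needs "nearby" ordering, returning just `distance_m` and omitting the coordinates entirely is stronger still.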

Surviving the uninstall?

Once this analysis was complete, the Nimses application was uninstalled from the device and remnants of it were searched for. None of the Nimses domains were being contacted, as many Redditors suspected they would be, and no lasting effects were discovered. The claim that the application survives being uninstalled was "misinformation".

Conclusions

Before concluding this analysis it should be said that PewDiePie is not at fault here: he is an entertainer, not a mobile app security specialist, and should not be expected to do this type of in-depth research for every sponsorship. That said, Kaspersky Labs did put out a report in September 2018 describing how Nimses may be unsafe, which can be found here.

Whether Nimses proves to be successful in establishing a social-economic ecosystem has yet to be seen and until that time we cannot determine whether it is the "scam" many might accuse it of being.

Nimses captures a fair amount of device and user data, which is in line with the norm for many other social media applications such as Facebook and Instagram. However, unlike most of these applications, Nimses shares this data with a large number of third parties (a similar issue can be seen with Better Help). Some of these third parties have no established reputation or online presence, making their use of the data questionable.

This leakage of user data extends not only to third parties but also to other users, as Nimses can be used to gather high-precision location data on any user who posts content to the application. PewDiePie's personal location could be found to within ~1 cm because the Nimses API returns the exact latitude and longitude of where he was when he posted to the platform.

Finally, there was no evidence that the application survives the uninstall process. However, if users are seeing something that would lead them to believe otherwise, I would appreciate an email to contact@theappanalyst.com.