Wednesday, March 3, 2021

Jio’s MyJio app sends fullscreen ads to homescreen, violating Google Play policy

Unless you’ve been living under a rock in India, you’ve probably heard of Reliance Jio — the carrier that practically transformed the country’s 4G landscape overnight and now has its eyes set on 5G. Jio has found a concrete space for itself as India’s leading telecom service provider, amassing over 400 million subscribers by the end of 2020. Based on the smartphone landscape in the country, it would be safe to assume that a good many of these users access Jio’s services on an Android smartphone. If you’re one such user, you may have had to contend with fullscreen banner ads on your homescreen in the recent past. As it turns out, they’re delivered straight by the companion MyJio app, in direct violation of Google Play’s policies.

On Android smartphones, you can just insert a Jio SIM card and begin using the telecom’s services right away. But if you use other services from Jio such as the JioFiber connection, or perhaps you want to check how much of the daily data allowance you have consumed so far, or you want to top up your data pack, then you do need to install the MyJio companion app on your phone. The MyJio app serves as a “one-stop destination for recharges, UPI and payments, managing Jio devices, Movies, Music, News, Games, Quizzes” and more. Needless to say, if you have dipped your toe into the Jio ecosystem (and I’d be surprised if you haven’t so far while residing in India), you have this app installed on your device.

Unfortunately, the MyJio app has a rather annoying habit of sending fullscreen ad banners straight to the user’s homescreen.

Reliance Jio's MyJio app displaying popup ad banner and hijacking the homescreen

This ad banner was initiated by the MyJio app on my Samsung Galaxy S21 Ultra, and that was the only Jio app on the phone at the time. The app had not been in the foreground for a few days at that point, but this banner notification hijacked the homescreen regardless. Looking around, I found that this has been happening for a fair few months now, with many users complaining about the homescreen hijacking. Clicking on the banner leads you to a pre-generated WhatsApp message to text the number mentioned.

It’s difficult to trigger the popup banner consciously on our end. We’ve examined the app, and there are hints that the banner is triggered upon toggling flight mode and when unplugging the device from charge. But those common actions do not trigger the banner every time, and it appears rather infrequently. We presume that there are more triggers set up on the Firebase notification receiver as well, whose conditions may not have been met during our testing.

Prima facie, this hijacking behavior is caused by a fullscreen activity that the app is launching from the background. This directly contravenes Google Play’s policies on Ads:

Interfering with Apps, Third-party Ads, or Device Functionality

Ads associated with your app must not interfere with other apps, ads, or the operation of the device, including system or device buttons and ports. This includes overlays, companion functionality, and widgetized ad units. Ads must only be displayed within the app serving them.

The example that Google talks about is pretty much the same behavior that the MyJio app demonstrates. We can conclude that the MyJio app directly contravenes Google Play policies by pushing out ads that are displayed outside of its app by hijacking the homescreen.

Curiously, the app is able to push this hijacking ad without having been granted permission to “Display Over Apps”/“Appear on Top”. The MyJio app does not even request this permission, so I was very curious about how the app could push an ad over the homescreen.

With Zachary’s help, I dug in deeper. We found out that the app integrates the MADME SDK, and there are activities titled “OverlayAdActivity”, which leaves little room for doubt on its intention.

Visiting Madme’s website corroborates our finding, as they proudly display solutions to telecoms that bring out these popup ad banners with hijacking intent.

Madme SDK for hijacking overlays

The MyJio app integrates a whole host of Activities, Services, and Receivers from Madme, and there are way too many of them.

How do I stop these hijacking popups on my homescreen from Jio’s MyJio app?

There are a few ways you can get rid of these hijacking popups. The first and most obvious solution is to simply uninstall the MyJio app. A lot of users use the app very infrequently, and you can reinstall it when you do need it. In the intervening cycles, you can at least not be annoyed out of your homescreen.

The second solution, widely suggested by the Internet, is to disable all permissions for the app. Much like the first solution, this is a very wide solution that will cause certain functions of the app to not work properly.

The third solution takes a more precise approach, but it also requires root. You can use an app like Root Activity Launcher to disable all Activities, Services, and Receivers related to the Madme SDK in the Jio app.

And here are all the related Activities, Services, and Receivers. Note that you may not need to disable all of them, and I am just listing all the ones that I could spot. It is difficult to force-trigger the fullscreen popup on our end, so we’d still have to go with a blanket approach here.

  • Activities:
    • com.madme.mobile.sdk.activity.AdActivity
    • com.madme.mobile.sdk.activity.AdListActivity
    • com.madme.mobile.sdk.activity.BrowserActivity
    • com.madme.mobile.sdk.activity.MadmeCmClickActivity
    • com.madme.mobile.sdk.activity.MadmePermissionActivity
    • com.madme.mobile.sdk.activity.MyOffersHistoryActivity
    • com.madme.mobile.sdk.activity.OverlayAdActivity
    • com.madme.mobile.sdk.activity.OverlaySurveyActivity
    • com.madme.mobile.sdk.activity.ChangeProfileActivity
    • com.madme.mobile.sdk.activity.SavedAdActivity
    • com.madme.mobile.sdk.activity.SurveyActivity
    • com.madme.mobile.sdk.activity.ThankYouActivity
    • com.madme.mobile.sdk.activity.WebViewActivity
    • com.madme.mobile.sdk.activity.LegalInformationActivityResources
    • com.madme.mobile.sdk.activity.TermsActivity
    • com.madme.mobile.sdk.activity.BenefitsActivity
  • Services:
    • com.madme.mobile.sdk.service.ad.ShowAdService
    • com.madme.mobile.sdk.service.AdAlarmHelperService
    • com.madme.mobile.sdk.service.AdReminderHelperService
    • com.madme.mobile.sdk.service.AdTriggerEventsService
    • com.madme.mobile.sdk.service.CampaignHelperService
    • com.madme.mobile.sdk.service.CdnCampaignJobService
    • com.madme.mobile.sdk.service.CdnCampaignService
    • com.madme.mobile.sdk.service.cloudmessaging.CloudMessagingRegistrationService
    • com.madme.mobile.sdk.service.DbUpdateService
    • com.madme.mobile.sdk.service.DownloadService
    • com.madme.mobile.sdk.service.location.GeofenceService
    • com.madme.mobile.sdk.service.LoginService
    • com.madme.mobile.sdk.service.LSFService
    • com.madme.mobile.sdk.service.LSJobService
    • com.madme.mobile.sdk.service.LSJobService2
    • com.madme.mobile.sdk.service.LSService
    • com.madme.mobile.sdk.service.MFAService
    • com.madme.mobile.sdk.service.SBSTService
    • com.madme.mobile.sdk.service.SurveySubmissionJobService
    • com.madme.mobile.sdk.service.SurveySubmissionService
    • com.madme.mobile.sdk.service.TrackingService
    • com.madme.mobile.sdk.service.TrackingSubmissionJobService
    • com.madme.mobile.sdk.service.TrackingSubmissionService
  • Receivers:
    • com.madme.mobile.sdk.broadcast.AdAlarmReceiver
    • com.madme.mobile.sdk.broadcast.AdReminderReceiver
    • com.madme.mobile.sdk.broadcast.adtriggers.AirplaneModeChangedAdTrigger
    • com.madme.mobile.sdk.broadcast.adtriggers.PowerConnectionAdTrigger
    • com.madme.mobile.sdk.broadcast.adtriggers.RoamingAdTrigger
    • com.madme.mobile.sdk.broadcast.adtriggers.WiFiAdTrigger
    • com.madme.mobile.sdk.broadcast.adtriggers.WiFiAvailableTrigger
    • com.madme.mobile.sdk.broadcast.BootReceiver
    • com.madme.mobile.sdk.broadcast.DailyTaskReceiver
    • com.madme.mobile.sdk.broadcast.EOCTrigger
    • com.madme.mobile.sdk.broadcast.GeofenceReceiver
    • com.madme.mobile.sdk.broadcast.IdSnsReceiver
    • com.madme.mobile.sdk.broadcast.MadmeSmsTrigger
    • com.madme.mobile.sdk.broadcast.NotificationActionTrigger
    • com.madme.mobile.sdk.broadcast.PackageRemovalReceiver
    • com.madme.mobile.sdk.broadcast.UnlockReceiver

Disabling all of these would effectively render the Madme SDK useless, and should prevent the banner from hijacking your homescreen again.
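
Rather than working through the list by hand, the same set can be derived from the app's manifest. The script below is an added example, not code from the original article or from Jio or Madme: it assumes the APK's AndroidManifest.xml has already been decoded to text (for instance with apktool), selects every Activity, Service, and Receiver under the `com.madme.mobile.sdk.` prefix, and builds one `pm disable` line per component for a root shell. The embedded manifest, its package name `com.example.carrierapp`, and its intent filter are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
SDK_PREFIX = "com.madme.mobile.sdk."  # prefix shared by every component listed above

# Constructed sample: a cut-down manifest in the shape a decoder such as apktool emits.
# The package name and intent filter are placeholders, not MyJio's real values.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carrierapp">
  <application>
    <activity android:name="com.example.carrierapp.MainActivity"/>
    <activity android:name="com.madme.mobile.sdk.activity.OverlayAdActivity"/>
    <service android:name="com.madme.mobile.sdk.service.ad.ShowAdService"/>
    <receiver android:name="com.madme.mobile.sdk.broadcast.adtriggers.AirplaneModeChangedAdTrigger">
      <intent-filter>
        <action android:name="android.intent.action.AIRPLANE_MODE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".push.AppPushReceiver"/>
  </application>
</manifest>
"""

def sdk_components(manifest_xml, prefix=SDK_PREFIX):
    """Return (package, [(kind, class_name, [actions])]) for components under prefix."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for kind in ("activity", "service", "receiver"):
        for node in root.iterfind(f"application/{kind}"):
            name = node.get(NAME, "")
            if name.startswith("."):  # manifest shorthand for package-relative names
                name = package + name
            if name.startswith(prefix):
                actions = [a.get(NAME) for a in node.iterfind("intent-filter/action")]
                found.append((kind, name, actions))
    return package, found

def disable_commands(manifest_xml, prefix=SDK_PREFIX):
    """Build one `pm disable` line per matching component, for a root shell."""
    package, found = sdk_components(manifest_xml, prefix)
    return [f"pm disable '{package}/{name}'" for _, name, _ in found]

if __name__ == "__main__":
    for kind, name, actions in sdk_components(SAMPLE_MANIFEST)[1]:
        print(f"{kind:9} {name} {actions or ''}")
    print("\n".join(disable_commands(SAMPLE_MANIFEST)))
```

The per-receiver action list shows which system broadcasts can wake each trigger, which helps decide what to disable first when a blanket approach is not wanted.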

Apps on the Google Play Store have been removed for far more innocent behavior, and it does surprise me that the Madme SDK and Jio’s homescreen ad behavior have not been spotted, highlighted, and addressed before. Madme is certainly not even hiding what it does, and they proudly highlight such behavior as a selling point, leaving us to scratch our collective heads on which loophole they have figured out to get such confidence and presumed immunity. And if their website is to be believed, other telecom providers in India also make use of their services, though we have not encountered any homescreen hijacking ad banner from them just yet.

We hope Google takes cognizance of the homescreen hijacking behavior of these popups and provides clarifications on their existence alongside Google Play policies.

The post Jio’s MyJio app sends fullscreen ads to homescreen, violating Google Play policy appeared first on xda-developers.



from xda-developers https://ift.tt/3bVaED7