
Parcels – Track Your Packages app apparently creates botnet, violates user privacy

And now there’s a parcel tracking app that works to track everything else around it.

The app, entitled “Parcels – Track Your Packages”, currently holds a 4.7-star rating in the App Store and is distributed by Russian developer Pavel Tisunov. It’s free with an optional subscription of $3.49/year or $0.99/month. The same app is also available in the Google Play store.

Upon launch, the app immediately begins sending requests to its server, asking for packages to track, even before the user has entered a package to track. The server then sends the app information about packages belonging to other users for it to track. This information includes the tracking number and details about which courier to send the request to, with technical details such as the URL for the courier’s API or website, request headers, etc.


The app then performs the tracking by sending a request to the courier’s API or website as specified in the instruction it received from the server, and forwards the results to the app’s server so they can be displayed to the user who actually registered that package for tracking.

Where this becomes controversial is that, instead of running the package-tracking process server-side, the app is leveraging the bandwidth, energy and processing power of its users’ devices to access courier websites, fetch changes to delivery status and send them to other users. This type of behavior could be designated as a botnet, since every device with this app installed basically becomes a bot, tracking packages for other users of the app, even if the user of that device hasn’t registered any packages to be tracked.
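One way to confirm this behavior on a single device is to route the app through an intercepting proxy and compare the tracking jobs the server pushes against the packages the user actually registered. The script below is an added example, not the app’s own code; the job message layout (S2C/C2S direction tags, a "jobs" list with "tracking", "url" and "headers" fields) and the capture itself are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample of proxied app<->server traffic (not real captured data).
# Each line: timestamp, direction (S2C = server to app, C2S = app to server), JSON body.
CAPTURE = """\
2018-10-15T09:00:01Z S2C {"jobs":[{"tracking":"1Z999AA10123456784","url":"https://carrier-a.example/track","headers":{"Accept":"application/json"}},{"tracking":"RR123456789CN","url":"https://carrier-b.example/tracking?nr=RR123456789CN","headers":{}}]}
2018-10-15T09:00:04Z C2S {"result":{"tracking":"1Z999AA10123456784","status":"In transit"}}
2018-10-15T09:12:30Z S2C {"jobs":[{"tracking":"RR123456789CN","url":"https://carrier-b.example/tracking?nr=RR123456789CN","headers":{}}]}
2018-10-15T10:05:00Z S2C {"jobs":[{"tracking":"JD014600003123456789","url":"https://carrier-c.example/api/v1/shipments","headers":{"X-Api-Key":"REDACTED"}}]}
"""

REGISTERED = {"1Z999AA10123456784"}  # constructed: the only package this user added


def parse_jobs(capture: str):
    """Yield (timestamp, job) for every tracking instruction the server pushed to the app."""
    for line in capture.splitlines():
        if not line.strip():
            continue
        ts, direction, body = line.split(" ", 2)
        if direction != "S2C":  # only server-issued instructions matter here
            continue
        for job in json.loads(body).get("jobs", []):
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), job


def audit(capture: str, registered: set) -> dict:
    """Summarise jobs for packages the user never registered: count, hosts hit, peak rate."""
    unregistered = []
    hosts = Counter()
    per_hour = Counter()
    for ts, job in parse_jobs(capture):
        if job["tracking"] in registered:
            continue
        unregistered.append(job["tracking"])
        hosts[urlparse(job["url"]).hostname] += 1
        per_hour[ts.replace(minute=0, second=0)] += 1
    return {
        "unregistered_jobs": len(unregistered),
        "distinct_unregistered": len(set(unregistered)),
        "hosts": dict(hosts),
        "peak_per_hour": max(per_hour.values(), default=0),
    }
```

Run against a real proxy log, a non-zero "unregistered_jobs" count is the evidence that the device is doing lookups on other users’ behalf, and "hosts" shows which courier sites it was told to contact.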

The developer could have a variety of reasons to use this tactic, but the result is that the app’s server effectively acts as the command server for a botnet.

What might be happening is that the app’s developer is working to avoid the rate limiting that API vendors can apply. Rate limiting generally caps the number of API calls that can be made to the courier’s service in a certain period of time, based on either the API key used to make the call or the IP address of the client making it. Given that this app distributes its API calls across devices all over the world, it’s impossible to rate-limit them based on IP address.

In addition to this, a number of the couriers the app supports and contacts don’t offer a proper API, so the app resorts to website scraping, a technique that downloads the normal web page users would access to track their packages, then reads and interprets the results so the tracking data can later be shown in the app.

Website scraping is prohibited by many websites, which can block requests from an IP address they believe is performing constant scraping. Again, server IP addresses don’t change frequently, but given the app is using its users’ devices to perform the scraping, it’s impossible for the websites to block based on IP address.

Should the app become immensely popular, it could function as a tool for performing DDoS attacks against websites by instructing its botnet to hit a target URL. It could also be used to generate false “clicks” on advertisements.

At present, the app’s functionalities violate Apple’s App Review Guidelines section 2.4.2 which states that apps “may not run unrelated background processes”. The app achieves its functionality via the use of a botnet, which seems suspect at best.

Finally, in tests, after an hour, the app apparently performed 52 tracking requests for packages that were not meant to be tracked.

Stay tuned for additional details as they become available.

Via 9to5Mac and Reddit