
exodus's Introduction

εxodus


εxodus is a privacy auditing platform for Android applications. It detects behaviors which can be dangerous for user privacy like ads, tracking, analytics, …

The official instance of εxodus is available here.

Contribute to the identification of trackers

All data about trackers are stored on ETIP (εxodus tracker investigation platform).

If you wish to help us identify new trackers, you can request an ETIP account by sending a username and an email address to [email protected]

Getting Started

Installing your local instance

You have different ways of setting up your development environment (via Docker or manually), everything is explained here.

Continuous Integration

If you are looking for adding εxodus into your CI pipelines, take a look at εxodus-standalone.

FAQ

Check the FAQ if you encounter any problem or need an extended documentation about εxodus.

Contributing

If you want to contribute to this project, you can refer to this documentation.

API documentation

You can find the εxodus API documentation here.

License

This project is licensed under the GNU AGPL v3 License - see the LICENSE file for details.

exodus's People

Contributors

aeris, alanpoulain, ammelanie, codeurimpulsif, dabrowskifr, dependabot[bot], elaynelemos, gu1nness, jean-baptistec, jfoucry, jvoisin, lgtm-com[bot], lupusmichaelis, matlink, may55, nautik1, nils-van-zuijlen, niveshkrishna, pnu-s, porkepix, prashant-surya, privacyavenger, rotzbua, sanpii, svenstucki, u039b


exodus's Issues

Identify new trackers

In https://reports.exodus-privacy.eu.org/reports/37/:

  • com/applovin/adview/AppLovinInterstitialAdDialog
  • com/avocarrot/sdk/nativeassets/model/NativeAdData
  • com/appnext/ads/
  • com/inlocomedia/android/ads/AdType
  • com/moat/analytics/mobile/aol/NativeVideoTracker
  • com/mopub/common/GpsHelper
  • com/nativex/monetization/mraid/objects/CurrentPosition
  • com/unity3d/ads/android/UnityAds
  • com/vungle/publisher/AdConfig
  • com/youappi/ai/sdk/YouAPPi

Why the fuck does this application require org/apache/commons/math3/optimization?

Local installation unable to find trackers

I've run a test with an app that on the exodus report is full of trackers (okcupid): https://reports.exodus-privacy.eu.org/reports/49/ on my own installation of exodus. The version in the official report is 8.11.1 while the one I just tested is 8.12.0. In the official report there are 7 trackers in the app, while my installation cannot detect any. Even if the app version is not the same, I doubt they have removed all trackers at once. My feeling is that my installation is not able to detect trackers. It detected permissions correctly, though. This is the worker's log for the app:

[2017-12-03 14:01:39,152: INFO/MainProcess] Received task: exodus.core.apk.download_apk[94676d20-a2dc-43b1-9fdd-8341bcc92c15]
[2017-12-03 14:01:39,159: WARNING/Worker-1] gplaycli -v -a -t -y -pd com.okcupid.okcupid -f /tmp/tmpyttoksnl/
[2017-12-03 14:02:02,680: WARNING/Worker-1] b'[INFO] GPlayCli version 3.10 [Python3.5.2] \n[INFO] Configuration file is /home/iacopo/.config/gplaycli/gplaycli.conf\n[INFO] Retrieving token ...\n[INFO] Token: ewWKUBTs2tsU4jGcNwuOsVsHircbJ2XDYo2r3KYqZch_kvYss64-0oUEKDYJeMEoSed3-w.\n[INFO] GSFId: 3caf098d02b0f637\n[INFO] Using token to connect to API\n[INFO] 1 / 1 com.okcupid.okcupid\nDownload complete\n'
[2017-12-03 14:02:02,785: WARNING/Worker-1] Connection pool is full, discarding connection: 127.0.0.1
[2017-12-03 14:02:02,838: WARNING/Worker-1] Connection pool is full, discarding connection: 127.0.0.1
[2017-12-03 14:02:02,858: INFO/MainProcess] Task exodus.core.apk.download_apk[94676d20-a2dc-43b1-9fdd-8341bcc92c15] succeeded in 23.699483317999693s: True
[2017-12-03 14:02:02,868: INFO/MainProcess] Received task: exodus.core.apk.decode[31382cdc-2cb7-45a7-a6af-79702ee40e5a]
[2017-12-03 14:02:02,870: INFO/MainProcess] Received task: exodus.core.apk.sha256sum[515f63fc-a5b7-41f8-89ae-1cd7c00e5620]
[2017-12-03 14:02:02,953: INFO/MainProcess] Task exodus.core.apk.sha256sum[515f63fc-a5b7-41f8-89ae-1cd7c00e5620] succeeded in 0.0825788209995153s: b'b6b60d4d8a1becef01419485aedfe5a1942ed1dd25ceb8c4f9096e0603dab4b3'
[2017-12-03 14:02:05,833: INFO/MainProcess] Task exodus.core.apk.decode[31382cdc-2cb7-45a7-a6af-79702ee40e5a] succeeded in 2.9569544399992083s: True
[2017-12-03 14:02:05,867: INFO/MainProcess] Received task: exodus.core.apk.get_version[d8e170ef-7a05-4776-82c6-9d450ec74a75]
[2017-12-03 14:02:05,871: INFO/MainProcess] Received task: exodus.core.apk.get_handle[1102e7e8-7802-4350-97d8-baab3b117df5]
[2017-12-03 14:02:05,873: INFO/MainProcess] Received task: exodus.core.apk.get_permissions[e20bd8b3-3908-4923-8eb6-f24c5c872a5c]
[2017-12-03 14:02:05,877: INFO/MainProcess] Received task: exodus.core.apk.find_trackers[1121445f-5e20-4bb9-a914-d8b548946547]
[2017-12-03 14:02:05,878: INFO/MainProcess] Received task: exodus.core.apk.find_and_save_app_icon[b94d4175-fdda-4474-8507-5495b27f7d35]
[2017-12-03 14:02:05,879: INFO/MainProcess] Received task: exodus.core.apk.get_app_infos[3b393d40-f1ca-49b6-92c4-0e5404c0f4bb]
[2017-12-03 14:02:05,880: INFO/MainProcess] Received task: exodus.core.apk.get_version_code[e4f8b676-403f-4979-ac7a-cb8dfd305410]
[2017-12-03 14:02:05,890: INFO/MainProcess] Task exodus.core.apk.get_handle[1102e7e8-7802-4350-97d8-baab3b117df5] succeeded in 0.0178719479999927s: 'com.okcupid.okcupid'
[2017-12-03 14:02:05,896: INFO/MainProcess] Task exodus.core.apk.get_permissions[e20bd8b3-3908-4923-8eb6-f24c5c872a5c] succeeded in 0.022390117999748327s: ['android.permission.INTERNET', 'android.permission.VIBRATE', 'android.permission.ACCESS_NETWORK_STATE',...
[2017-12-03 14:02:05,911: INFO/MainProcess] Task exodus.core.apk.find_trackers[1121445f-5e20-4bb9-a914-d8b548946547] succeeded in 0.029933583999991242s: []
[2017-12-03 14:02:05,912: INFO/MainProcess] Task exodus.core.apk.get_version[d8e170ef-7a05-4776-82c6-9d450ec74a75] succeeded in 0.04378886699942086s: '8.12.0'
[2017-12-03 14:02:05,936: INFO/MainProcess] Task exodus.core.apk.get_version_code[e4f8b676-403f-4979-ac7a-cb8dfd305410] succeeded in 0.02285011599997233s: '1074'
[2017-12-03 14:02:08,226: WARNING/Worker-3] Downloading https://lh3.googleusercontent.com/8EViHuRt1bABogN1TLPTLodjodJvRDF7QfSpoMkxgdIYe49068lfRgdNh9qWT8Ku7Ls=w300
[2017-12-03 14:02:08,266: INFO/MainProcess] Task exodus.core.apk.find_and_save_app_icon[b94d4175-fdda-4474-8507-5495b27f7d35] succeeded in 2.3543601819992546s: 'nlpxkohdbgmsoxzfgvjhdrwcrxvenrgytrwoxakubtgfwvqdhozxpyviivrl_com.okcupid.okcupid.png'
[2017-12-03 14:02:11,109: INFO/MainProcess] Task exodus.core.apk.get_app_infos[3b393d40-f1ca-49b6-92c4-0e5404c0f4bb] succeeded in 5.212145216999488s: {'size': '11.59MB', 'downloads': '10,000,000+ downloads', 'version': '1074', 'handle': 'com.okcupid.okcupid', 'creator':...
[2017-12-03 14:02:11,203: INFO/MainProcess] Received task: exodus.core.apk.clear_analysis_files[e5830826-d2e6-4d33-bb9b-6ba8f622239e]
[2017-12-03 14:02:11,204: WARNING/Worker-2] Removing /tmp/tmpyttoksnl
[2017-12-03 14:02:11,262: INFO/MainProcess] Task exodus.core.apk.clear_analysis_files[e5830826-d2e6-4d33-bb9b-6ba8f622239e] succeeded in 0.058638122999582265s: None

Add tracker .aar or .jar infos

Since LibScout requires the tracker SDK (.aar or .jar) to work, we have to add the following information for each tracker we know:

  • Category
  • Maven/Gradle repository
  • GroupId
  • ArtifactId
  • .aar or .jar direct download link

For example, the maven configuration for Facebook Audience is:

{
  "name": "Facebook Audience",
  "category": "Advertising",
  "comment": "",
  "groupid": "com.facebook.android",
  "artefactid": "audience-network-sdk"
}

libxml2-dev and libxslt1-dev are required.

In order to complete the build process, the two libraries libxml2-dev and libxslt1-dev are required for the package lxml (https://github.com/Exodus-Privacy/exodus/blob/v1/requirements.txt#L46).

Otherwise, the following error is raised:

  Running setup.py bdist_wheel for lxml ... error
  Complete output from command /home/remi/src/exodus/venv/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-8dyo5w5p/lxml/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /tmp/tmpp96zb30tpip-wheel- --python-tag cp35:
  Building lxml version 4.1.1.
  Building without Cython.
  ERROR: b'/bin/sh: 1: xslt-config: not found\n'
  ** make sure the development packages of libxml2 and libxslt are installed **

This commit adds both libraries to the packages to be installed in the README.

Unable to load trackers after fresh installation

Hello,

I followed the readme step by step, that works fine (thank you for this great doc).

But when I try to load trackers, I got an error:

CommandError: No fixture named 'trackers' found.

I launch an analysis, and afterwards the command works.

Cannot access admin page to login

Hi, I've installed exodus following the instructions in the readme file (except I have postgres 9.5 rather than 9.6) and everything went ok: minio is running and the web interface of exodus as well. However, if I try to access the admin page to login, I'm not taken there. The URL on the address bar is that of the admin page, but the page content is the same as the home page. Django reports this when I try to open the admin page:
[30/Nov/2017 13:18:27] "GET /admin HTTP/1.1" 200 3133
so it looks like there are no errors.

Emphasize permissions usage

Hi,

Thanks for this wonderful analysis tool!

I found an app (Oral-B app) which was requiring location permission, as was found by Exodus and confirmed by running the app.

This was really strange and quite concerning given the nature of the app (no use for location data). However, it pairs with a BLE device and https://stackoverflow.com/questions/41716452/why-location-permission-are-required-for-ble-scan-in-android-marshmallow-onwards seems to indicate this permission is perfectly legit then.

It would be awesome, I think, to have some insight into what the typical use of a given permission is. Typically, when BLE permission is required, there could be a warning next to the location permission to indicate this might just be a side effect?

Additionally, it would be really cool to have a simple mark for every app (A to F, with colors) based on an estimated "safety" and confidence from the analysis.

Thanks!

Sorting APPs and Trackers

When landing on the reports zone, the UX could be improved.

I'm suggesting to keep the split between trackers and reports on top nav, but without the dropdown.

I would love to be able to sort APPs by:

  • date (default: latest to oldest)
  • number of trackers identified
  • usual alphanumerical

A sortable table with a fixed header using jquery would do the job I suppose.

[android app] identify if a given tracker is on my phone

On the alpha android app it would be great to be able to select a tracker from a list (alternatively from the report of a specific app) and then be able to see all apps on my phone that contain the culprit.

This would allow removing all occurrences of a given tracker.

Allow upload of apks

This is an enhancement request, rather than a bug. It would be nice to allow the exodus test to run on an apk uploaded locally, rather than fetched from Google Play. This has nothing to do with illegal stuff, but not all apps are on Google Play and it would be nice to be able to test those as well.

Cannot display output of HTTP/DNS analysis

Hi there,

I appear to have successfully uploaded a PCAP file via the connecter.py script as template, as mentioned in #45. This is the output of the Exodus worker process:

[2018-02-13 08:47:58,572: INFO/MainProcess] Received task: exodus.core.dns.analyze_dns[57b99e38-60dc-48af-aa63-36951be1e867]
[2018-02-13 08:47:58,579: INFO/MainProcess] Received task: exodus.core.http.analyze_http[a8ce9b8b-8757-4c5c-bb7e-0651aa6dccf4]
[2018-02-13 08:48:08,053: INFO/MainProcess] Task exodus.core.dns.analyze_dns[57b99e38-60dc-48af-aa63-36951be1e867] succeeded in 9.479795052000554s
[2018-02-13 08:48:08,243: INFO/MainProcess] Task exodus.core.http.analyze_http[a8ce9b8b-8757-4c5c-bb7e-0651aa6dccf4] succeeded in 9.663444575999165s

Where can I now access the results of the analysis? I can't see any new information inside the reports, even though, after glancing at the source code, I think it should be there. Browsing the apps on reports.exodus-privacy.eu.org I haven't seen examples either. Is this feature fully developed? Perhaps there is some SQL you can provide to verify the analysis was indeed a success?

Best,

Emile

gplaycli.conf is not created by the installation process

When trying to analyse an application after installing exodus, the "Unable to analyze the APK file" error is always returned. Looking at the error log of the worker, the issue is that there is no gplaycli.conf file in ~/.config/gplaycli (actually, the whole gplaycli folder doesn't exist). This means that the config file is not created either during installation or at runtime. I have no idea what the config file should contain, but if it's supposed to be created automatically this is a bug. Alternatively, it would be good to have some text in the readme that shows what should be written in there manually.

Androguard failed to decode APK

Androguard was not able to decode https://reports.exodus-privacy.eu.org/reports/34/

We have to detect failure and use dexdump instead.

Start updating report "34" - 1/1
Traceback (most recent call last):
  File "manage.py", line 22, in <module>
    execute_from_command_line(sys.argv)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/django/core/management/__init__.py", line 356, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/django/core/management/base.py", line 283, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/django/core/management/base.py", line 330, in execute
    output = self.handle(*args, **options)
  File "/home/exodus/exodus/exodus/reports/management/commands/refreshstaticanalysis.py", line 76, in handle
    static_analysis.save_embedded_classes_in_file(fp.name)
  File "/home/exodus/exodus/exodus/exodus/core/static_analysis.py", line 103, in save_embedded_classes_in_file
    f.write('\n'.join(self.get_embedded_classes()))
  File "/home/exodus/exodus/exodus/exodus/core/static_analysis.py", line 94, in get_embedded_classes
    self.decode_apk()
  File "/home/exodus/exodus/exodus/exodus/core/static_analysis.py", line 51, in decode_apk
    self.decoded = DalvikVMFormat(self.apk)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7567, in __init__
    self._load(buff)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7578, in _load
    self.map_list = MapList(self.CM, self.__header.map_off, self)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7448, in __init__
    mi.parse()
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7045, in parse
    for i in range(0, self.size)]
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7045, in <listcomp>
    for i in range(0, self.size)]
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 1767, in __init__
    self.value = EncodedArray(buff, cm)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 1425, in __init__
    self.values.append(EncodedValue(buff, cm))
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 1492, in __init__
    self.value = cm.get_raw_string(id)
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 7260, in get_raw_string
    return self.__strings_off[off].get()
  File "/home/exodus/exodus/venv/lib/python3.5/site-packages/androguard/core/bytecodes/dvm.py", line 1865, in get
    return s.encode("UTF-16", "surrogatepass").decode("UTF-16")
UnicodeDecodeError: 'utf-16-le' codec can't decode bytes in position 38-39: illegal UTF-16 surrogate

[edited]

Start updating report "37" - 1/1
Reached a NAMESPACE_END without having the namespace stored before? Prefix ID: 37, URI ID: 188

Same UTF-16 issue with

Start updating report "65" - 1/1 
Start updating report "112" - 1/1
Start updating report "110" - 1/1
Start updating report "114" - 1/1
Styles Offset given, but styleCount is zero.

androguard_errors.txt

Apps list: display app's full name

The full name of an app should be displayed instead of a truncated name.
Example with Groupon:

exodus-groupon

I guess the title is truncated to respect the grid, so ideally the full name would be in the HTML and be truncated only by CSS; that would allow searching the full name. Then a title attribute (or any popover would be fine) would display the full title when the cursor is on the app.

List of changed reports

When we add new trackers in the database exodus will rerun all the reports.
It would be very interesting to have a list of the changed reports.

requested changes to URI scheme

let me know if this issue belongs in exodus-core.

via @eighthave -

So I'm making a bot to automatically scan submissions to F-Droid. This API is useful, but there is one small thing missing: an easy way to link to the webpage for an app, like:

https://reports.exodus-privacy.eu.org/reports/fr.meteo

or even using a SHA256 of the APK:
https://reports.exodus-privacy.eu.org/reports/8b4b20b3d10020b77dcd6239bab16d8d7edaf6f8d67b410bf9500acee8818df4

For now, could "/reports/search/fr.meteo" be used?

In my opinion, the hash would be much better for collaboration with other projects, but we need to think about aliases that are easier to remember than a hash as well. I would propose using the Google Play app handle and version code, since Google does not allow you to change these two things (change the handle, and GP treats it as a new app; there can't be two identical version codes for the same app in GP). Example:

"/reports/fr.meteo/5080303"

For the 1500-2000 apps we have scanned already, we'd need to retain backwards compatibility for the reports.exodus-privacy.eu.org instance (even if this is done outside of the application via something like .htaccess redirects). There are a lot of articles and blog posts all over the Web that link to specific reports, and I'd hate to see all those links break.

Offer an application search engine

For the moment, there is no way to look for an application report.

We have to offer a small search engine allowing the user to look for an application by its display name or handle.

Apps list: allow to filter apps

Following #1, it would be great if we could filter the apps in https://reports.exodus-privacy.eu.org/reports/apps/.

I'd like to be able to:

  • display only the apps that have at least 1 tracker, or the contrary, 0 trackers (to see which apps seem better)
  • define a list of trackers and display only the apps that use at least one of the trackers defined in my list
  • define a list of permissions and display only the apps that ask at least one of the permissions defined in my list
  • filter by name. If I type "Adobe" I should see only the apps containing "Adobe" (or "adobe", case insensitive) in their name

Could you track FOSS copyright infringement as well?

It would mean reporting packages/libraries using "fingerprints", and maybe a manual way to warn about a missing copyright notice.

Just because of an app flooded with ads that don't respect the Apache license and probably don't support its dependencies ...

Add apk reupload request

Since we have read your report about the trackers we are embedding in our app, we have tried to clean our library imports from our gradle build script.

Is there a way to request you to test our new apk? (I mean, not a manual request but an automated one).

Apps list: display the number of trackers and permissions for each app

In the apps list (https://reports.exodus-privacy.eu.org/reports/apps/) it would be great if for each app I could see how many trackers are embedded and how many permissions are asked, without clicking on the app's link, for the latest report (I guess there might be 1 report/version?).

This could be displayed a bit like bootstrap's badges, with counters https://getbootstrap.com/docs/4.0/components/badge/#example. There would be two badges per app: one for the number of trackers, one for the number of permissions asked.

It would be even better if a badge with a value of 0 were displayed as green (it seems pretty fair to say that if no trackers are found, that's a good thing. One would have to also check the number of permissions of course).

Offer Pi Hole blacklist URL

Pi Hole allows the user to add other links to blacklists of this form.

We can easily generate this kind of list just by listing the domains which are tagged as trackers.

εxodus knows a bunch of domains which are associated with trackers. In Pi Hole, users can add a URL pointing to a blacklist.

The main idea is to make εxodus provide such a URL pointing to a blacklist (containing the list of trackers identified by εxodus). Users of Pi Hole can then easily add the εxodus blacklist to their Pi Hole instances.

Own installation of exodus fetches different apk compared to the official exodus report

I've managed to install and run my own installation of exodus but something weird is happening. First I tried to run the test on a few app that were not on the official report, then I tried another one that was on the report to see if there was any difference - and there is!
The app is Viber (com.viber.voip). In the official exodus report it's been tested on the 12th of November and the tested version is 7.9.0.6. Now, 3rd of December, the version installed on my phone is the 7.9.4.11 one but when I run the exodus test on Viber the version number 5.6.0.2415 gets downloaded and tested. Now, v.5 is pretty old and I wonder why this is the case. (On a side note, no trackers were reported for the v.5 app)
Same for Firefox (v.57 in the report, v.56 downloaded by my installation).

[cosmetic] view # of installations in the tracker reports

On the tracker report page, there is a list on the right side that shows the available reports of apps containing this tracker. It would be nice to be able to

  • see the number of installation of each app from this list.
  • sort the list by number of install
  • possibly show a total sum

That gives an idea of the importance of the tracker and its most important vector.
It is cosmetic, but as the info is available in the app report maybe it can easily be seen here too.

Without trailing slashes in URLs, pages don't resolve

This is hopefully a simple tweak, but URLs without the trailing slash don't resolve to the correct pages/reports. This becomes a problem when sharing the URLs, for example via e-mail and social media.

Example:
https://reports.exodus-privacy.eu.org/reports/37

Should go to:
https://reports.exodus-privacy.eu.org/reports/37/

Just changes/additions to regex patterns in these files? https://github.com/Exodus-Privacy/exodus/search?utf8=%E2%9C%93&q=url(

Exodus static analysis prone to simple tracker obfuscations

Since the static analysis is just comparing names of classes in the dex file with class names of popular trackers (code_signature), obfuscated trackers will not be discovered by it.

The problem is that simply by renaming the classes you can prevent exodus from finding any tracker.
Developers have incentive to obfuscate their applications beyond making trackers undetectable:

  • Protection of intellectual property
  • Minimization of apk file size
  • . . .

Tools like proguard can be used for just this.
https://www.guardsquare.com/en/proguard

There are approaches that will detect trackers despite obfuscation attempts.

This paper introduces an obfuscation-resilient approach to detect libraries in android applications:
Titze, Dennis, Michael Lux, and Julian Schuette. "Ordol: Obfuscation-Resilient Detection of Libraries in Android Applications." Trustcom/BigDataSE/ICESS, 2017 IEEE. IEEE, 2017.
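As an added illustration of the point raised in this issue (example code, not the εxodus project's own detection routine), the following simplified name-based matcher shows how ProGuard-style renaming turns a tracker-laden class list into an empty result, and adds a heuristic "obfuscation ratio" so that an empty result on a heavily renamed APK is reported as low confidence rather than as "no trackers". The tracker definitions, class lists and the 0.5 threshold are constructed for this example; the signature format is a plain regex over dotted class paths, which is an assumption, not the ETIP database format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Threshold above which the class namespace is treated as renamed.
# Assumption for this illustration; not an εxodus setting.
OBFUSCATION_THRESHOLD = 0.5


@dataclass(frozen=True)
class Tracker:
    """Tracker name plus a regex matched against dotted class paths (constructed)."""
    name: str
    code_signature: str


# Constructed tracker definitions, modelled on class paths quoted in the issues above.
TRACKERS: List[Tracker] = [
    Tracker("AppLovin", r"^com\.applovin\."),
    Tracker("MoPub", r"^com\.mopub\."),
    Tracker("Unity Ads", r"^com\.unity3d\.ads\."),
]


def normalize(descriptor: str) -> str:
    """'Lcom/mopub/common/GpsHelper;' (dex descriptor) -> 'com.mopub.common.GpsHelper'."""
    name = descriptor.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace("/", ".")


def find_trackers(class_names: Iterable[str], trackers: List[Tracker] = TRACKERS) -> List[str]:
    """Name-based static detection: a tracker is reported when its code
    signature matches at least one class path present in the APK."""
    classes = [normalize(c) for c in class_names]
    found = []
    for tracker in trackers:
        pattern = re.compile(tracker.code_signature)
        if any(pattern.search(c) for c in classes):
            found.append(tracker.name)
    return found


def obfuscation_ratio(class_names: Iterable[str]) -> float:
    """Share of classes whose simple name is one or two characters long (the
    default ProGuard/R8 naming scheme). A high ratio means an empty tracker
    list says little: renamed classes cannot match name-based signatures."""
    classes = [normalize(c) for c in class_names]
    if not classes:
        return 0.0
    short = sum(1 for c in classes if len(c.rsplit(".", 1)[-1]) <= 2)
    return short / len(classes)


def audit(class_names: Iterable[str]) -> Dict[str, object]:
    """Combine detection with the heuristic so a negative result on a heavily
    renamed APK is flagged as low confidence instead of reported as clean."""
    classes = list(class_names)
    trackers = find_trackers(classes)
    ratio = obfuscation_ratio(classes)
    low_confidence = not trackers and ratio > OBFUSCATION_THRESHOLD
    return {
        "trackers": trackers,
        "obfuscation_ratio": round(ratio, 2),
        "confidence": "low" if low_confidence else "high",
    }


# Constructed class lists standing in for the output of a dex decoder.
PLAIN_APK_CLASSES = [
    "Lcom/example/app/MainActivity;",
    "Lcom/applovin/adview/AppLovinInterstitialAdDialog;",
    "Lcom/mopub/common/GpsHelper;",
    "Lcom/unity3d/ads/android/UnityAds;",
    "Lorg/apache/commons/math3/optimization/BaseOptimizer;",
]
# The same app after ProGuard-style renaming: only the kept entry point survives by name.
OBFUSCATED_APK_CLASSES = [
    "Lcom/example/app/MainActivity;",
    "La/a/a/a;",
    "La/b/c;",
    "Lb/a/a;",
    "Lb/b;",
]

if __name__ == "__main__":
    print(audit(PLAIN_APK_CLASSES))       # 3 trackers, confidence 'high'
    print(audit(OBFUSCATED_APK_CLASSES))  # no trackers, confidence 'low'
```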

settings.py empty

It's necessary to put the password in the settings file, but the file is empty.

Set the password in the file Exodus/exodus/exodus/settings.py line 97.

Correlate the data found between static and dynamic analysis

Add a way to display whether a tracker was found by the static analysis, the dynamic analysis, or both.

This could help limit the number of false positives when an application includes URLs of trackers in order to protect the user. In this case, the trackers are only found by the static analysis, not by the dynamic analysis.
