Description
Currently, exodus privacy only looks for tracker signature and does not care of the context. As told on the site https://exodus-privacy.eu.org/en/page/faq/#negatives
Our static detection method looks in applications for the presence of a defined list of trackers. If the signature of a tracker is detected in the analysis, its presence is indicated in the report. This is not a proof of activity of these trackers.
So I suggest to look for the signature of methods call instead of look for imports (actually, the application is looking for anything that contains trackers but this work is on progress #35). It will avoid to trigger false positives on applications that imports libraries of trackers but do not use these. Of course nothing forbid us to tell to the consumer that an unused tracker is present or to make another settings.
In a far future, we may want to use the events of the davilk vm to locate exactly when a tracker is called. Example: when a call on the method onResume() is found, we tell to the user each time when you resume your application, X tracker takes X informations.
It sounds hard but not impossible. I am more and more familiar with androguard. I let you some links to the doc that may help:
to find any function declarations
to get the instructions of this function
to list any tracker. We have to parse.
Good luck.