June 16 2022 Android app update and PUA Alert

I just updated the Wyze app (Beta) version through Google Play Store and instantly received a security alert for unusual activity of PUA Alert.
Alert through Norton 360.
This is very interesting for sure.

The PUA notice is probably to make sure you’re aware of the contract Wyze has with Braze and Segment.

Wyze uses them for analytics help to figure out things like conversion rates from free trials, what things the majority of users do or do not use in the app, where they can make improvements to increase engagement, etc. If people use/like the changes they make between iterations.

Braze even uses Wyze as a great example to other potential clients of how their analytics helped Wyze improve their messaging to increase conversion rates of free Cam Plus trials to become paid subscriptions by 56% higher than they were before the analytics. And that’s in addition to product launch announcements and updates that they used Braze for.

If you get a PUA notice about the Wyze App, it’s almost definitely because of the Braze analytics package. I looked into the details a while ago and I, myself, am not concerned.


This is a great answer. Just for perspective, can you give us an example of something of this type you are concerned about? 🙂


Thank you for your prompt and excellent information.

Sometimes a PUA can be about a coinminer stealing your device resources.

Sometimes they can involve some form of malware that is relatively malicious.

Sometimes they are trackers to collect and sell your info to 3rd parties for profit.

Sometimes they are fairly harmless internal analytics.

For me, I see the way Wyze uses Braze as essentially no different than basically every single professional website does with analytics to track what’s effective at producing engagement or conversion rates. If I was against what Wyze does with Braze, I feel like I’d have to never use a browser again. I know there are things that can be done to minimize analytics use from websites: block all cookies, use private tabs for everything, use a VPN, run everything through TOR, etc. But even that isn’t enough due to techniques data brokers use like browser fingerprinting. You can still be identified and linked in many ways. You also need to spoof your MAC address, spoof GPS, spoof browser, run everything through a virtual OS, etc. There are companies that will do all that for you easily with each new connection, making fingerprinting virtually impossible…(such as Windscribe), not to mention never having an account or logging in to things… but in the end, basically nobody does all that regularly (excepting those doing something extremely illegal). It’s a lot of work with terrible speeds and you get blocked as a bot or spammer by half the websites and have a really hard time doing anything.

Wyze has a really reasonable privacy policy IMO where they strictly will not sell our data to anyone, and basically use analytics info as fairly anonymous collectives to have group insights.

In some ways, it’s more about what it’s used for or allowed to be used for. I’m very against selling my data to third parties, but totally understand internal analytics for UI and messaging improvements.

  1. We don’t know that this particular alert is “merely” for the tracking components.

  2. I disagree that in-app 3rd party tracking is acceptable merely because it might be relatively common. To the contrary, it’s one more reason to avoid apps and vendor ecosystems wherever possible, and to register our disdain with the companies doing this. It is in our interest to limit the exposure of our information and the use of our bandwidth and our devices to multiple third and fourth parties. The comparison to web sites is interesting in that it is trivially easy to avoid most tracking on web sites via incognito modes and ad blockers and VPNs et al., while it is nearly impossible to do so with apps running on your phone. Thus these in app trackers are far more insidious.

  3. Norton still stinks and I was dismayed to learn that they will soon own Avast and AVG and several other antivirus companies. Say bye bye to good free AV from anyone besides Microsoft…

There are actually apps out there that will block them on apps. I tested out DuckDuckGo’s beta blocking tool for example. It successfully blocks Braze and Segment while still showing full use of the rest of the Wyze App. So if that is really important to someone, you can easily get a tool like that. I tested it for several weeks out of curiosity. Obviously Wyze recommends against blocking such things for various reasons, but I didn’t have any noticeable functionality issues by using it. Eventually I stopped using it because I found there was nothing going on with my phone that I was significantly concerned about after researching which apps were using which analytics for what purpose.

I do understand and respect the general provoke and desire for such privacy though, so not disagreeing with the general sentiment, just expressing my personal tolerances (don’t sell my data for profit, keep done stuff encrypted and some anonymous. Those are my general standards).

I’m not sure this statement is accurate.

If I understand these tools correctly (and I am not familiar with them) then Incognito-modes and ad-blockers would not stop them. At least, not necessarily. Tracking where people click and how people are engaging different features is useful for creating better user interfaces and surfacing settings/preferences that people use a lot.

Focus groups, design models, and the like can only go so far.

So I think we should be careful to differentiate between anonymized “interface activity tracking” and “advertising and marketing tracking” (internal or external) because they present different risks and rewards.

For example, if in-app tracking shows that people press the video playback buttons a bunch, it might indicate that the video playback interface needs attention.

To be clear, that also means people might go into the in-app store, add items to their cart and then abandon it. That tracking could be used to try and market those products to you or figure out what’s “broken” (if anything) with the interface that stopped the user from completing the purchase.

Functionality based UI improvements are something I’m really interested in.

Wyze should allow users to disable such tracking if they wish.

I don’t follow you. I was distinguishing between web site usage - where browser add-ons such as uBlock Origin can easily block 3rd party sites - from apps running with near-root access on your phone.

You might understand my confusion. You said “incognito modes and ad blockers and VPNs et al.”

None of those explicitly listed would stop the UI-interaction tracking I was talking about (e.g. HotJar).

In fact, uBlock Origin says on their GitHub:

uBlock Origin is NOT an “ad blocker”: it is a wide-spectrum blocker

Since I hadn’t ever heard the term “wide-spectrum blocker” it never occurred to me that your ‘etc’ would include them 😃

Hope that clears things up. Such a “wide-spectrum blocker” would block the sort of thing I was referring to but it certainly wouldn’t be standard I’d expect from mere ad blockers.

So, I learned about a new tool and term. Cool. Thanks.

No, we don’t need to mince words. I never heard that “spectrum” term before. uBlock Origin is a good ad blocker. And from what I just read it blocks “Hotjar” crapware by default, as do other ad blockers. The nice thing about http calls is it’s fairly easy to block them selectively.