Surprise: Android apps are riddled with trackers
Hundreds of apps put snoops to work, and then there's 'supersonic tone tracking'
In case you're wondering, yes, there's a good chance at least some of your Android apps have tracked you rather more than you expect.
That's the conclusion of a joint project between Yale University's Privacy Lab and French non-profit Exodus Privacy, which has this month documented snoopware features in apps from Uber, Tinder, Skype, Twitter, Spotify, and Snapchat, the university said.
The 25 trackers outlined by Privacy Lab are a subset of 44 that Exodus Privacy discovered by scanning Google Play apps looking for signatures it developed to identify tracking code. The full Exodus list is here.
Exodus said it wants to find helpers for the project, and published its analysis software at GitHub.
Yale said the trackers are mostly used “for targeted advertising, behavioural analytics, and location tracking”, all of which may be legitimate applications, but often operated without users' knowledge.
Lack of transparency about the collection, transmission, and processing of data via these trackers raises serious privacy concerns and may have grave security implications for mobile software downloaded and in active use by billions of people worldwide.
Of 300 apps Exodus has analysed, Yale says, 75 per cent contain trackers. Some of them are familiar names, like Google's DoubleClick, and some seem relatively benign (it's clear what CrashLytics is for).
Users might be less pleased that apps are sending their name, phone number, e-mail address, login, IP address and device ID to OutBrain. Other trackers, like Ad4Screen, are pervasive across a huge number of publishers and platforms.
Yale's post also detailed the use of “supersonic tone tracking” in the tracker FidZup, which allowed a French restaurant guide called Bottin Gourmand to track users' physical location “via retail outlet speakers”. It then shared that information with other publication apps, Auto Journal and the TeleStar TV guide.
Don't feel smug if you're an iPhone user: the Privacy Lab post said the tracker companies advertised iOS versions of their software, but auditing iOS apps is difficult. ®
Update: One of the organisations named in the research, Fidzup, says the technology mentioned in the research is obsolete. Anh-Vu Nguyen, Fidzup's COO and co-founder, provided the following statement:
“Fidzup stopped developing and exploiting the ultrasonic technology in 2015 and it is only present in outdated sections of the website you refer to. By the way, this outdated website is about to be completely deleted.
“In addition, we never, at any time in the past, integrated our sonic SDK in the Mondadori apps (Autojournal & Telestar). If you download the app, you'll be asked to share your microphone, but this request is not related to our technology, and, as we are not the app's publisher, we have no indication that this request is related to this kind of technology at all. Microphone could be used for other things.
“We want to give you a full assurance that except for our outdated demo app, no other app currently in production features the sonic SDK module, as we do not exploit this technology anymore. Same thing for store deployments, no ultrasonic beacon has been deployed in any store, since 2015.
“While it is true that we developed the Bottin Gourmand app (new version is underway), this app never integrated our sonic SDK in order to track people in restaurants. The goal of this app (and it is the same for the coming new version) is simply to allow Credit Agricole (Bottin Gourmand is part of this Banking group) employees to rate their favourite restaurants and share it to other app users. This app was developed as a side project for Credit Agricole, and there is no link with Fidzup's main activity.”