{"id":102610,"date":"2017-11-27T12:00:09","date_gmt":"2017-11-27T12:00:09","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=102610"},"modified":"2017-11-26T20:36:42","modified_gmt":"2017-11-26T20:36:42","slug":"staggering-variety-of-clandestine-trackers-found-in-popular-android-apps","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2017\/11\/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps\/","title":{"rendered":"Staggering Variety of Clandestine Trackers Found in Popular Android Apps"},"content":{"rendered":"
\"\"<\/a>

Photo: Dave J Hogan\/Getty Images<\/p><\/div>\n

24 Nov 2017 – <\/em>Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.<\/p>\n

Exodus security researchers identified 44 trackers in more than 300 apps<\/a> for Google\u2019s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university\u2019s law school, is working to replicate the Exodus findings and has already released reports<\/a> on 25 of the trackers.<\/p>\n

Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital \u201csignatures\u201d distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived \u201chash\u201d summary of the file itself.<\/p>\n

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.<\/p>\n

\u201cI think people are used to the idea, whether they should be or not, that Lyft might be tracking them,\u201d said Sean O\u2019Brien, a visiting fellow at Yale Privacy Lab. \u201cAnd they\u2019re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don\u2019t think that they think that their data is being resold or at least redistributed through these other trackers.\u201d<\/p>\n

Among the Android apps identified by the researchers were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Superbright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ridesharing service Uber, with three trackers; and Skype, Lyft, Accuweather, and Microsoft Outlook.<\/p>\n

(A Spotify spokesperson wrote, \u201cWe take data security and privacy very seriously. Our goal is to give both our users and advertising partners a great experience while maintaining consumer trust.\u201d An Uber spokesperson referred The Intercept to its published details on its use of cookies<\/a>, which lists some of their third-party cookie providers but is not intended to be comprehensive. Users who visit the privacy policy section of Uber\u2019s website can follow an opt-out link which appears to only apply to interest-based advertising on web traffic. The preferences do not work if a user disables third party cookies, and users must opt out again after deleting their cookies.)<\/p>\n

Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own.<\/p>\n

\u201cThe real question for the companies is, what is their motivation for having multiple trackers?\u201d asked O\u2019Brien.<\/p>\n

\u201cData is the oil in the machinery here, and I think they\u2019re just trying to find different ways to extract it.\u201d<\/em><\/strong><\/p><\/blockquote>\n

Tinder\u2019s heavy use of trackers means the company has been able to make use of behavior analytics<\/a>, and also to accept payment from shaving supply company Gillette<\/a> for highly targeted research: Do college-aged male Tinder users with neatly-groomed facial hair receive more right swipes than those with untidy facial hair?<\/p>\n

Capabilities of the trackers uncovered by Exodus include targeting users based on third-party data, identifying offline movement through machine learning, tracking behavior across devices, uniquely identifying and correlating users, and targeting users who abandon shopping carts. Most trackers work by deriving an identification code from your mobile device or web browser and sharing it with third parties to more specifically profile you. App makers can even tie data collected from trackers with their own profiles of individuals, including names and account details. Some tracking companies say they anonymize data, and have strict rules against sharing publicly identifiable information, but the sheer wealth of data collected can make it possible to identify users even in the face of such safeguards.<\/p>\n

Although some or all of the apps identified by Exodus and Yale researchers may technically disclose the use of trackers in the fine print of their privacy policy, terms of service, or app description, it is difficult, to say the least, for smartphone users to get a clear handle on the extent and nature of the monitoring directed at them. The whole point of using a mobile app, after all, is often to save time.<\/p>\n

\u201cHow many people actually know that these trackers are even there?\u201d said Michael Kwet, another visiting fellow at Yale Privacy Lab. \u201cExodus had to create this software to even detect that they were in there.\u201d<\/p>\n

A few of the trackers offer users the option to opt out via email or through their privacy settings. But tracking can resume even after this step is taken. For example, one app requires that users who clear their cache set up the opt-out again. Some opt-outs are temporary. Even if the opt-outs do end up being permanent, few users would even know to activate them in the first place.<\/p>\n

\"\"<\/a>

David Singleton speaks during the Google I\/O 2015 keynote presentation in San Francisco. Photo: Jeff Chiu\/AP<\/p><\/div>\n

Meet the Trackers<\/strong><\/p>\n

Google has a vested interest in allowing liberal use of trackers in apps distributed through Google Play: One of the most ubiquitous in-app trackers is made by Google\u2019s DoubleClick ad platform, which targets users by location<\/a> and across devices and channels, segments users<\/a> based on online behavior, connects to personally identifiable information<\/a>, and offers data sharing and integration<\/a> with various advertising systems. DoubleClick\u2019s tracker is found in many popular apps, including Tinder and OkCupid, Lyft and Uber, Spotify, the Weather Channel and Accuweather, and the popular flashlight apps Superbright LED flashlight and LED light.<\/p>\n

A Google spokesperson confirmed that its ad platforms DoubleClick for Publishers and AdMob serve ads on both Android and iOS devices, and that it ties information collected by the networks to a persistent identifier to measure engagement. Although users can control information Google uses to show them ads, they cannot specifically opt out of DoubleClick.<\/p>\n

DoubleClick prohibits vendors from sharing personally identifiable information or other unique identifiers, and states that it only stores general location data like city and zip code rather than precise location information unless users enable location history in their Google account. App developers who use the DoubleClick Ad Exchange are required to disclose in their privacy policies that the user\u2019s identifier will be shared unless the user opts out of ad tracking, and to explain how the user can reset their identifier. Google shares attribution data with advertisers and third party measurement partners using these identifiers.<\/p>\n

Perhaps the most invasive of the trackers is Fidzup, a France-based mobile performance marketing platform for brick and mortar retailers. The company\u00a0has stated<\/a> in its advertising copy<\/a> that it has developed communication between a sonic emitter and a mobile phone (either iOS or Android) by emitting an inaudible tone to locate a user within a shopping mall or a store. User phones receive the signal and decode it to give away their location. The company further uses geofencing to track users to a so-called \u201ccatchment area,\u201d such as a specific section within a store, where it can serve them targeted ads, possibly for a competing retailer.<\/p>\n

Mathieu Vaas, a spokesperson for Fidzup, said that the company has not used inaudible tones in two years, but is instead using wifi-based technology to obtain data regarding how customers behave within stores and to retarget them with ads. But information on sonic technologies is posted on Fidzup\u2019s website<\/a> (as of November 21st) and detailed further in an older version of the site<\/a> accessed on October 15. Vaas stated that these pages are outdated and inaccessible from the main page, and will be scrubbed from a new website that\u2019s currently being prepared.<\/p>\n

Vaas also confirmed that, even just using wifi technology, Fidzup can track highly specific in-store behavior such as aisles visited, the time spent in them, the number of visits to a store, and so forth. Fidzup can also leverage other apps to obtain geolocation data, but the only third parties receiving that data are retailers that have installed the company\u2019s wifi technology within their store, he added, and the data it is only related to behavior within the store. \u00a0Vaas later said that Fidzup does not share information with third parties.<\/p>\n

\u201cIn every store where we are present, we inform the public of the presence of data-gathering technology in the store and indicate to them that they can turn their wifi off, as well as provide them with a link that allows them to permanently opt-out of Fidzup. In that case, their data will be recognized and scrapped automatically and they won\u2019t be retargeted with ads from Fidzup ever,\u201d he said via email.<\/p>\n

Though based in France, Fidzup has a presence in San Francisco, and Vaas said that the company plans to start effectively operating in the U.S. soon. Since Fidzup is a French company, Vaas said they are subject to stricter privacy laws and regulations than the U.S. has, and as they \u201cdeeply respect consumers\u2019 rights to privacy and their civil liberties,\u201d they plan to operate under those standards in the U.S. as well.<\/p>\n

O\u2019Brien and Kwet seemed less impressed with the company\u2019s privacy commitment, writing, \u201cFidzup\u2019s practices mirror that of Teemo (formerly known as Databerries), the tracking company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens<\/a>.\u201d Teemo collected navigation data from mobile users and used it to drive in-store sales by targeting users based on locations they had visited. Its website states<\/a> that it may collect location data using GPS, cell towers, wifi access points, wireless networks, and sensors such as gyroscopes, accelerometers, compasses, and barometers. In addition to collecting IP addresses and identifiers assigned to mobile devices, it also may obtain information from third parties to combine with what it has and share its information with third parties (with some stipulations) as well. As with Fidzup, it is not immediately clear to what extent Teemo is operating in the U.S. Although Teemo is a French company based in Paris, it has an office in New York. Teemo did not respond to request for comment.<\/p>\n

Surveillance Mission Creep<\/strong><\/p>\n

Not all trackers are equally invasive, though many grab more information than they arguably should. For example, Google-owned Crashlytics is presumably just a crash reporter, but it does much more<\/a> than simply performing analytics on app logs. The app, used by Tinder, OkCupid, Spotify, Uber, Superbright LED and LED Light, can also link users across multiple cookies and devices<\/a>. Microsoft\u2019s HockeyApp, used by Microsoft Outlook, Skype, and the Weather Channel, goes beyond simply collecting and analyzing crash reports but can also track daily active users, monthly active users<\/a>, the net number of new users, and session counts. AppsFlyer (used by Tinder, Superbright LED, and the Weather Channel) does fraud prevention and protects from malware, but also fingerprints devices by their IDs<\/a>, tracks users across datasets<\/a> to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps<\/a>. A spokesperson for AppsFlyer directed The Intercept to the company\u2019s privacy policy<\/a>, and stated that the tracker only works with businesses and advertisers, and does not engage with end users. Its terms and conditions also require clients to disclose the collection and use of data in their own privacy policies.<\/p>\n

In addition to DoubleClick, Teemo, and Fidzup, Braze (formerly App-Boy) and Salesforce DMP (formerly Krux) appear to collect large amounts of user data. Braze, used by OkCupid and Lyft, can track users by location<\/a>, target them across devices and channels, and serve targeted advertising based on consumer actions<\/a>. Salesforce DMP, used by OkCupid, not only captures user clicks, downloads, and other interactions, but also uses hashed device management<\/a> to effectively circumvent Safari\u2019s third-party blocking. The tracker allows marketers to use machine learning<\/a> to discover personas, uses cross-device ID, and even uses behavioral analysis to guess when a user is sleeping, and a probabilistic matching algorithm<\/a> to match identities across devices. There is an opt-out on the Salesforce website<\/a>, though it\u2019s unclear what percentage of OkCupid users are aware that the dating site is wrapped around the Salesforce DMP tracker and would even know to opt out. (OkCupid did not respond to request for comment.)<\/p>\n

\u00a0<\/strong>Weather apps are ubiquitous, and one wouldn\u2019t guess that they\u2019d include surveillance. But both Accuweather and the Weather Channel apps (along with Spotify) use the ScoreCardResearch tracker, which can also track data on usage<\/a>, including information on web browsing and app usage behavior over time and across digital properties, possible relationships between browsers and devices\u2014which can be provided to third parties for advertising purposes. <\/strong>The tracker can even use third-party service providers to obtain more non-personally identifiable information to add to unique profiles using cookies.<\/p>\n

The tracker Millennial Media (formerly Nexage) is used by Accuweather and Super Bright LED to \u201cautomate the buying and selling of mobile advertising<\/a>\u201d targeting channel and demographic segments, such as a shampoo company targeting \u201cwomen ages 25-55 with an emphasis on\u2026pregnancy, stress, and bleach\/coloring<\/a>.\u201d<\/p>\n

Microsoft Outlook, the Weather Channel, Superbright LED, and LED Light use Flurry, a mobile ad platform acquired from Yahoo! by Verizon subsidiary Oath. Flurry tracks device and app performance metrics and analyzes user interactions, identifies user interests, stores data profiles as personas, groups and correlates user data, and injects both native and video ads. A spokesperson for Oath said that Flurry\u2019s terms of service<\/a> require app developers to post a privacy policy notifying what data is collected, stored, and shared and either linking to Flurry\u2019s privacy policy or describing their opt-out service. In addition, the spokesperson said only information that\u2019s not personally identifiable leaves Flurry\u2019s system.<\/p>\n

Another tracker, Tune, follows Rideshare users\u2019 online and offline behavior \u00a0across devices<\/a> and also tracks in-app user behavior<\/a>, uniquely identifies users, and tracks their location.<\/p>\n

The AppNEXUS tracker, used by, among other apps, Superbright LED, uses machine learning for targeted advertising<\/a>. In a phone call, AppNexus\u00a0spokesperson Joshua Zeitz confirmed that the tracker collects mobile advertising identifiers, type of phone, IP addresses, and a unique app identifier. The company does store mobile advertising identifiers as well as cookies from web users, but Zeitz said data on what ads have been served to what identifiers is only retained for up to 33 days, and that the tracker does not collect names, numbers, or account numbers, that it only keeps device and browser identifiers and cookies, and that it cannot de-anonymize users from its data set. AppNexus stated that it does not share device and browser identifiers tied with third parties.<\/p>\n

O\u2019Brien said app developers can choose the types of advertising they embrace, but that it\u2019s unlikely users are thinking about those decisions when installing apps. He also doesn\u2019t see permissions as a solution. \u201cIf you\u2019re in a situation where you\u2019re asking the victim of the tracking how much tracking they want, you\u2019ve already gone too far. It\u2019s already a problem,\u201d he said.<\/p>\n

Without an overhaul of the advertising-rich phone system, O\u2019Brien said the best solution may be to use the software repository F-Droid<\/a>, which distributes only free and open source software that does not include unknown or masked trackers or code.<\/p>\n

___________________________________<\/p>\n

Related<\/em>: Hit App Sarahah Quietly Uploads Your Address Book<\/strong><\/a><\/em><\/p>\n

Yael Grauer<\/a> – yael@\u200byaelwrites.com<\/a><\/em><\/p>\n

Go to Original \u2013 theintercept.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

24 Nov 2017 – Researchers built a custom platform to root out trackers in mobile apps. They discovered 44 different varieties in 300 apps downloaded by billions of people.<\/p>\n","protected":false},"author":4,"featured_media":102612,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[216],"tags":[],"class_list":["post-102610","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/102610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=102610"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/102610\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media\/102612"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=102610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=102610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=102610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}