Researchers Identify 44 Trackers in More Than 300 Android Apps

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

Android: The Gift That Keeps on Taking...

[TheFakeTimCook]

This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

Re:Android: The Gift That Keeps on Taking...

This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.

If I download a calculator, I want to be able to go in and pretty much explicitly turn off everything, because it has no business accessing my contacts, my location, or pretty much anything.

I know my iPhone lets me do this to a certain extent, but neither of my Android devices support this.

The reality is there is a couple of conclusions that I've made quite some time ago:

1) all app developers are lying, greedy assholes who aren't honest about what they're doing
2) all apps which essentially mirror a webpage serve no purpose but to add additional tracking
3) any app which shouldn't require network access for its basic functions which can't operate in airplane mode needs to be uninstalled

Most apps are pointless social media which I don't care about, or pointless games which try to force you to constantly touch and use micro transactions.

I've found the number of actually useful apps that I actually make use of to likely be in the single digits. Everything else is just ads and other bullshit.

Unfortunately, this seems to be what the mobile market actually wants, so if people are suddenly realizing their apps are spying on them I have little sympathy left in my heart for this. Everyone wants to download shiny apps so they can instagram taking a shit, or Facebook their friends they collected 7 turds in Ace Pooper Scooper.

This is the kind of garbage people seem to like, if they're collectively too stupid to realize what is actually happening that's their problem.

Re:Android: The Gift That Keeps on Taking...

[Carcass666]

This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

Per TFA (toward the bottom), the tracking providers also provide iOS components/libraries, so it's likely they are affected/infected as well. It's just that this study didn't look at them (for whatever reason).

Re:Android: The Gift That Keeps on Taking...

Seriously, this is really holding back mobile computing.

My bank asked if I'd installed their mobile app. Are you kidding? I would never put any important information into my phone. I don't trust it at all.

Re:Android: The Gift That Keeps on Taking...

[chill]

I'm not sure what version of Android you're talking about, but granular permissions have been available for some time now.

My current phone is a OnePlus 3T and running Android 8.0.0 with the September 1, 2017 patch level. Yes, I know that is a very recent version of Android, but much of this was introduced earlier.

I can go into Settings --> Apps and from there, view and control app permissions by permission or by app. That is, I can see every app that has access to something like SMS or my camera. Or, I can go in and see what permissions a specific app has. In both views, I can toggle specific permissions on and off.

Re:Android: The Gift That Keeps on Taking...

[JackieBrown]

Install fdroid and then install apps that only ask for permisions you are willing to grant.

Installing a calculator that requires network and location access is foolhardy on your part unless you are cool with allowing the ads that it will be "giving" you to pay the developer.

Re:Android: The Gift That Keeps on Taking...

[Aighearach]

This is exactly it!

If it is asks for your phone ID and also network access, it is tracking you. It even told you and asked! LOL

With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.

Never trust. Never.

Re:Android: The Gift That Keeps on Taking...

Must be new to 8.0.0 because my older one only shows the permissions but doesn't allow changing them.

Re:Android: The Gift That Keeps on Taking...

[tepples]

Install fdroid

That might work for a calculator or a flashlight. But it doesn't help much for things like games, for reasons that have been explained elsewhere.

Or has a viable business model emerged for developing video games for distribution as free software from day one? If the model involves developing the engine as free software but everything but the engine as non-free and paywalled, F-Droid currently considers that an anti-feature called NonFreeAssets .

Re:Android: The Gift That Keeps on Taking...

[JackieBrown]

That's the price for playing these games. It's not like there is a need for these games and there are plenty of alternative (maybe less flashy) games to play.

I understand the frustration. Trying to find even a solitaire game on the play store that doesn't request access to everything under the sun is a challenge. It's why I check fdroid first. That said, I understand why they developers do it since most people don't want to pay currency for anything and get bombarded enough with ads to not be outraged when they get an app that has ads. It's the norm for allot of people.

Re:Android: The Gift That Keeps on Taking...

#fragmentation

Re:Android: The Gift That Keeps on Taking...

It's hilarious you think Google's the only one that's allowing these apps into the app store -- and it's AGAINST their best interests as it's letting other companies build user profiles.

Just had this conversation with someone on facebook and they refused to see it hard evidence. So I'll ask: Which platform do you think has no user privacy issues?

i devices? Just do a quick google where MAJOR 3rd party app companies were successfully sued for Invasion of Privacy. And remember, antivirus/spy companies CANNOT scan i device binaries and must rely on APL to find and remove, so this has to be done via a jailbroken device... There's no user aggregating scans like on every other platform.

It's like reverse enginnering binaries is a difficult thing to do, so cursory app reviews don't do much to stem the privacy...

Re:Android: The Gift That Keeps on Taking...

Granular Permissions have been in Android since 6.0. Apps that target a lower version (i.e. you wouldn't be able to see them otherwise) will present the information.

That said, if you don't trust the app developer with the information, why are you installing it to begin with? They could quite easily build a profile on you without these premissions, and all they need is you to cllick yes once from another app they use.

Re:Android: The Gift That Keeps on Taking...

Without jb'ing there is no way to analyze i device apps. On Android, Binaries are accessable to all (user data is protected).

iDevices cannot access this, so the only people who can scan for things are:
- Jailbroken devices, but they have to install each individually since most people won't do this for the purposes of a scan.
- APL themselves. Who aren't going to do shit.

Re:Android: The Gift That Keeps on Taking...

[farble1670]

Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.

Good thing Android added that two releases ago. Phew! We almost had a problem on our hands there.

Re:Android: The Gift That Keeps on Taking...

[farble1670]

Install fdroid and then install apps that only ask for permisions you are willing to grant.

Or, install from Google Play and then install apps that only ask for permissions you are willing to grant.
Or, sideload apps that only ask for permissions you are willing to grant.

You are *always* prompted to grant permissions.

Re:Android: The Gift That Keeps on Taking...

[farble1670]

With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.

Yep, completely reasonable. Modify the source and recompile and sideload all of your apps. Also make sure you keep up with new releases merging in changes with your modifications, rebuilding, and re-installing by hand.

Thanks for the useful suggestion.

Re:Android: The Gift That Keeps on Taking...

Right, so if you disable camera, you can't take pictures with the app. You probably just didn't want the app to take pictures when it wanted to. There's no granularity on that level.

There's thousands of permissions at this level, and even if you whitelist some, your blacklist will bite you, or application developers will just pull all functionality if you blacklist some.

The only solution is to stop using closed-source apps. Again. See: Slashdot 1997

Re:Android: The Gift That Keeps on Taking...

[arth1]

Granular Permissions have been in Android since 6.0.

Given that half of all Android users are at lower versions than 6.0, that isn't ultimately helpful.

Google really needs to start forcing vendors to take responsibility, for example by requiring 3 years of OS upgrades before granting a license.
3 years is not too long a lifespan to expect from a phone; while most of us are reasonably well off and can afford to change more often, a lot of people aren't all that affluent, and need to use their phone for several years.
As long as Google allows and encourage companies to release and abandon, this situation with most of the userbase on old and insecure devices just won't improve.

Re: Android: The Gift That Keeps on Taking...

No. Move beyond blocking. Have a system to generate fake data. Much better. Poison the well.
Norootfirewall is a good start.

Re:Android: The Gift That Keeps on Taking...

[Seven+Spirals]

Which is a completely useless waste of time as the application will simply refuse to run. This is universal on both Android, iOS, and even BB10. Granular permissions are meaningless since the applications will only give a complaint about you taking away camera, mic, and addressbook permissions and quit without letting you use them. I've yet to see a single application that didn't do this and you can bet the ones doing stupid shit you wouldn't want are going to be even more militant. So, I get it, in your particular case your Android fanboy gene is overriding your understanding of the problem, but try to see it in realistic terms - the granular permissions feature is mostly useless without the ability to force applications to run without their spying enabled.

Re:Android: The Gift That Keeps on Taking...

[chill]

The ability to work with the removal of specific permissions depends on the minimum level of Android that the app was designed for. This works better on newer apps.

However, not all older apps have issues with disabling certain permissions. Just because *you* haven't seen one doesn't mean they don't exist. For example, Skype for Business is one of those apps designed for an older version of Android, yet survives my removal of its permission to access my calendar. It still works fine.

Yes, it is perfectly functional in that I only want it to have access to my Outlook Calendar and not my Google one.

Fanboy has nothing to do with it. I was simply responding factually. If an app asks for too many permissions, then don't use it.

Re:Android: The Gift That Keeps on Taking...

[JackieBrown]

Yes you have to do a bit of work to stop the developer from monetizing an app they created, you found valuable, but don't want to pay for.

Re:Android: The Gift That Keeps on Taking...

[Seven+Spirals]

You managed to find one app that doesn't freak out and obstinately refuse to run after having it's permissions altered. Congrats. I don't really see that as validating your excitement about the nearly useless granular permissions feature, but if your point is "Hey! It's possible. It was done once. See?" Okay, wonderful, but that damn sure isn't the norm for new or old applications. That's what these constant drumbeat of horrifying news about mobile security are elucidating. Now, do you really think that any appdev who wants to track you, steal your addressbook, or turn on the camera/mic without permissions is going to tell themselves "Android is newer now and has some granular permissions features. I should probably stop being a spying asshole and support that feature". There is no way that's happening! I will stick to my ancient Symbian phone that can't run apps, has no bluetooth or wifi, and nobody cares about. You might turn your nose up and refuse to run apps that won't behave. However, it's not you or I that's really endangered by this kind of behavior. It's the huge numbers of folks with entry-level technical skills (ie.. they can barely run the phone) who get screwed by the fundamentally stupid/evil security architecture in *all* mobile operating systems.

Moviepass....

The new moviepass app doesn't even try to hide that they track you even when the app isn't open, keeping your gps full blaze.

Making Reverse-Tracking Legal Would Solve This

[dryriver]

Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.

Re:Making Reverse-Tracking Legal Would Solve This

What we need a law that makes it illegal to track users without explicit consent and whose violation ends the perpetrator (or company) not only with giant fines but jailtime too. And to the question "how can you jail a corporation ?" you can't but you can sure as hell jail the CEO and other executives. You know the ones how give the go ahead to enact such privacy invading policies. How fucking hard can it be ?
Your reverse tracking law is pie in sky and serves no purpose beyond making you feel all warm and fuzzy.

Re:Making Reverse-Tracking Legal Would Solve This

You need to understand the distinction between the CEO of the company and the company itself. Just because the company did something does not make the CEO responsible, unless it's illegal and he had knowledge of it.

However, with all this talk about tax reform, I *would* support legislation to the corporate tax rate for each company equal to the average tax rate of the bottom 50% of it's workers. I think you'd see some real changes made to the tax code then that would beneficial to America. #MAGA

Re:Making Reverse-Tracking Legal Would Solve This

[geekmux]

Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.

Most CEOs don't have a fucking clue as to how their own products abuse privacy. They're never punished for abusing privacy, which is why they don't give a shit. Even when they do risk punishment or fines, they still weigh it against profit, which is truly all they care about. They continue to abuse privacy because they found out long ago that it's worth it.

And do you know what happens when you try and do a WHOIS lookup on the worlds most popular domains? You get some generic result-by-proxy bullshit, which is exactly what any executive of any corporation would do if a reverse-tracking law were passed. You would never be allowed to track them, you would be allowed to track a sanitized proxy.

Re:Making Reverse-Tracking Legal Would Solve This

However, with all this talk about tax reform, I *would* support legislation to the corporate tax rate for each company equal to the average tax rate of the bottom 50% of it's workers. I think you'd see some real changes made to the tax code then that would beneficial to America. #MAGA

Uh, what? The less someone makes, the lower their tax rate. So you want to give companies a huge incentive to lower the pay they're giving to the bottom 50% of their workers? What am I missing here?

Re:Making Reverse-Tracking Legal Would Solve This

[freeze128]

Since WHOIS records are totally public, and accessible via the internet at no cost whatsoever, MILLIONS OF PEOPLE can view them. In fact, I'm sure there are bots that are scraping that info RIGHT NOW, in order to SPAM THE HELL out of those contacts with unwanted email, snail mail, phone calls, etc.

It's really no wonder that ANY company uses that 'Result-by-proxy bullshit' as you call it. I wouldn't want all that spam either.

Re:Making Reverse-Tracking Legal Would Solve This

The public record requirement for domain names is a travesty. The owners of domains where you'd want that info public inevitably hide behind proxy records (and probably don't show their real identities to the proxy either). Public whois just makes having your own email domain impossible without also giving spammers and stalkers not just your email address but also your real world address. Domain whois needs to go.

Re: Making Reverse-Tracking Legal Would Solve This

The CEO is responsible for the entire company, including those who do illegal shit without their knowledge.

That multi-million dollar salary needs some risk to justify it.

Don't like that risk ? Don't become a CEO.

Something stupid happens on a ship, what happens ? They sack the Captain as the first step. A company should be no different.

You want the job, you have to take on the responsibilities that come with it.

Re:Making Reverse-Tracking Legal Would Solve This

[mi]

you get the legal right to track them back.

You already have that right — and always did. With very few exceptions, whatever you can legally see, hear, or otherwise perceive, you can record and even sell the recordings others.

Watch how quickly all tracking stops when such a law is passed.

Watching...

Re:Making Reverse-Tracking Legal Would Solve This

[denzacar]

"Explicit consent" is a worthless and meaningless measure.
Everyone already agrees to all the bullshit that a particular piece of software demands of them - either during the installation or when starting the software.
Or during updates.

What would be necessary goes beyond tracking or consent.
Basically, there's a need for legislation treating software and hardware developers as presumed criminals and fraudsters - requiring proof and regular inspection that they are not defrauding or abusing their customers, attempting to do so or allowing for it through negligence.
Think treating all software and hardware with same scrutiny as medical devices and procedures.

You know... as you would expect whatever it is that your dentist is putting inside your mouth during a root canal procedure.
Is it just filling material - or is she putting a tracking device in there, so the reptilian overlords could track you using satellites and cellphone towers?

Same scrutiny should be given to all the cases of giving away "free" software, purposefully making software obsolete or packaging the same old functionality in a "new" application just because the developer has to push SOMETHING out there every quarter.
Also, backward compatibility and right to repair for hardware would have to be obligatory, and could be waived only by making all the software running on obsolete and "reasonably beyond repair" hardware open source and "free" - unless said hardware/software is a part of a medical device.
In which case support would be obligatory "for the life" of the patient.
You know... so people wouldn't have to worry about being asphyxiated if a fuse blows out during the night.

Re:Making Reverse-Tracking Legal Would Solve This

[Quantum+gravity]

Not quite what you want perhaps, but EU has mandated something called General Data Protection Regulation (GDPR) for EU citizens, that will be enforced in May 2018. After that people can ask a company what personal data it store about them, and to explain why it stores that data. GDPR also contains the "right to erasure" with which anyone can ask a company to remove their personal data. Google is located in Ireland due permissive legislation. That disappears with GDPR.

Jokes on them

Android users never leave their moms basement so these trackers are useless

Scare Mongering Story is Scare Mongering

[Oliver+Wendell+Jones]

From the article:

"In total, researchers said they identified 44 trackers embedded in over 300 Android apps. Overall, three-quarters of the 300+ apps Exodus analyzed contained at least one tracking component, with Google's CrashLytics and DoubleClick being the most popular trackers.

While some trackers collected only app crash reports (such as Google's CrashLytics), some of these trackers also collected app usage info and user details, some of which were sensitive in nature."

So, a majority of the apps are "contaminated" only with a plug-in from Google that collects "only app crash reports" - but somehow this indicates a massive privacy breach in 300+ Android apps? I think they may be a little overly paranoid on this one. Get back to me with legit numbers of "real, scary" tracking plug-ins...

Re:Scare Mongering Story is Scare Mongering

[jbmartin6]

Just look at the number of apps which ask for permission to read the IMEI number, whose only purpose is for individual user tracking. It's possible that permission in Android has some other purpose, the permission dialog isn't very informative. I'd really like a current app or rom which can provide false information for apps which shouldn't have it.

Re:Scare Mongering Story is Scare Mongering

[Jerry+Atrick]

When apps like "DuckDuckGo Search & Stories" seem to be in there because they want INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE & INSTALL_SHORTCUT permissions, a perfectly reasonable and tight set for what it does, you have to question the quality of this research. When apps can get on the list for blocking known trackers that's even more worrying.

Re: Scare Mongering Story is Scare Mongering

Android 7 will provide a fake IMEI and WiFi mac. You can still get the mac through native code, but that always worked.

Re:Scare Mongering Story is Scare Mongering

[evolutionary]

Really, how about this:

http://mashable.com/2017/11/15...

And another tibit: I was interviewed by a mobile app company that will remain nameless, but my primary job would have been to organize and analytic database so the company could find data trends to sell. They had so much raw data they didn't know how to use it yet. Company rep said: "People have idea how much data they are giving".

This isn't scare mongering, this is reality, until we start saying "no thanks". There are ways.

Re:Scare Mongering Story is Scare Mongering

[Rakarra]

If you read through and start clicking on the app reports, you'll get this disclaimer:

Privacy protecting applications embed lists of trackers signatures in order to block them. xodus could find tracker signatures in these blacklists and falsely report them as part of the application. If you have doubts about this report, contact us at contact@exodus-privacy.eu.org

Looking through some of the commercial apps that I have installed, it's pretty clear that a number of apps here are on the list which have 0 trackers (or a crash dump "tracker" which doesn't mean shit) but they have permissions which their service finds.. suspicious?

Let's use Discord as an example. exodus found 15 permissions that it thought were suspicious that this app should need. Sounds bad, right? Except there are valid reasons why Discord should need each of them:
* com.google.android.c2dm.permission.RECEIVE "Allows apps to accept cloud to device messages sent by the app's service." Yes, it's a service that supports push notifications if you set your account for it, like any sort of instant messenger.
* android.permission.CAMERA "Allows the app to take pictures and videos with the camera." Yes, the app allows you to do screen sharing and make video calls.
* android.permission.BLUETOOTH "Allows the app to view the configuration of the Bluetooth on the phone, and to make and accept connections with paired devices." Pretty much necessary if the application needs to select which input/output device to use for voice audio.
* android.permission.WAKE_LOCK "Allows the app to prevent the phone from going to sleep." Pretty much required if you need the voice connection and notifications to remain open when you're not actively using the phone.

And on and on and on. What I can see is the report flags a bunch of applications because the things that the application actually needs to do its intended work can also be used by spyware. Hey, it's good have a list to go through and check out yourself. But to gather all these together and then then say "all these popular apps have privacy-intruding trackers" is dishonest and not very responsible.

sometimes without user consent

As opposed to what? All the ones where the users begged to be tracked?

Also on iOS?

[Hrrrg]

Is this a problem iPhones too, or is this just an android problem?

Re:Also on iOS?

Affects iOS 100%. These tracking SDKs have iOS versions as well.

Re:Also on iOS?

I find iOS to be more explicit in informing the user about what an app is allowed to access and what it is not... That said, i'm not sure if there are ways to go around these security measures.

Re:Also on iOS?

[Oswald+McWeany]

Is this a problem iPhones too, or is this just an android problem?

Why track an apple user? We know where they are at all times. ... standing in line to buy the next iPhone.

"for whatever reason"

[SuperKendall]

Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.

I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.

Re:"for whatever reason"

[TheFakeTimCook]

Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.

I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.

I think you are absolutely right.

Between the App Review, Sandboxing, and iOS' OS-level "User Account Control"-like system of asking for User-permission to access data outside of an App, it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

Re:"for whatever reason"

Unless its Apple collecting the data.

Re: "for whatever reason"

Show me proof.

Re:"for whatever reason"

Holy shit, you guys have your head so deep in the sand it's not even funny.

Android, since 6.0, has had granular permissions just like iDevices. Android devices also explicitly tell you what information it will access, instead of silently allowing (like Uber's screen recording permission) because APL thinks it's okay.

Additionally, user permissions for every app are NOT necessary to track you. Tracking which games you play and which websites you go to is usually enough, since another app that has a legit reason for your contacts ALSO happened to be part of this tracking network.

Re:"for whatever reason"

[farble1670]

it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

I have this great bridge I'm selling at an incredible discount. Interested?

Re:"for whatever reason"

[TheFakeTimCook]

it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

I have this great bridge I'm selling at an incredible discount. Interested?

Put your Citations where your foot/mouth is.

Re:"for whatever reason"

[farble1670]

Put your Citations where your foot/mouth is.

You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.

Re:"for whatever reason"

[TheFakeTimCook]

Put your Citations where your foot/mouth is.

You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.

Neither is your Apple-Hating screed.

Stalemate.

Re:"for whatever reason"

[farble1670]

Neither is your Apple-Hating screed.

Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.

Re:"for whatever reason"

[TheFakeTimCook]

Neither is your Apple-Hating screed.

Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.

No naivety here.

Simply a considered opinion, just like yours.

Re:"for whatever reason"

[farble1670]

Simply a considered opinion, just like yours.

Yes, we both have opinions. So after several days of back and forth, you've worked as back to zero. Good job.

App?

[crow]

Do they have an app that I can install to check the apps on my phone? Not that it will do me much good if I still want to run those apps.

What I really want is a fake location service that returns a fake cell phone tower ID and fake GPS, but based on a real location of my choice. Then apps that want location data will get the fake location except for ones that I want to give the real location to (for example, Waze).

Blocking

[AVryhof]

So, where is the App that scans for these, and blocks the data endpoints?

I have Ad-Away from the F-Droid store, but I'm betting that my patched hosts file doesn't block them all.

What a joke Android.

That why I only use a professionally coded and reviewed iOS, which is built using a real OS: UNIX. That piece of junk called Android is based on Linux, which is a third rate Unix wannabe.

Re: What a joke Android.

AC isn't lying.

Re:What a joke Android.

[Rakarra]

Trolling troll is a little too obvious.

Like an ankle monitor except you carry it

If in 2017 you're still using a smartphone then you're signing off on being monitored, tracked, and surveilled continuosly, plain and simple. Dump the smartphone, get the cheapest dumbphone you can manage to have, only turn it on when you really need to use it, and otherwise learn to do without. Enough people do this and the wireless companies and phone manufacturers will get the idea: stop spying on people or you'll lose money.

What do you expect from a free app?

Developers have bills too.

Re: What do you expect from a free app?

So do welders. Developers arent special.

Re:What do you expect from a free app?

[Aighearach]

Actually, if they don't track you and the software just runs on the phone then it doesn't create a bill for the developer at all!

This may be a bit circular.

When I download an app from fdroid, nobody gets a bill.

Oh please

Every app at every company I've worked at has implemented Crashlytics / analytics services so that developers can fix issues, and marketing can get off to user events inside the app. This is exactly the same on iOS. There are no doubt apps out there that sell user data (I mean It's the damn business model of the internet) but it's not the primary use of these trackers.

Lazy

"The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps."

I know the link is buried in the story, but why not link to it directly, especially since it was mentioned in the summary.

http://reports.exodus-privacy.eu.org/reports/apps/

Is this news to us..?

[evolutionary]

Some of knew that virtually every app made by a commercial enterprise had trackers to extract data. This is why so much money has been spent on creating apps for phones instead of Phone friendly websites: you can get a LOT more data and have viewer options to block it. Otherwise it would be cheaper in development and maintenance to do a mobile friendly website. Data mining is the biggest business in the world right now and google is one of the leaders of this charge. Now, for those who WANT to get rid of this you can start by using an OS that doens't have google #$% apps preinstalled. LinageOS ( https://www.lineageos.org/ ) or Replicant OS (https://www.replicant.us/) as well as a phone that you can lock down microphones, cameras, and wireless that is linux based (https://puri.sm/) with no google spyware nonsense. If you have a more trusted on your Android compatible phone using LinageOS, CyanogenMod (old) or Replicant, you can get apps more trustworthy from FOSS using the F-Droid app (https://f-droid.org/). At least the apps are less likely to track you. Most don't ask for weird permissions like most commercial apps from, say the Google store tend to do. Hope that helps everyone remove the chains from their phones.

Santa Claus

[Oswald+McWeany]

These trackers are all installed by Santa! How else is he going to know if you're being naughty or nice.

You better watch out,
You better not cry,
You better not pout,
I'm telling you why,
Santa Clause is tracking your phone.

He sees you when you're naked,
he watches you undress,
he tracks your phones movement,
upon his G. P.S.

So what's the link?

[wardrich86]

The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

Why mention this if you're not even going to link to it?! Here's the URL that should have been plastered in the summary, and made more visible in TFA

Country-specific entertainment rights

[tepples]

Say you have downloaded an application to stream a particular movie from a particular provider. This movie is an adaptation of a novel whose copyright has expired in country A but not yet in country B, whose copyright term is longer than that of country A. This means the provider holds the rights to stream the movie to viewers in country A, not to viewers in country B. Without tracking the user's true location, how should the provider determine whether it has the rights to stream the movie to a particular viewer?

Re:Country-specific entertainment rights

How about asking "what is your location"? My grand mother thought me that if I want something from someone I should ask for it, not just take it.

But the real question is - is streaming a content a real source of profit or maybe the profits comes from tracking your user base, and streaming is just a way to get it?

Re:Country-specific entertainment rights

[tepples]

How about asking "what is your location"?

That's exactly what these apps do. The user can choose to deny location services to a particular application through the operating system's Settings. This would cause a movie streaming application to display only those movies to which the provider owns worldwide rights. Browse and search results would include a notice:

Results are limited because location services are disabled. Learn More

Tapping "Learn More" would display a help page:

Some studios make movies available only in specific countries or groups of countries. AppName needs your location in order to determine which movies can be viewed in your country. To provide your location to AppName, open your device's Settings and follow these steps:

On Android, it'd show steps like these; on iOS, it'd show steps like these. Does asking the user to turn on location services count as "asking"?

If you meant providing a list of countries and allowing the user to choose one, this approach would encourage the user to defraud the provider by knowingly providing an incorrect location. Relying on a location provided by the operating system deters casual fraud.

Re:Country-specific entertainment rights

[Rakarra]

How about asking "what is your location"? My grand mother thought me that if I want something from someone I should ask for it, not just take it.

If you ask, someone could lie. What the GP is talking about is a service where it is imperative that valid location data be passed back.

linkbait?

[swell]

Why not link to the source of the story instead of some commercial middleman? Is it all about kickbacks? Here's the list: https://reports.exodus-privacy...

Re:linkbait?

[SeaFox]

Irony: Ghostery is on the list of apps.

Space Trader

[execthis]

I miss Space Trader on my Palm V

TFA also has embedded trackers

[afgam28]

Ironically TFA is on a site that's full of trackers. I'm using the EFF's Privacy Badger extension, and I get:

detected 23 potential trackers on this page.

NetGuard

Get the free NetGuard firewall. Block everything except what you need to access the web. I even block everything google. No one gets out when NetGuard is running.

Block with squid

One can setup an OpenVPN with 'squid' as a proxy on the VPN. Configure OpenVPN to have clients direct all traffic through the VPN. And add an 'acl' to block all regex patterns in a file pointed to in squid.conf

Look at the GitHub link provided in the article. Under the "trackers" link, each entry has "Exodus Detection Rules" with regex patterns that you can have "squid" block.

You can add advertisers and other annoying site patterns to that list,

Connect to the VPN from your phone and things should be better.

explicitly turn off everything

[n329619]

On Android 5+, apps now have pops up (one time) for you to grant it permission to use those permissions.

If you have LineageOS, you can turn off everything including network for apps.

Not content with recording our sex habits..

[ShamblerBishop]

...they're even recording my kegel exercise history damnit!