Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Identify 44 Trackers in More Than 300 Android Apps (bleepingcomputer.com)

Posted by msmash on from the privacy-woes dept.

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

12 of 87 comments (clear)

  1. Android: The Gift That Keeps on Taking... by TheFakeTimCook · · Score: 3, Insightful

    This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

    1. Re:Android: The Gift That Keeps on Taking... by Anonymous Coward · · Score: 2

      This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

      Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.

      If I download a calculator, I want to be able to go in and pretty much explicitly turn off everything, because it has no business accessing my contacts, my location, or pretty much anything.

      I know my iPhone lets me do this to a certain extent, but neither of my Android devices support this.

      The reality is there is a couple of conclusions that I've made quite some time ago:

      1) all app developers are lying, greedy assholes who aren't honest about what they're doing
      2) all apps which essentially mirror a webpage serve no purpose but to add additional tracking
      3) any app which shouldn't require network access for its basic functions which can't operate in airplane mode needs to be uninstalled

      Most apps are pointless social media which I don't care about, or pointless games which try to force you to constantly touch and use micro transactions.

      I've found the number of actually useful apps that I actually make use of to likely be in the single digits. Everything else is just ads and other bullshit.

      Unfortunately, this seems to be what the mobile market actually wants, so if people are suddenly realizing their apps are spying on them I have little sympathy left in my heart for this. Everyone wants to download shiny apps so they can instagram taking a shit, or Facebook their friends they collected 7 turds in Ace Pooper Scooper.

      This is the kind of garbage people seem to like, if they're collectively too stupid to realize what is actually happening that's their problem.

    2. Re:Android: The Gift That Keeps on Taking... by chill · · Score: 4, Informative

      I'm not sure what version of Android you're talking about, but granular permissions have been available for some time now.

      My current phone is a OnePlus 3T and running Android 8.0.0 with the September 1, 2017 patch level. Yes, I know that is a very recent version of Android, but much of this was introduced earlier.

      I can go into Settings --> Apps and from there, view and control app permissions by permission or by app. That is, I can see every app that has access to something like SMS or my camera. Or, I can go in and see what permissions a specific app has. In both views, I can toggle specific permissions on and off.

      --
      Learning HOW to think is more important than learning WHAT to think.
  2. Making Reverse-Tracking Legal Would Solve This by dryriver · · Score: 2

    Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    1. Re:Making Reverse-Tracking Legal Would Solve This by Anonymous Coward · · Score: 2, Insightful

      What we need a law that makes it illegal to track users without explicit consent and whose violation ends the perpetrator (or company) not only with giant fines but jailtime too. And to the question "how can you jail a corporation ?" you can't but you can sure as hell jail the CEO and other executives. You know the ones how give the go ahead to enact such privacy invading policies. How fucking hard can it be ?
      Your reverse tracking law is pie in sky and serves no purpose beyond making you feel all warm and fuzzy.

    2. Re:Making Reverse-Tracking Legal Would Solve This by geekmux · · Score: 4, Insightful

      Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.

      Most CEOs don't have a fucking clue as to how their own products abuse privacy. They're never punished for abusing privacy, which is why they don't give a shit. Even when they do risk punishment or fines, they still weigh it against profit, which is truly all they care about. They continue to abuse privacy because they found out long ago that it's worth it.

      And do you know what happens when you try and do a WHOIS lookup on the worlds most popular domains? You get some generic result-by-proxy bullshit, which is exactly what any executive of any corporation would do if a reverse-tracking law were passed. You would never be allowed to track them, you would be allowed to track a sanitized proxy.

  3. Scare Mongering Story is Scare Mongering by Oliver+Wendell+Jones · · Score: 3, Interesting

    From the article:

    "In total, researchers said they identified 44 trackers embedded in over 300 Android apps. Overall, three-quarters of the 300+ apps Exodus analyzed contained at least one tracking component, with Google's CrashLytics and DoubleClick being the most popular trackers.

    While some trackers collected only app crash reports (such as Google's CrashLytics), some of these trackers also collected app usage info and user details, some of which were sensitive in nature."

    So, a majority of the apps are "contaminated" only with a plug-in from Google that collects "only app crash reports" - but somehow this indicates a massive privacy breach in 300+ Android apps? I think they may be a little overly paranoid on this one. Get back to me with legit numbers of "real, scary" tracking plug-ins...

    --
    A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    1. Re:Scare Mongering Story is Scare Mongering by Jerry+Atrick · · Score: 2

      When apps like "DuckDuckGo Search & Stories" seem to be in there because they want INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE & INSTALL_SHORTCUT permissions, a perfectly reasonable and tight set for what it does, you have to question the quality of this research. When apps can get on the list for blocking known trackers that's even more worrying.

  4. App? by crow · · Score: 2

    Do they have an app that I can install to check the apps on my phone? Not that it will do me much good if I still want to run those apps.

    What I really want is a fake location service that returns a fake cell phone tower ID and fake GPS, but based on a real location of my choice. Then apps that want location data will get the fake location except for ones that I want to give the real location to (for example, Waze).

  5. Re:"for whatever reason" by TheFakeTimCook · · Score: 2

    Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.

    I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.

    I think you are absolutely right.

    Between the App Review, Sandboxing, and iOS' OS-level "User Account Control"-like system of asking for User-permission to access data outside of an App, it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

  6. So what's the link? by wardrich86 · · Score: 3, Informative

    The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

    Why mention this if you're not even going to link to it?! Here's the URL that should have been plastered in the summary, and made more visible in TFA

  7. TFA also has embedded trackers by afgam28 · · Score: 2

    Ironically TFA is on a site that's full of trackers. I'm using the EFF's Privacy Badger extension, and I get:

    detected 23 potential trackers on this page.