Three Quarters of Android Apps Track Users With Third Party Tools, Says Study (theguardian.com)

← Back to Stories (view on slashdot.org)

Three Quarters of Android Apps Track Users With Third Party Tools, Says Study (theguardian.com)

Posted by BeauHD on Tuesday November 28, 2017 @01:25PM from the increased-transparency dept.

A study by French research organization Exodus Privacy and Yale University's Privacy Lab analyzed the mobile apps for the signatures of 25 known trackers and found that more than three in four Android apps contain at least one third-party "tracker." The Guardian reports: Among the apps found to be using some sort of tracking plugin were some of the most popular apps on the Google Play Store, including Tinder, Spotify, Uber and OKCupid. All four apps use a service owned by Google, called Crashlytics, that primarily tracks app crash reports, but can also provide the ability to "get insight into your users, what they're doing, and inject live social content to delight them." Other less widely-used trackers can go much further. One cited by Yale is FidZup, a French tracking provider with technology that can "detect the presence of mobile phones and therefore their owners" using ultrasonic tones. FidZup says it no-longer uses that technology, however, since tracking users through simple wifi networks works just as well.

46 comments

Min score:

Reason:

Sort:

Breaking news by viperidaenz · 2017-11-28 13:55 · Score: 1

Tinder, Spotify, Uber and OKCupid, all applications that provide location-aware content may track your location!
1. Re:Breaking news by Anonymous Coward · 2017-11-28 16:49 · Score: 0
  
  There is no valid reason that any of them need access to location data.
2. Re:Breaking news by demonlapin · 2017-11-29 14:41 · Score: 1
  
  Actually, Uber does. Kind of useless if it doesn't know where you are.
Not a prob ... by CaptainDork · 2017-11-28 13:55 · Score: 1

Go to the apps in Settings and deny all that shit.
yvw

--
It little behooves the best of us to comment on the rest of us.
1. Re:Not a prob ... by Anonymous Coward · 2017-11-28 14:52 · Score: 1
  
  Google will have none of your shenanigans. It owns you and will track you, even if you keep your phone OFF, because you will have to turn it on eventually. And yes, Google is tied to Russians. Trump has perverted what is acceptable, and there you are. Roy Moore is your daddy!
2. Re:Not a prob ... by bug_hunter · 2017-11-28 18:00 · Score: 1
  
  This isn't tracking your GPS location, camera or anything like that.
  It's an app tracking specifically how you use that single app. Short of never enabling your network there's nothing you can do about that.
  Though in it's basic form it's just harmless developers wanting to know what features are popular, bug tracking etc.
  But yeah, the more over the top ones, such as the apparent ability to detect other mobile phones with sound, presumably is linked up to your microphones permissions.
  
  --
  It's turtles all the way down.
3. Re:Not a prob ... by antdude · 2017-11-28 20:39 · Score: 1
  
  It pisses me off that they want Internet, locations, etc. Argh!
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
My Apps by I'm+New+Around+Here · 2017-11-28 13:59 · Score: 1

I have a flashlight app from a security company that promises it is safe. I have my bank's app, which I'm sure is safe. I have 3 apps from online job sites, which I trust to be safe. And, finally, I have 2 network/wifi analyzer apps, which I trust to be safe.
As for apps that seem like they would want to spy on my as much as possible, I don't have any installed. Ones like Tindr, Uber, and OKCupid. So I don't really worry about apps tracking me.

--
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
1. Re: My Apps by Anonymous Coward · 2017-11-28 14:02 · Score: 1
  
  I count seven apps that are spying on you. Welcome to 21st century, citizen.
2. Re:My Apps by vux984 · 2017-11-28 14:04 · Score: 1
  
  What network wifi/analyzers are you using? The ones I've tried have been pretty much garbage, and the free versions are stuffed to the brim with ads and while the ads go away if you pay, I'm not sure I'd trust that any other tracking did.
  
  "I have my bank's app, which I'm sure is safe."
  I'm absolutely sure its not malware. I'm a lot less sure that they aren't tracking us more than they need to be, especially as the app from my bank is an ad vector for several of the banks services, so they are likely using tracking and analytics and telemetry to target and track 'enagement' etc with those ads.
  
  "I have 3 apps from online job sites, which I trust to be safe."
  As above.
3. Re:My Apps by Anonymous Coward · 2017-11-28 15:09 · Score: 0
  
  I have a flashlight app from a security company that promises it is safe.
  Surely you're being sarcastic? If not, then you definitely have the most relevant user name ever.
  Hint: Flashlight app is built-into newer Android builds[1]. Just pull down the bar at the top and click the flashlight icon.
  [1] = If you're not using a new enough build to have a built-in flashlight, then you obviously don't care about security, and your phone has defintely already been pwned by malicious websites, malicious wifi hotspots, etc. (TL;DR: You're already fucked if your phone doesn't have a built-in flashlight app.)
4. Re:My Apps by Anonymous Coward · 2017-11-28 19:38 · Score: 0
  
  I have my bank's app, which I'm sure is safe
  If you believe that, you could use your bank's app to pay for this bridge I'm selling.
  The last few big banks I've dealt with have all had Google/Facebook/nasties embedded in their online account management pages. It took me a long time to find one that didn't embed any crap in their online portal.
  I don't expect their apps to be any different.
5. Re: My Apps by Anonymous Coward · 2017-11-29 00:57 · Score: 0
  
  Maybe he really meant he has a fleshlight app.
6. Re:My Apps by infolation · 2017-11-29 02:54 · Score: 1
  
  For example HSBC (HSBC Mobile Banking), which uses Tealium tracking.
  
  Tealium: All of your data. Fully integrated. Tealium's Universal Data Hub connects your mobile, web, offline, and other data sources together with every vendor integration.
  
  Streaming Data Support to IaaS - Tealium's DataAccess now supports real-time data integrations with the world's three leading IaaS (Infrastructure as a Service) platforms. Through Amazon Kinesis, Google Cloud Pub/Sub, and Microsoft Azure's Stream Analytics, Tealium can now fuel your cloud architecture and analytics efforts. These new integrations are built on Tealium's global Cloud Delivery architecture which enables the collection and delivery of data from any customer experience touchpoint: web, mobile, IoT, wearable, and offline data sources.
  Plus the HSBC app uses:
  
  android.permission.READ_CONTACTS
  which allows the app to read data about your contacts stored on your phone, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals, and this permission allows apps to save your contact data.
7. Re: My Apps by pjt33 · 2017-11-29 03:56 · Score: 1
  
  Only seven? You optimist. You haven't counted any of the built-in can't-be-disabled crapware that comes bundled with the phone.
8. Re:My Apps by Anonymous Coward · 2017-11-29 05:12 · Score: 0
  
  he might be sarcastic, but don't call him Shirley.
9. Re: My Apps by Swave+An+deBwoner · 2017-11-29 08:35 · Score: 1
  
  Then he'd need a Moto Z Force with a custom module.
Depends how they're used by nasch · 2017-11-28 15:02 · Score: 2

This isn't necessarily nefarious. My company uses Google Analytics to help understand how the app is being used. We don't track anybody with it (I don't think we even could if we wanted to), we just see things like what versions of OSes are in use, which features are being used and which aren't, etc.
But then maybe some of the other tracking systems let you do more spy-ish stuff.
1. Re:Depends how they're used by Anonymous Coward · 2017-11-28 15:16 · Score: 0
  
  Maybe not nefarious but that's still spying. Just what app are you talking about?
2. Re:Depends how they're used by Anonymous Coward · 2017-11-29 02:25 · Score: 0
  
  This isn't necessarily nefarious. My company uses Google Analytics to help understand how the app is being used.
  Yes, and with Windows 10, Microsoft implemented a version of the same to see what UI options people were using. I don't care to look through your post history, but as a numbered Slashdotter I have little reason to suspect you weren't part of the angry mob about that one.
3. Re:Depends how they're used by wings · 2017-11-29 05:44 · Score: 1
  
  I suspect many who initiate data collection plan to use it similarly to what you're doing and they probably don't have nefarious intentions either. This becomes a problem though when that data is stored for any significant amount of time. Stored data becomes succeptible to changes in ownership, changes in management, sale, theft, law enforcement requests, etc. and then used or mined for purposes well outside the scope of what was originally intended. Those who can gain access to data from multiple different sources may be able to cross-reference and mine it for all kinds of unexpected information.
Solution? by Anonymous Coward · 2017-11-28 15:13 · Score: 0

There is no Android replacement firmware (well, at least not for most phones). Can we run the phone in a virtual machine? Some other solution?
Stop the application? by Trax3001BBS · 2017-11-28 16:53 · Score: 2

I assume all Google Store applications track and use the camera, after running an Application I'll go into settings > apps and force stop the application. The Front camera has electrical tape over it, fingernail polish keeps coming off.
A game I'll switch to airplane mode as well.
I'm also inputting the info from https://exodus-privacy.eu.org/ into my router.
It's the best I can do...
1. Re:Stop the application? by thereitis · 2017-11-28 17:13 · Score: 1
  
  Interesting site. I hope they aren't also tracking. Here's the list of applications they have reports for: https://reports.exodus-privacy...
2. Re:Stop the application? by Anonymous Coward · 2017-11-28 17:16 · Score: 0
  
  Even Firefox for mobile contains two trackers: https://reports.exodus-privacy.... That's disappointing.
3. Re:Stop the application? by Trax3001BBS · 2017-11-28 17:58 · Score: 1
  
  I'm also inputting the info from https://exodus-privacy.eu.org/ into my router.
  I had to type it out for myself, so posted for others use. https://slashdot.org/journal/2...
4. Re:Stop the application? by AmiMoJo · 2017-11-29 00:50 · Score: 1
  
  For a few versions of Android now, the first time an app tries to use the camera the user is prompted to give permission. On older versions camera access is listed in the permissions granted on installation, before you install.
  For enhanced privacy and ad-blocking, I recommend DNS66.
  Force stopping an application is insufficient. Android uses a system that allows apps to hook in to various events, such as the arrival of a new message, a given time or even a change of location. Android will re-start the app to let it process these events.
  If you are that concerned, try installing F-Droid and only using free, open source apps.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
5. Re:Stop the application? by Thiaf888 · 2017-11-29 01:30 · Score: 1
  
  I assume all Google Store applications track and use the camera, after running an Application I'll go into settings > apps and force stop the application. The Front camera has electrical tape over it, fingernail polish keeps coming off.
  A game I'll switch to airplane mode as well.
  I'm also inputting the info from https://exodus-privacy.eu.org/ into my router.
  It's the best I can do...
  This is a great help! Thank you. https://freelancerfaithkarin.w...
6. Re:Stop the application? by dszd0g · 2017-11-29 05:24 · Score: 1
  
  The DoubleClick is a false positive dealing with key pinning (as pointed out below it just looked for the string "doubleclick.net"). It prevents other Web sites from impersonating DoubleClick when a Web page includes a DoubleClick tracker. There is no DoubleClick tracking built into Firefox.
  Leanplum is open source spyware that is built into mobile Firefox (the desktop has similar). However, the spyware is disabled if you turn off telemetry/data sharing in the Firefox settings.
  
  --
  This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
It says nothing good that no one cares about this. by Anonymous Coward · 2017-11-28 18:13 · Score: 0

For the past days we've had constant apocalyptic predictions about what could happen if so called net neutrality is repealed, but when we get more conformation about how much data mining is happening within the Android OS we get pretty much no commentary other than pointless off topic bitching.
And ultimately this is why I don't give a DAMN about Net Neutrality. Because I don't really care if you don't get the best deal on whatever consumer streaming service that might be affected by the lose of preferential treatment in terms of bandwidth. The entire fucking industry is just shot through with anti piracy and anti consumer choice corporations as is.
Google Ad ID??? by Anonymous Coward · 2017-11-28 18:22 · Score: 0

"Network Access" isn't a deniable right on Android, by default all apps get to speak to the net. Courtesy of Google, so no, you can't turn off that shit.
But it also misses the biggest of them all, Google doesn't need to profile the device to generate a tracking id, because it has its very own tracking id built into every device and sent to Google with all Google built in apps.... aka the Google Advertiser ID. Again you want to turn it off, but you can't.
As a side note, if anyone from Samsung is reading, could you please fix up your shit magnifier view??? It crashes every app with a text view by slowly filling up memory with bitmaps when destroying textviews.
Failed to allocate a 375744 byte allocation with 134640 free bytes and 131KB until OOM (TextView.java:14803) 3) So it creates one
android.widget.TextView.getMagnifierView(TextView.java:14704) 2) there is no magnifier view for it to get
android.widget.Editor.onDetachedFromWindow(Editor.java:470) 1) notice the view is being destroyed.
Mobile App Development Trends That Will Make Your by apaspect · 2017-11-28 19:12 · Score: 1

Application developers are refining the existing mobile application development processes to increase their functionality and usability. Reports suggest that the Android application store is filled with nearly 2.8 million applications, whereas the Apple App Store has 2.2 million applications. http://appaspect.blogspot.in/2...
Re:1/3 of /. Stories are dupes, AC says by rastos1 · 2017-11-28 19:47 · Score: 1

The previous story was Researchers Identify 44 Trackers in More Than 300 Android Apps Are you saying that there is only 400 Android apps?
And yet despite this knowledge... by Anonymous Coward · 2017-11-28 22:53 · Score: 0

people will still justify using these goddam horrible devices (and no apple shit is even worse).
I laugh at the reasons people come up with, seriously its like talking to someone in a mental hospital.
Possible false positives? by Anonymous Coward · 2017-11-28 23:30 · Score: 0

Even Firefox for mobile contains two trackers: https://reports.exodus-privacy.... That's disappointing.
The linked page states that the detection rules are:
mng-ads\.com
doubleclick\.net
You could easily get false positives if it's plain string matching and the program contains those strings. The only other reason I see for Firefox to have those strings besides tracking that they are in a preloaded database of some kind.
1. Re:Possible false positives? by Anonymous Coward · 2017-11-29 01:16 · Score: 0
  
  Yeah, ironically those strings are used by Firefox to *block websites from accessing those trackers* as part of the built in Tracking Protection feature.
Switch back to iPhone by dslmodem · 2017-11-28 23:49 · Score: 1

Seriously. After seeing all sorts of app accessing my contact, my phone, my location, I decided to switch back to iPhone.

--
^(oo)^pig~
1. Re:Switch back to iPhone by Anonymous Coward · 2017-11-29 00:47 · Score: 0
  
  We are all glad you reverted to something that is more as your brain capacity.
  The rest of us can figure it out and move on because we are smarter.
2. Re:Switch back to iPhone by dslmodem · 2017-11-29 03:04 · Score: 1
  
  I have not been accusing that Android is inferior to iOS. Instead, I simply state a fact that letting apps off the hook and access all those user information is a big mistake.
  
  --
  ^(oo)^pig~
3. Re:Switch back to iPhone by pjt33 · 2017-11-29 03:54 · Score: 1
  
  But what makes you think that switching to iPhone gives you any benefit in that regard?
4. Re:Switch back to iPhone by Anonymous Coward · 2017-11-29 06:30 · Score: 0
  
  This fucking article would be a good start you big dummy.
They just want to track you like Google does by Anonymous Coward · 2017-11-29 08:14 · Score: 0

Google tracks my phone, my breathing, my movements while spyphone is on & phone location while spyphone is off but can it do so if Gapps framework & apps were not installed? With just LineageOS, no gapps, can Google still listen, photgraph & track?