Slashdot Mirror


18,000 Android Apps Track Users By Violating Advertising ID Policies (bleepingcomputer.com)

18,000 Android apps with tens or hundreds of millions of installs on the Google Play Store have been found to violate Google's Play Store Advertising ID policy guidance by collecting persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs.

Bleeping Computer reports: AppCensus is an organization based in Berkeley, California, and created by researchers from all over the world with expertise in a wide range of fields, ranging from networking and privacy to security and usability. The project is supported by "grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab." By highlighting this behavior, AppCensus shows that while users are being offered the option to reset the advertising ID, doing so will not immediately translate into getting a new "identity" because app developers can also use a multitude of other identifiers to keep their tracking and targeting going.

Google did not yet respond to a report sent by AppCensus in September 2018 containing a list of 17,000 Android apps that send persistent identifiers together with ad IDs to various advertising networks, also attaching a list of 30 recipient mobile advertising related domains where the various IDs were being sent. While looking at the network packets sent between the apps and these 30 domains, AppCensus observed that "they are either being used to place ads in apps, or track user engagement with ads."
In a statement to CNET, a Google spokesperson said: "We take these issues very seriously. Combining Ad ID with device identifiers for the purpose of ads personalization is strictly forbidden. We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies."

Some of the most popular applications found to be violating Google's Usage of Android Advertising ID policies include Clean Master, Subway Surfers, Flipboard, My Talking Tom, Temple Run 2, and Angry Birds Classic. The list goes on and on, and the last app in the "Top 20" list still has over 100 million installations.
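The co-transmission the report describes can be checked for in traffic captured from a test device. The following is an added example, not code from AppCensus or the article: it flags requests that carry an ad ID together with a persistent identifier, and lists which ad IDs end up tied to the same identifier across a reset. The device values, package names, hosts, field names and the MD5/SHA-1 encodings searched for are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed test-device values (not real identifiers).
DEVICE = {"imei": "350000000000001", "wifi_mac": "02:00:5e:10:00:01",
          "serial": "TESTSERIAL0001"}
OLD_AD_ID = "11111111-aaaa-4aaa-8aaa-000000000001"  # before the user reset it
NEW_AD_ID = "22222222-bbbb-4bbb-8bbb-000000000002"  # after the reset
IMEI_MD5 = hashlib.md5(DEVICE["imei"].encode()).hexdigest()

# Constructed request log, as an intercepting proxy on the test device might record it.
FLOWS = [
    {"app": "com.example.flashlight", "host": "ads.example.net",
     "body": f"adid={OLD_AD_ID}&imei={DEVICE['imei']}"},
    {"app": "com.example.flashlight", "host": "ads.example.net",  # hashed IMEI
     "body": f"adid={NEW_AD_ID}&did={IMEI_MD5}"},
    {"app": "com.example.notes", "host": "ads.example.org",       # ad ID only
     "body": f"adid={NEW_AD_ID}&lang=en"},
    {"app": "com.example.wifi", "host": "api.example.com",        # MAC, no ad ID
     "body": "mac=02:00:5E:10:00:01"},
]

def encodings(value):
    """Forms to search for: the raw value plus MD5/SHA-1 hex (assumed encodings)."""
    raw = value.encode()
    return {value.lower(), hashlib.md5(raw).hexdigest(),
            hashlib.sha1(raw).hexdigest()}

def audit(flows, device, ad_ids):
    """Return (violations, links): requests that combine an ad ID with a
    persistent identifier, and the ad IDs each such identifier ties together."""
    violations, links = [], defaultdict(set)
    for flow in flows:
        body = flow["body"].lower()
        seen_ads = [a for a in ad_ids if a.lower() in body]
        seen_ids = sorted(name for name, value in device.items()
                          if any(form in body for form in encodings(value)))
        if seen_ads and seen_ids:  # only the combination is flagged
            violations.append((flow["app"], flow["host"], seen_ids))
            for name in seen_ids:
                links[name].update(seen_ads)
    return violations, dict(links)

if __name__ == "__main__":
    violations, links = audit(FLOWS, DEVICE, [OLD_AD_ID, NEW_AD_ID])
    for app, host, ids in violations:
        print(f"{app} -> {host}: ad ID sent with {', '.join(ids)}")
    for name, ids in links.items():
        print(f"{name} ties together {len(ids)} ad ID(s): reset was ineffective")
```

A persistent identifier that appears in `links` with more than one ad ID is the case the article warns about: the reset produced a new ad ID, but the recipient can still match it to the old one.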

33 comments

  1. Shocked, shocked to find gambling going on here by sinij · · Score: 2

    Google, here is your winnings.

  2. Google won't give up app revenue by Anonymous Coward · · Score: 0

    Google will definitely not give up in app purchase revenue from their most downloaded apps.

  3. I installed a firewall by Snotnose · · Score: 3, Informative

    and found out my flashlight app was calling home every 3-4 seconds. I hadn't used the app in months. Deleted it, installed a new one, things were good.

    Uninstalled a couple other apps for the same reason. But the flashlight was the one that stuck in my head.

    Unfortunately I had to uninstall the firewall app because it was draining my battery at a ridiculous rate. But I haven't installed an app since then so I think I'm good.

    Seriously folks, if you run Android install a firewall app and be prepared to be shocked.

    1. Re:I installed a firewall by Anonymous Coward · · Score: 0

      > But I haven't installed an app since then so I think I'm good.

      Are you sure about that? You don't think there's a chance you downloaded an update to an app you already have that introduced bad behavior after uninstalling the firewall?

    2. Re:I installed a firewall by Anonymous Coward · · Score: 0

      Seriously, you're an idiot either way.

    3. Re:I installed a firewall by Aighearach · · Score: 1

      Well, if you were ever paying attention you wouldn't be shocked at all.

      A flashlight app needs no permissions at all. None. No permissions. If you try to install a flashlight app and it asks for networking, don't install it.

      It seems rather simple, actually. Does following that type of system cut down the available apps? Yes, drastically! It cuts it all the way down to the ones that only do what you want.

      If you can't find any, try f-droid.

    4. Re: I installed a firewall by astrofurter · · Score: 2

      Try this one instead:

      https://github.com/M66B/NetGua...

      It's open source (GPL) and appears to improve battery life on my Android, by blocking the incessant network chatter of many apps.

    5. Re:I installed a firewall by iamwahoo2 · · Score: 1

      We need more app repositories like f-droid that cater toward users that are not getting what they need out of play store. I personally do not mind paying for my apps from a repository that guaranteed privacy. What is a few dollars in the grand scheme of things, but it is actually getting hard to find quality apps that will respect your privacy for a price.

  4. Say it isn't so by JustAnotherOldGuy · · Score: 2

    ME SO SHOCKED

    Seriously- who thought these fuckers weren't breaking every rule and sucking up every bit of data they could?

    The next big thing in data will be vehicular data- where you drive, when you drive, how fast, how often, etc etc etc. Everyone wants this data and many of the newer crop of cars collect LOTS of it, then beam it back to the manufacturer or one of their paid data collectors.

    Do you think a Tesla isn't recording what the driver does when they take their foot off the brake or roll down a window? Of course they are.

    Soon all the major car manufacturers will be collecting "driver data". It's a gold mine for them because advertisers will pay real money for the data.

    Eventually you won't be able to drive past a Burger King without a 10% off coupon flashing on your in-car display, and they'll probably interrupt your music or radio to tell you about it. They already do it in malls.

    You laugh now, but it's coming.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:Say it isn't so by Anonymous Coward · · Score: 0

      Funny thing is the rules are set by the biggest ad monopolies, Google who also just so happens to own the Android platform which has an ad network integrated in the OS. While app developers get shunned for this, Google is allowed to combine your ad id with any tracking information because they have no checks on what they do.

      Sure, it's a good thing these developers stop tracking you, but whenever Google points the finger, nobody looks at the elephant in the room who benefits by shutting down potential ad network competition.

    2. Re:Say it isn't so by Anonymous Coward · · Score: 0

      > They already do it in malls.

      Turn your fucking Bluetooth off when you're in the mall. I've been doing that since I owned a Motorola RAZR. First generation.

  5. Birds of a feather by Anonymous Coward · · Score: 0

    They're all just following in the footsteps of mumma bear.

  6. vs Apple by Anonymous Coward · · Score: 0

    Compared with Apple who revoked developer certificates within days of being notified of violations. Though to be fair, that was after news articles and they only had a couple companies to check rather than thousands. We'll see how 'good' Google is if they ban all those apps next week.

  7. hey Google, get up and get to work by FudRucker · · Score: 2

    and purge google playstore of all these apps that violate the terms of service and violate people's privacy, and offer to purge people's phones, i would like to see apps just disappear if they are violating my privacy, you better do it or my next phone will be a dumb phone like one of those nokia 3310,

    --
    Politics is Treachery, Religion is Brainwashing

  8. Re: Shocked, shocked to find gambling going on her by Anonymous Coward · · Score: 0

    Oh google abides by the same rules though so we can trust them to put their junk on our devices. Or not.

  9. Left hand not talking to the right by Anonymous Coward · · Score: 0

    Chrome didn't implement the DO NOT TRACK header because they knew it was stupid. Asking websites "Here's all my data but please don't use it" is a stupid idea

    Apparently the Android team didn't get the memo and implemented a similar policy "Here's all the data on the user's device but please don't use it"

    The only real solution is not to make that data available in the first place.

  10. Google? by Mr.+Dollar+Ton · · Score: 2

    This ain't simply a "google" issue, but a bright example of how "markets will self-regulate". Joker: they won't, not without a body that can draw regulations AND dispense "justice" in the form of sufficient extra costs so that it is more expensive to the user.

    This is the main reason why I've not and I am not buying, installing or using "apps" that are just front-ends to network services, if I cannot use it behind a firewall, it isn't worth having.

    It is also an example of how low the app hygiene of the "average user" is.

    Incidentally, if you pick a public finance textbook, you'll see that these three problems - lack of regulations, lack of enforcement and cost asymmetries - are the most important failures that help capitalism subvert capitalist democracy :)

    1. Re: Google? by Anonymous Coward · · Score: 0

      Tainted data... sooo anyone with these databases of ad ID + IMEI can basically be sued for illegally obtaining these IMEI if they have an Android phone LOL

      OMG the entire freaking advertisement industry is open to class action lawsuits now for being so dumbassed about collecting and correlating all these data points! LOL any company caught with an IMEI tagged database is literally asking for a lawsuit down the road because it was illegal abuse of Google policy's in the first place and any continued use of that data is going to make them liable for continued infringement of privacy issues and illegal data collection.

      Ouch!

    2. Re: Google? by Anonymous Coward · · Score: 0

      Nothing is illegal about it, all what "the googs" can do is disable the app pissing off its lovely customers

    3. Re: Google? by Anonymous Coward · · Score: 0

      You have an iPhone. Haha

  11. full list? by Anonymous Coward · · Score: 0

    where is the full list? i only see the top 20

  12. By taking action... by scdeimos · · Score: 1

    > We're constantly reviewing apps -- including those listed in the researcher's report -- and will take action when they do not comply with our policies.

    By taking action they mean laughing maniacally at all the extra advertising revenue they're raking in.

    1. Re:By taking action... by Anonymous Coward · · Score: 0

      Probably. I mean, the damage is already done and the data's out there. We've caught enough in our fish net, haul it in and let the fish stock stabilize, then do it again. I wouldn't be surprised with the stiff penalties being threatened on data mishandling if certain companies just let someone else just break the law for them and then reap the benefits. Kind of a legal firewall against things like GDPR.

  13. Libraries by Tomahawk · · Score: 4, Interesting

    Many apps use advertising libraries from other companies, and it's mainly these libraries that collect this data. The app writer may not even be aware of this, content in the fact that for a few lines of additional code they get ads in their so e, and thus revenue.

    The question here is, are the app developers at fault here, or the advertising companies that provide the libraries?

    1. Re:Libraries by pushing-robot · · Score: 3, Insightful

      Google is at fault for allowing unfettered access to data that 99.999% of honest apps would never need.

      If an app has a valid need for SIM card info, or any private, exploitable, or uniquely identifiable data for your device, it can bloody well ask for it.

      Letting apps apparently work on the honor system, and not even policing apps in their own store, puts the blame squarely in Google's lap.

      --
      How can I believe you when you tell me what I don't want to hear?

    2. Re:Libraries by Anonymous Coward · · Score: 0

      All three are at fault.
      1) Google for the reasons you listed.
      2) Lazy app developers that don't notice what permissions their app is requesting.
      3) Scummy marketing firms - if you're a software engineer working at one of these places, you should feel bad about your choices in life.

    3. Re:Libraries by hraponssi · · Score: 2

      I wrote some simple games few years back, added the game development platforms libraries in it for ads. Because no-one wants to pay for anything anyway. Some year(s) later, got a message from Google they removed some of the app(s) due to some advertisement id violations. I did not care much since the games were not that great and had few downloads, so I let them take them down rather than start investigating and rewriting. I still have no idea what that was, just used the platform for what I thought it was.. I can imagine many more are in similar situation.

    4. Re:Libraries by Anonymous Coward · · Score: 0

      > Google is at fault for allowing unfettered access to data that 99.999% of honest apps would never need.

      Agreed. Why isn't the operating system preventing these data points from being probed? An app wouldn't be able to determine your IMEI if it wasn't so easy to get the O/S to report that information to the app. Better permissions and data isolation should happen at the O/S level.

      Android runs Linux under the hood, so it's not like it would be difficult. This leads me to believe this lack of security is a deliberate choice Google made, not a limitation they were stuck with. Lock down /proc and /sys/class for starters, not every fucking application needs unfettered access to that shit.

  14. List of 18k apps? by Freshly+Exhumed · · Score: 2

    Where the hell is the damned list of all ~18,000 apps? None of the given links provide this obviously necessary information.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.

    1. Re:List of 18k apps? by Anonymous Coward · · Score: 0

      This. And also the names and home addresses of the developers.

    2. Re:List of 18k apps? by Anonymous Coward · · Score: 0

      If a developer was knowingly breaking the ID Policies for some not so good intentions, there is a chance that they might start throwing around legal threats if someone outed their not good practises.

      I think that these types of news stories will not usually name the apps to avoid a fuck ton of legal worries from dodgy app developers.

  15. hmm.. by Anonymous Coward · · Score: 0

    doesn't google's own apps pull shit shit and more? and then also tie your device (and your device's google account) to the massive trove of data that google has on you.. from other sources, other google accounts, pc use, public (and private records), web crawls and more?

  16. W T F by Anonymous Coward · · Score: 0

    What shocks me (and probably shouldn't) is that Google didn't make an actual security mechanism to prevent this. More like "Okay, foxes, the door to the henhouse is unlocked but I know you'll run along and play nice".
    Functionality wise I have always preferred Android but this is just mind blowingly stupid. Just another reason to use a different phone OS.