Researchers Identify 44 Trackers in More Than 300 Android Apps (bleepingcomputer.com) 87
Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.
Android: The Gift That Keeps on Taking... (Score:4, Insightful)
This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.
Re: (Score:2)
Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.
If I download a calculator, I want to be able to go in and pretty much explicitly turn off everything, because it has no business accessing my contacts, my location, or pretty much anyt
Re:Android: The Gift That Keeps on Taking... (Score:5, Informative)
I'm not sure what version of Android you're talking about, but granular permissions have been available for some time now.
My current phone is a OnePlus 3T and running Android 8.0.0 with the September 1, 2017 patch level. Yes, I know that is a very recent version of Android, but much of this was introduced earlier.
I can go into Settings --> Apps and from there, view and control app permissions by permission or by app. That is, I can see every app that has access to something like SMS or my camera. Or, I can go in and see what permissions a specific app has. In both views, I can toggle specific permissions on and off.
Re: (Score:1)
Granular Permissions have been in Android since 6.0. Apps that target a lower version (i.e. you wouldn't be able to see them otherwise) will present the information.
That said, if you don't trust the app developer with the information, why are you installing it to begin with? They could quite easily build a profile on you without these premissions, and all they need is you to cllick yes once from another app they use.
Re: (Score:2)
Granular Permissions have been in Android since 6.0.
Given that half of all Android users are at lower versions than 6.0, that isn't ultimately helpful.
Google really needs to start forcing vendors to take responsibility, for example by requiring 3 years of OS upgrades before granting a license.
3 years is not too long a lifespan to expect from a phone; while most of us are reasonably well off and can afford to change more often, a lot of people aren't all that affluent, and need to use their phone for several years.
As long as Google allows and encourage compan
Re: (Score:2)
Re: (Score:2)
The ability to work with the removal of specific permissions depends on the minimum level of Android that the app was designed for. This works better on newer apps.
However, not all older apps have issues with disabling certain permissions. Just because *you* haven't seen one doesn't mean they don't exist. For example, Skype for Business is one of those apps designed for an older version of Android, yet survives my removal of its permission to access my calendar. It still works fine.
Yes, it is perfectly func
Re: (Score:2)
Re: (Score:2)
Install fdroid and then install apps that only ask for permisions you are willing to grant.
Installing a calculator that requires network and location access is foolhardy on your part unless you are cool with allowing the ads that it will be "giving" you to pay the developer.
Re: (Score:2)
This is exactly it!
If it is asks for your phone ID and also network access, it is tracking you. It even told you and asked! LOL
With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.
Never trust. Never.
Re: (Score:2)
With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.
Yep, completely reasonable. Modify the source and recompile and sideload all of your apps. Also make sure you keep up with new releases merging in changes with your modifications, rebuilding, and re-installing by hand.
Thanks for the useful suggestion.
Re: (Score:2)
Yes you have to do a bit of work to stop the developer from monetizing an app they created, you found valuable, but don't want to pay for.
Re: (Score:2)
Install fdroid
That might work for a calculator or a flashlight. But it doesn't help much for things like games, for reasons that have been explained elsewhere [pineight.com].
Or has a viable business model emerged for developing video games for distribution as free software from day one? If the model involves developing the engine as free software but everything but the engine as non-free and paywalled, F-Droid currently considers that an anti-feature called NonFreeAssets [f-droid.org].
Re: (Score:2)
That's the price for playing these games. It's not like there is a need for these games and there are plenty of alternative (maybe less flashy) games to play.
I understand the frustration. Trying to find even a solitaire game on the play store that doesn't request access to everything under the sun is a challenge. It's why I check fdroid first. That said, I understand why they developers do it since most people don't want to pay currency for anything and get bombarded enough with ads to not be outraged w
Space Trader (Score:2)
I miss Space Trader on my Palm V
Re: (Score:2)
Install fdroid and then install apps that only ask for permisions you are willing to grant.
Or, install from Google Play and then install apps that only ask for permissions you are willing to grant.
Or, sideload apps that only ask for permissions you are willing to grant.
You are *always* prompted to grant permissions.
Re: (Score:2)
Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.
Good thing Android added that two releases ago. Phew! We almost had a problem on our hands there.
explicitly turn off everything (Score:2)
On Android 5+, apps now have pops up (one time) for you to grant it permission to use those permissions.
If you have LineageOS, you can turn off everything including network for apps.
Re: (Score:2)
This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.
Per TFA (toward the bottom), the tracking providers also provide iOS components/libraries, so it's likely they are affected/infected as well. It's just that this study didn't look at them (for whatever reason).
"for whatever reason" (Score:1)
Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.
I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.
Re: (Score:3)
Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.
I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.
I think you are absolutely right.
Between the App Review, Sandboxing, and iOS' OS-level "User Account Control"-like system of asking for User-permission to access data outside of an App, it just doesn't seem too likely that iOS would be affected to any great extent, if at all...
Re: (Score:2)
it just doesn't seem too likely that iOS would be affected to any great extent, if at all...
I have this great bridge I'm selling at an incredible discount. Interested?
Re: (Score:2)
it just doesn't seem too likely that iOS would be affected to any great extent, if at all...
I have this great bridge I'm selling at an incredible discount. Interested?
Put your Citations where your foot/mouth is.
Re: (Score:2)
Put your Citations where your foot/mouth is.
You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.
Re: (Score:2)
Put your Citations where your foot/mouth is.
You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.
Neither is your Apple-Hating screed.
Stalemate.
Re: (Score:2)
Neither is your Apple-Hating screed.
Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.
Re: (Score:2)
Neither is your Apple-Hating screed.
Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.
No naivety here.
Simply a considered opinion, just like yours.
Re: (Score:2)
Simply a considered opinion, just like yours.
Yes, we both have opinions. So after several days of back and forth, you've worked as back to zero. Good job.
Re: (Score:1)
Seriously, this is really holding back mobile computing.
My bank asked if I'd installed their mobile app. Are you kidding? I would never put any important information into my phone. I don't trust it at all.
Re: (Score:2)
Trolling troll is a little too obvious.
Making Reverse-Tracking Legal Would Solve This (Score:3)
Re: (Score:2, Insightful)
What we need a law that makes it illegal to track users without explicit consent and whose violation ends the perpetrator (or company) not only with giant fines but jailtime too. And to the question "how can you jail a corporation ?" you can't but you can sure as hell jail the CEO and other executives. You know the ones how give the go ahead to enact such privacy invading policies. How fucking hard can it be ?
Your reverse tracking law is pie in sky and serves no purpose beyond making you feel all warm and f
Re: (Score:2)
"Explicit consent" is a worthless and meaningless measure.
Everyone already agrees to all the bullshit that a particular piece of software demands of them - either during the installation or when starting the software.
Or during updates. [youtube.com]
What would be necessary goes beyond tracking or consent.
Basically, there's a need for legislation treating software and hardware developers as presumed criminals and fraudsters - requiring proof and regular inspection that they are not defrauding or abusing their customers, at
Re: (Score:2)
Re:Making Reverse-Tracking Legal Would Solve This (Score:5, Insightful)
Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.
Most CEOs don't have a fucking clue as to how their own products abuse privacy. They're never punished for abusing privacy, which is why they don't give a shit. Even when they do risk punishment or fines, they still weigh it against profit, which is truly all they care about. They continue to abuse privacy because they found out long ago that it's worth it.
And do you know what happens when you try and do a WHOIS lookup on the worlds most popular domains? You get some generic result-by-proxy bullshit, which is exactly what any executive of any corporation would do if a reverse-tracking law were passed. You would never be allowed to track them, you would be allowed to track a sanitized proxy.
Re: (Score:2)
It's really no wonder that ANY company uses that 'Result-by-proxy bullshit' as you call it. I wouldn't want all that spam either.
Re: (Score:2)
You already have that right — and always did. With very few exceptions, whatever you can legally see, hear, or otherwise perceive, you can record and even sell the recordings others.
Watching...
Scare Mongering Story is Scare Mongering (Score:4, Interesting)
"In total, researchers said they identified 44 trackers embedded in over 300 Android apps. Overall, three-quarters of the 300+ apps Exodus analyzed contained at least one tracking component, with Google's CrashLytics and DoubleClick being the most popular trackers.
While some trackers collected only app crash reports (such as Google's CrashLytics), some of these trackers also collected app usage info and user details, some of which were sensitive in nature."
So, a majority of the apps are "contaminated" only with a plug-in from Google that collects "only app crash reports" - but somehow this indicates a massive privacy breach in 300+ Android apps? I think they may be a little overly paranoid on this one. Get back to me with legit numbers of "real, scary" tracking plug-ins...
Re: (Score:2)
Re: (Score:3)
When apps like "DuckDuckGo Search & Stories" seem to be in there because they want INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE & INSTALL_SHORTCUT permissions, a perfectly reasonable and tight set for what it does, you have to question the quality of this research. When apps can get on the list for blocking known trackers that's even more worrying.
Re: (Score:2)
http://mashable.com/2017/11/15... [mashable.com]
And another tibit: I was interviewed by a mobile app company that will remain nameless, but my primary job would have been to organize and analytic database so the company could find data trends to sell. They had so much raw data they didn't know how to use it yet. Company rep said: "People have idea how much data they are giving".
This isn't scare mongering, this is reality, until we start saying "no thanks". There are ways.
Re: (Score:2)
If you read through and start clicking on the app reports, you'll get this disclaimer:
Privacy protecting applications embed lists of trackers signatures in order to block them. xodus could find tracker signatures in these blacklists and falsely report them as part of the application. If you have doubts about this report, contact us at contact@exodus-privacy.eu.org
Looking through some of the commercial apps that I have installed, it's pretty clear that a number of apps here are on the list which have 0 trackers (or a crash dump "tracker" which doesn't mean shit) but they have permissions which their service finds.. suspicious?
Let's use Discord as an example. exodus found 15 permissions that it thought were suspicious that this app should need. Sounds bad, right? Except there are va
Also on iOS? (Score:2)
Is this a problem iPhones too, or is this just an android problem?
Re: (Score:1)
Re: (Score:2)
Is this a problem iPhones too, or is this just an android problem?
Why track an apple user? We know where they are at all times. ... standing in line to buy the next iPhone.
App? (Score:3)
Do they have an app that I can install to check the apps on my phone? Not that it will do me much good if I still want to run those apps.
What I really want is a fake location service that returns a fake cell phone tower ID and fake GPS, but based on a real location of my choice. Then apps that want location data will get the fake location except for ones that I want to give the real location to (for example, Waze).
Country-specific entertainment rights (Score:2)
Say you have downloaded an application to stream a particular movie from a particular provider. This movie is an adaptation of a novel whose copyright has expired in country A but not yet in country B, whose copyright term is longer than that of country A. This means the provider holds the rights to stream the movie to viewers in country A, not to viewers in country B. Without tracking the user's true location, how should the provider determine whether it has the rights to stream the movie to a particular v
Re: (Score:2)
How about asking "what is your location"?
That's exactly what these apps do. The user can choose to deny location services to a particular application through the operating system's Settings. This would cause a movie streaming application to display only those movies to which the provider owns worldwide rights. Browse and search results would include a notice:
Tapping "Learn More" would display a help page:
Re: (Score:2)
How about asking "what is your location"? My grand mother thought me that if I want something from someone I should ask for it, not just take it.
If you ask, someone could lie. What the GP is talking about is a service where it is imperative that valid location data be passed back.
Blocking (Score:2)
So, where is the App that scans for these, and blocks the data endpoints?
I have Ad-Away from the F-Droid store, but I'm betting that my patched hosts file doesn't block them all.
Like an ankle monitor except you carry it (Score:1)
Re: (Score:2)
Actually, if they don't track you and the software just runs on the phone then it doesn't create a bill for the developer at all!
This may be a bit circular.
When I download an app from fdroid, nobody gets a bill.
Oh please (Score:1)
Every app at every company I've worked at has implemented Crashlytics / analytics services so that developers can fix issues, and marketing can get off to user events inside the app. This is exactly the same on iOS. There are no doubt apps out there that sell user data (I mean It's the damn business model of the internet) but it's not the primary use of these trackers.
Is this news to us..? (Score:2)
Santa Claus (Score:2)
These trackers are all installed by Santa! How else is he going to know if you're being naughty or nice.
You better watch out,
You better not cry,
You better not pout,
I'm telling you why,
Santa Clause is tracking your phone.
He sees you when you're naked,
he watches you undress,
he tracks your phones movement,
upon his G. P.S.
So what's the link? (Score:4, Informative)
Why mention this if you're not even going to link to it?! Here's the URL that should have been plastered in the summary, and made more visible in TFA [eu.org]
linkbait? (Score:2)
Why not link to the source of the story instead of some commercial middleman? Is it all about kickbacks? Here's the list: https://reports.exodus-privacy... [eu.org]
Re: (Score:2)
Irony: Ghostery is on the list of apps.
TFA also has embedded trackers (Score:3)
Ironically TFA is on a site that's full of trackers. I'm using the EFF's Privacy Badger [eff.org] extension, and I get:
detected 23 potential trackers on this page.
Not content with recording our sex habits.. (Score:1)