Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Privacy Android Google

Researchers Identify 44 Trackers in More Than 300 Android Apps (bleepingcomputer.com) 87

Catalin Cimpanu, reporting for BleepingComputer: A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android apps and record user activity, sometimes without user consent. The results of this study come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites. The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps -- such as Uber, Twitter, Tinder, Soundcloud, or Spotify. The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.
This discussion has been archived. No new comments can be posted.

Researchers Identify 44 Trackers in More Than 300 Android Apps

Comments Filter:
  • by TheFakeTimCook ( 4641057 ) on Tuesday November 28, 2017 @11:05AM (#55636545)

    This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

    • by Anonymous Coward

      This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

      Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.

      If I download a calculator, I want to be able to go in and pretty much explicitly turn off everything, because it has no business accessing my contacts, my location, or pretty much anyt

      • by chill ( 34294 ) on Tuesday November 28, 2017 @12:00PM (#55636853) Journal

        I'm not sure what version of Android you're talking about, but granular permissions have been available for some time now.

        My current phone is a OnePlus 3T and running Android 8.0.0 with the September 1, 2017 patch level. Yes, I know that is a very recent version of Android, but much of this was introduced earlier.

        I can go into Settings --> Apps and from there, view and control app permissions by permission or by app. That is, I can see every app that has access to something like SMS or my camera. Or, I can go in and see what permissions a specific app has. In both views, I can toggle specific permissions on and off.

        • Which is a completely useless waste of time as the application will simply refuse to run. This is universal on both Android, iOS, and even BB10. Granular permissions are meaningless since the applications will only give a complaint about you taking away camera, mic, and addressbook permissions and quit without letting you use them. I've yet to see a single application that didn't do this and you can bet the ones doing stupid shit you wouldn't want are going to be even more militant. So, I get it, in your pa
          • by chill ( 34294 )

            The ability to work with the removal of specific permissions depends on the minimum level of Android that the app was designed for. This works better on newer apps.

            However, not all older apps have issues with disabling certain permissions. Just because *you* haven't seen one doesn't mean they don't exist. For example, Skype for Business is one of those apps designed for an older version of Android, yet survives my removal of its permission to access my calendar. It still works fine.

            Yes, it is perfectly func

            • You managed to find one app that doesn't freak out and obstinately refuse to run after having it's permissions altered. Congrats. I don't really see that as validating your excitement about the nearly useless granular permissions feature, but if your point is "Hey! It's possible. It was done once. See?" Okay, wonderful, but that damn sure isn't the norm for new or old applications. That's what these constant drumbeat of horrifying news about mobile security are elucidating. Now, do you really think that an
      • Install fdroid and then install apps that only ask for permisions you are willing to grant.

        Installing a calculator that requires network and location access is foolhardy on your part unless you are cool with allowing the ads that it will be "giving" you to pay the developer.

        • This is exactly it!

          If it is asks for your phone ID and also network access, it is tracking you. It even told you and asked! LOL

          With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.

          Never trust. Never.

          • With fdroid, if an app asks for permissions it doesn't need I can just download it and take them out of the code.

            Yep, completely reasonable. Modify the source and recompile and sideload all of your apps. Also make sure you keep up with new releases merging in changes with your modifications, rebuilding, and re-installing by hand.

            Thanks for the useful suggestion.

            • Yes you have to do a bit of work to stop the developer from monetizing an app they created, you found valuable, but don't want to pay for.

        • by tepples ( 727027 )

          Install fdroid

          That might work for a calculator or a flashlight. But it doesn't help much for things like games, for reasons that have been explained elsewhere [pineight.com].

          Or has a viable business model emerged for developing video games for distribution as free software from day one? If the model involves developing the engine as free software but everything but the engine as non-free and paywalled, F-Droid currently considers that an anti-feature called NonFreeAssets [f-droid.org].

          • That's the price for playing these games. It's not like there is a need for these games and there are plenty of alternative (maybe less flashy) games to play.

            I understand the frustration. Trying to find even a solitaire game on the play store that doesn't request access to everything under the sun is a challenge. It's why I check fdroid first. That said, I understand why they developers do it since most people don't want to pay currency for anything and get bombarded enough with ads to not be outraged w

        • Install fdroid and then install apps that only ask for permisions you are willing to grant.

          Or, install from Google Play and then install apps that only ask for permissions you are willing to grant.
          Or, sideload apps that only ask for permissions you are willing to grant.

          You are *always* prompted to grant permissions.

      • Yup, I want OS-level selectable permissions I can apply to each application, whenever I wish ... and if that utterly breaks an application too bad.

        Good thing Android added that two releases ago. Phew! We almost had a problem on our hands there.

      • On Android 5+, apps now have pops up (one time) for you to grant it permission to use those permissions.

        If you have LineageOS, you can turn off everything including network for apps.

    • This stuff will NEVER cease until Google themselves stops being the greatest Data Sink of all time, and puts some actual Privacy into Android. ...and we ALL know when that will be.

      Per TFA (toward the bottom), the tracking providers also provide iOS components/libraries, so it's likely they are affected/infected as well. It's just that this study didn't look at them (for whatever reason).

      • Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.

        I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.

        • Maybe that reason is more careful app review, or the fact that it's not nearly so easy to collect interesting data from an iOS app because the user has to agree to access and the app has to declare its intent to access (which is also part of the review), nor or iOS apps as freely able to run all the time.

          I've no doubt there are some trackers embedded in iOS apps, but I would think it would be a lot more limited scene because few apps would garner much use or ability to mine data.

          I think you are absolutely right.

          Between the App Review, Sandboxing, and iOS' OS-level "User Account Control"-like system of asking for User-permission to access data outside of an App, it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

          • it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

            I have this great bridge I'm selling at an incredible discount. Interested?

            • it just doesn't seem too likely that iOS would be affected to any great extent, if at all...

              I have this great bridge I'm selling at an incredible discount. Interested?

              Put your Citations where your foot/mouth is.

              • Put your Citations where your foot/mouth is.

                You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.

                • Put your Citations where your foot/mouth is.

                  You first. "it just doesn't seem ..." isn't a citation, or a fact, or otherwise useful data.

                  Neither is your Apple-Hating screed.

                  Stalemate.

                  • Neither is your Apple-Hating screed.

                    Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.

                    • Neither is your Apple-Hating screed.

                      Apple-hating? No, I have many Apple products. I am just pointing out the level of your naivety.

                      No naivety here.

                      Simply a considered opinion, just like yours.

                    • Simply a considered opinion, just like yours.

                      Yes, we both have opinions. So after several days of back and forth, you've worked as back to zero. Good job.

    • by Anonymous Coward

      Seriously, this is really holding back mobile computing.

      My bank asked if I'd installed their mobile app. Are you kidding? I would never put any important information into my phone. I don't trust it at all.

  • by dryriver ( 1010635 ) on Tuesday November 28, 2017 @11:07AM (#55636561)
    Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      What we need a law that makes it illegal to track users without explicit consent and whose violation ends the perpetrator (or company) not only with giant fines but jailtime too. And to the question "how can you jail a corporation ?" you can't but you can sure as hell jail the CEO and other executives. You know the ones how give the go ahead to enact such privacy invading policies. How fucking hard can it be ?
      Your reverse tracking law is pie in sky and serves no purpose beyond making you feel all warm and f

      • "Explicit consent" is a worthless and meaningless measure.
        Everyone already agrees to all the bullshit that a particular piece of software demands of them - either during the installation or when starting the software.
        Or during updates. [youtube.com]

        What would be necessary goes beyond tracking or consent.
        Basically, there's a need for legislation treating software and hardware developers as presumed criminals and fraudsters - requiring proof and regular inspection that they are not defrauding or abusing their customers, at

      • Not quite what you want perhaps, but EU has mandated something called General Data Protection Regulation (GDPR) for EU citizens, that will be enforced in May 2018. After that people can ask a company what personal data it store about them, and to explain why it stores that data. GDPR also contains the "right to erasure" with which anyone can ask a company to remove their personal data. Google is located in Ireland due permissive legislation. That disappears with GDPR.
    • by geekmux ( 1040042 ) on Tuesday November 28, 2017 @11:21AM (#55636635)

      Reverse tracking would be that whenever someone tracks your life, you get the legal right to track them back. So if the CEO of Company X puts a tracker on your Android phone peering into your private life, for example, you'd get the legal right to track that CEO back and peer into HIS private life and habits. If a big data company is collecting data on you, your spouse, your kids, you would have the legal right to collect big data on THAT big data company's activities, including insight into that company's most private activities. Watch how quickly all tracking stops when such a law is passed.

      Most CEOs don't have a fucking clue as to how their own products abuse privacy. They're never punished for abusing privacy, which is why they don't give a shit. Even when they do risk punishment or fines, they still weigh it against profit, which is truly all they care about. They continue to abuse privacy because they found out long ago that it's worth it.

      And do you know what happens when you try and do a WHOIS lookup on the worlds most popular domains? You get some generic result-by-proxy bullshit, which is exactly what any executive of any corporation would do if a reverse-tracking law were passed. You would never be allowed to track them, you would be allowed to track a sanitized proxy.

      • Since WHOIS records are totally public, and accessible via the internet at no cost whatsoever, MILLIONS OF PEOPLE can view them. In fact, I'm sure there are bots that are scraping that info RIGHT NOW, in order to SPAM THE HELL out of those contacts with unwanted email, snail mail, phone calls, etc.

        It's really no wonder that ANY company uses that 'Result-by-proxy bullshit' as you call it. I wouldn't want all that spam either.
    • by mi ( 197448 )

      you get the legal right to track them back.

      You already have that right — and always did. With very few exceptions, whatever you can legally see, hear, or otherwise perceive, you can record and even sell the recordings others.

      Watch how quickly all tracking stops when such a law is passed.

      Watching...

  • by Oliver Wendell Jones ( 158103 ) on Tuesday November 28, 2017 @11:24AM (#55636651)
    From the article:

    "In total, researchers said they identified 44 trackers embedded in over 300 Android apps. Overall, three-quarters of the 300+ apps Exodus analyzed contained at least one tracking component, with Google's CrashLytics and DoubleClick being the most popular trackers.

    While some trackers collected only app crash reports (such as Google's CrashLytics), some of these trackers also collected app usage info and user details, some of which were sensitive in nature."

    So, a majority of the apps are "contaminated" only with a plug-in from Google that collects "only app crash reports" - but somehow this indicates a massive privacy breach in 300+ Android apps? I think they may be a little overly paranoid on this one. Get back to me with legit numbers of "real, scary" tracking plug-ins...
    • Just look at the number of apps which ask for permission to read the IMEI number, whose only purpose is for individual user tracking. It's possible that permission in Android has some other purpose, the permission dialog isn't very informative. I'd really like a current app or rom which can provide false information for apps which shouldn't have it.
    • When apps like "DuckDuckGo Search & Stories" seem to be in there because they want INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE & INSTALL_SHORTCUT permissions, a perfectly reasonable and tight set for what it does, you have to question the quality of this research. When apps can get on the list for blocking known trackers that's even more worrying.

    • Really, how about this:

      http://mashable.com/2017/11/15... [mashable.com]

      And another tibit: I was interviewed by a mobile app company that will remain nameless, but my primary job would have been to organize and analytic database so the company could find data trends to sell. They had so much raw data they didn't know how to use it yet. Company rep said: "People have idea how much data they are giving".

      This isn't scare mongering, this is reality, until we start saying "no thanks". There are ways.
    • by Rakarra ( 112805 )

      If you read through and start clicking on the app reports, you'll get this disclaimer:

      Privacy protecting applications embed lists of trackers signatures in order to block them. xodus could find tracker signatures in these blacklists and falsely report them as part of the application. If you have doubts about this report, contact us at contact@exodus-privacy.eu.org

      Looking through some of the commercial apps that I have installed, it's pretty clear that a number of apps here are on the list which have 0 trackers (or a crash dump "tracker" which doesn't mean shit) but they have permissions which their service finds.. suspicious?

      Let's use Discord as an example. exodus found 15 permissions that it thought were suspicious that this app should need. Sounds bad, right? Except there are va

  • Is this a problem iPhones too, or is this just an android problem?

    • by Anonymous Coward
      Affects iOS 100%. These tracking SDKs have iOS versions as well.
    • Is this a problem iPhones too, or is this just an android problem?

      Why track an apple user? We know where they are at all times. ... standing in line to buy the next iPhone.

  • by crow ( 16139 ) on Tuesday November 28, 2017 @11:41AM (#55636739) Homepage Journal

    Do they have an app that I can install to check the apps on my phone? Not that it will do me much good if I still want to run those apps.

    What I really want is a fake location service that returns a fake cell phone tower ID and fake GPS, but based on a real location of my choice. Then apps that want location data will get the fake location except for ones that I want to give the real location to (for example, Waze).

    • Say you have downloaded an application to stream a particular movie from a particular provider. This movie is an adaptation of a novel whose copyright has expired in country A but not yet in country B, whose copyright term is longer than that of country A. This means the provider holds the rights to stream the movie to viewers in country A, not to viewers in country B. Without tracking the user's true location, how should the provider determine whether it has the rights to stream the movie to a particular v

  • So, where is the App that scans for these, and blocks the data endpoints?

    I have Ad-Away from the F-Droid store, but I'm betting that my patched hosts file doesn't block them all.

  • by Anonymous Coward
    If in 2017 you're still using a smartphone then you're signing off on being monitored, tracked, and surveilled continuosly, plain and simple. Dump the smartphone, get the cheapest dumbphone you can manage to have, only turn it on when you really need to use it, and otherwise learn to do without. Enough people do this and the wireless companies and phone manufacturers will get the idea: stop spying on people or you'll lose money.
  • by Anonymous Coward

    Every app at every company I've worked at has implemented Crashlytics / analytics services so that developers can fix issues, and marketing can get off to user events inside the app. This is exactly the same on iOS. There are no doubt apps out there that sell user data (I mean It's the damn business model of the internet) but it's not the primary use of these trackers.

  • Some of knew that virtually every app made by a commercial enterprise had trackers to extract data. This is why so much money has been spent on creating apps for phones instead of Phone friendly websites: you can get a LOT more data and have viewer options to block it. Otherwise it would be cheaper in development and maintenance to do a mobile friendly website. Data mining is the biggest business in the world right now and google is one of the leaders of this charge. Now, for those who WANT to get rid of th
  • These trackers are all installed by Santa! How else is he going to know if you're being naughty or nice.

    You better watch out,
    You better not cry,
    You better not pout,
    I'm telling you why,
    Santa Clause is tracking your phone.

    He sees you when you're naked,
    he watches you undress,
    he tracks your phones movement,
    upon his G. P.S.

  • So what's the link? (Score:4, Informative)

    by wardrich86 ( 4092007 ) on Tuesday November 28, 2017 @01:23PM (#55637403)

    The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps. In total, researchers said they identified 44 trackers embedded in over 300 Android apps.

    Why mention this if you're not even going to link to it?! Here's the URL that should have been plastered in the summary, and made more visible in TFA [eu.org]

  • Why not link to the source of the story instead of some commercial middleman? Is it all about kickbacks? Here's the list: https://reports.exodus-privacy... [eu.org]

  • by afgam28 ( 48611 ) on Tuesday November 28, 2017 @04:02PM (#55638761)

    Ironically TFA is on a site that's full of trackers. I'm using the EFF's Privacy Badger [eff.org] extension, and I get:

    detected 23 potential trackers on this page.

  • ...they're even recording my kegel exercise history damnit!

Nothing recedes like success. -- Walter Winchell

Working...