Security

Over 75% of Android apps are secretly tracking users

Yale Privacy Lab has discovered hidden trackers in hundreds of popular Android apps that send app manufacturers your location, activity, and other personal info.

Yale Privacy Lab (YPL) has just published the results of research that should be startling to any Android user: Over 75% of Android apps tested contain trackers that are unknown to their users.

Android apps tracking users aren't just small timers looking to make a buck selling data—it's apps like Tinder, Spotify, Uber, PayPal, Twitter, and Snapchat. YPL adds that there are likely many more that haven't been detected, as tracking users via mobile apps is an entire industry.

Android users with privacy concerns are right to be worried about these findings. If YPL's study is correct, three out of the four apps installed on your device are tracking your location, device use, and behavior and even accessing your camera without your knowledge.

SEE: Information security incident reporting policy (Tech Pro Research)

Scanning for trackers

YPL was able to scan for trackers using open source tracker detection software Exodus, which acts like an antivirus scan. It checks for tracker signatures in its database to determine which apps are using what.

In this case YPL used Exodus to scan for 25 of the 44 trackers in its system. That 75% figure? That's only considering half of what's out there, so the number of apps tracking you could be much higher.

Like much of the Android malware currently infecting devices, trackers don't necessarily come along with the initial install of the app, so Exodus might not detect it. App updates can add trackers later on, making an app that once asked transparently for permissions a spy that steals your data.

SEE: Android users: Google is collecting your location data even if location services are off (TechRepublic)

Trackers that YPL found can do a lot of different things. One they identified, called FidZup, (contained in the Bottin Gourmand app and several others) can track a user's locations by pinging their device with an ultrasonic frequency. The device can pick it up, but humans can't hear it, and any retail space with a speaker can broadcast a tone and gather user location data.

Finance and medical apps contain trackers as well, which YPL points out is a serious privacy issue: "exactly what information is shared is unknown, though the data stored by the app is extremely sensitive."

To demonstrate the capabilities of trackers that could be hiding in your Android device, YPL developed an app called FaceGrok. It's a simple app that recognizes faces in the Android camera, and it contains a whole bunch of trackers.

YPL assures those who want to test it that FaceGrok doesn't transmit any data, but that "it could do so with simple modifications." YPL also points out that getting the app onto Google Play "has revealed the ease of adding tracker code and the ubiquity of trackers," which isn't reassuring to users.

Is it possible to protect yourself?

With a likely three-quarters of Android apps tracking your information, you may feel powerless to protect your personal data and habits, and rightly so. There's no way to identify or block trackers on your device right now, short of deleting affected apps.

SEE: Reducing the risks of BYOD in the enterprise (free PDF) (TechRepublic)

Those with coding know-how can try their hands at setting up an instance of Exodus, which has been released freely on GitHub.

Apple users shouldn't think they're safe, either. YPL said that many of the companies that produce trackers market themselves as being cross-platform, so they're likely on iOS as well. YPL says detection of trackers found in apps from the Apple App Store isn't possible yet, but that it's entirely possible they're in those apps too.

It's alarming to hear that so many apps are secretly tracking users. YPL said Android users "deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code," which it is calling on Google and Android developers to implement.

Time will tell if user privacy begins to trump the profit gained from trackers. Don't hold your breath, though.

The top three takeaways for TechRepublic readers:

  1. Yale Privacy Lab has discovered that over 75% of Android apps contain trackers that are unknown to users. The trackers primarily gather location data, user habits, and other information to be used to target ads.
  2. YPL tested Android apps for 25 tracker signatures, but the software it used is capable of tracking 44. It's possible that more apps are using more trackers to collect more data than the research found.
  3. iOS apps are likely filled with trackers as well, as many tracker companies market the cross-platform capabilities of their software.
istock-513639320.jpg
Getty Images/iStockphoto

Also see

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox