Yale Privacy Lab has discovered hidden trackers in hundreds of popular Android apps that send app manufacturers your location, activity, and other personal info.
Android apps tracking users aren't just small-timers looking to make a buck selling data; they include apps like Tinder, Spotify, Uber, PayPal, Twitter, and Snapchat. YPL adds that there are likely many more that haven't been detected, as tracking users via mobile apps is an entire industry.
Android users with privacy concerns are right to be worried about these findings. If YPL's study is correct, three out of every four apps installed on your device are tracking your location, device use, and behavior and even accessing your camera without your knowledge.
Scanning for trackers
YPL was able to scan for trackers using open source tracker detection software Exodus, which acts like an antivirus scan. It checks for tracker signatures in its database to determine which apps are using what.
In this case YPL used Exodus to scan for 25 of the 44 trackers in its system. That 75% figure? That's only considering half of what's out there, so the number of apps tracking you could be much higher.
Like much of the Android malware currently infecting devices, trackers don't necessarily come along with the initial install of the app, so Exodus might not detect them. App updates can add trackers later on, turning an app that once asked transparently for permissions into a spy that steals your data.
Trackers that YPL found can do a lot of different things. One they identified, called FidZup (contained in the Bottin Gourmand app and several others), can track a user's location by pinging their device with an ultrasonic frequency. The device can pick it up, but humans can't hear it, and any retail space with a speaker can broadcast a tone and gather user location data.
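The signature matching described above, and the two gaps it leaves (trackers added in a later update, and trackers with no signature in the database), as an added Python example that is not Exodus's or YPL's code. It assumes the class names have already been extracted from each APK; the tracker names, patterns, and class lists are constructed for illustration.

```python
import re

# Constructed signature database: tracker name -> regex over class names.
# Illustrative patterns only, not real Exodus signatures.
SIGNATURES = {
    "ExampleAds": r"^com\.exampleads\.sdk\.",
    "ExampleAnalytics": r"^io\.exampleanalytics\.",
}

def scan(class_names, signatures):
    """Return {tracker: sorted matching classes} for each signature that hits."""
    hits = {}
    for tracker, pattern in signatures.items():
        rx = re.compile(pattern)
        matched = sorted(c for c in class_names if rx.search(c))
        if matched:
            hits[tracker] = matched
    return hits

def diff_versions(old_classes, new_classes, signatures):
    """Trackers detected in the new version that the old version lacked."""
    old = set(scan(old_classes, signatures))
    new = set(scan(new_classes, signatures))
    return sorted(new - old)

def unmatched_third_party(class_names, signatures, app_prefix):
    """Packages that are neither the app's own code nor covered by a signature.
    These are what a signature scan cannot label, so they need manual review."""
    covered = {c for m in scan(class_names, signatures).values() for c in m}
    pkgs = set()
    for c in class_names:
        if c.startswith(app_prefix) or c in covered:
            continue
        pkgs.add(".".join(c.split(".")[:2]))
    return sorted(pkgs)

# Constructed class lists for two releases of a hypothetical app.
V1 = ["com.example.shop.MainActivity", "com.example.shop.Cart"]
V2 = V1 + [
    "com.exampleads.sdk.AdView",
    "com.exampleads.sdk.LocationReporter",
    "net.unknowntracker.beacon.Listener",  # no signature exists for this one
]

if __name__ == "__main__":
    print("v1 hits:", scan(V1, SIGNATURES))
    print("added in update:", diff_versions(V1, V2, SIGNATURES))
    print("unlabelled packages:", unmatched_third_party(V2, SIGNATURES, "com.example.shop."))
```

Rescanning each release catches the tracker that arrives in an update, while the unlabelled package shows why a scan limited to known signatures undercounts.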
Finance and medical apps contain trackers as well, which YPL points out is a serious privacy issue: "exactly what information is shared is unknown, though the data stored by the app is extremely sensitive."
To demonstrate the capabilities of trackers that could be hiding in your Android device, YPL developed an app called FaceGrok. It's a simple app that recognizes faces in the Android camera, and it contains a whole bunch of trackers.
YPL assures those who want to test it that FaceGrok doesn't transmit any data, but that "it could do so with simple modifications." YPL also points out that getting the app onto Google Play "has revealed the ease of adding tracker code and the ubiquity of trackers," which isn't reassuring to users.
Is it possible to protect yourself?
With a likely three-quarters of Android apps tracking your information, you may feel powerless to protect your personal data and habits, and rightly so. There's no way to identify or block trackers on your device right now, short of deleting affected apps.
Those with coding know-how can try their hands at setting up an instance of Exodus, which has been released freely on GitHub.
Apple users shouldn't think they're safe, either. YPL said that many of the companies that produce trackers market themselves as being cross-platform, so they're likely on iOS as well. YPL says detection of trackers found in apps from the Apple App Store isn't possible yet, but that it's entirely possible they're in those apps too.
It's alarming to hear that so many apps are secretly tracking users. YPL said Android users "deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code," which it is calling on Google and Android developers to implement.
Time will tell if user privacy begins to trump the profit gained from trackers. Don't hold your breath, though.
The top three takeaways for TechRepublic readers:
- Yale Privacy Lab has discovered that over 75% of Android apps contain trackers that are unknown to users. The trackers primarily gather location data, user habits, and other information to be used to target ads.
- YPL tested Android apps for 25 tracker signatures, but the software it used is capable of detecting 44. It's possible that more apps are using more trackers to collect more data than the research found.
- iOS apps are likely filled with trackers as well, as many tracker companies market the cross-platform capabilities of their software.