Your mobile apps are tracking you

Photo by Adam Fagen. (CC BY-NC-SA 2.0)

If you have any apps installed on your mobile phone — be it games, news or fitness apps — it’s likely that you are sending some kind of data about your identity, preferences, or physical location to Google, Facebook and other companies without even knowing. This alone shouldn’t be news to you, but new research now documents how significant the issue is in scale.

An Oxford University study of nearly 1 million free Android apps in 2018 revealed that the majority of mobile apps contain utilities from companies — including Alphabet, Facebook, Twitter, Verizon, Microsoft and Amazon — that enable them to track and send data about users to these companies. These utilities are incorporated by app developers for a variety of reasons. For instance, the app developer might use them to monitor the use of the app or to display ads.

The researchers make no claims about what data is transferred to companies, but warn that it’s common for them to gain access to data that is not directly related to the app in use. Depending on app permissions, this could be as broad as a contact list or location history.

With transparency lacking about what is tracked by whom, the researchers see potential privacy risks that leave people vulnerable. Data combined from multiple apps, along with other online history and behavior, can be used to generate very detailed profiles of individuals. From the apps on a person’s phone you could estimate interests, sexual orientation, health status and the identities of their children.

Google disputed the negative implications of the study, telling the Financial Times in October that the researchers mischaracterize “ordinary functions” such as an app merely sending a crash report. Reuben Binns, the computer scientist who led the study, says, “Nobody has disputed that the third parties we identify in the study are capable of tracking user behaviour across multiple apps. This includes when data is used for analytics, crash reporting or – as in 60% of apps with Google’s DoubleClick tracker embedded – behaviourally targeted advertising.”

On the Web, trackers can log information about what you search, click and type. A variety of browser tools (like Privacy Badger, Ghostery or Lightbeam) exist to show who is tracking you. You can also block access to third-party trackers or tracking cookies (see Brave or Firefox, Chrome or Safari), though this usually also means blocking ads because they have the capability to track.

On mobiles, users can turn off or reset advertising identifiers that track them across apps, similar to blocking cookies on the Web. But since many users have no idea this tracking is occurring across apps, they also don’t know they can take control.

Google controls which apps are available in the Google Play Store for the Android operating system and also benefits from the data generated by those apps. The Oxford University study found that Alphabet is the ultimate owner of several subsidiaries that together were found to have trackers in more than 88% of the analyzed apps (as shown below).

New research on smartphones sold by more than 200 different vendors points to an additional risk of invasive data collection with some apps that are pre-installed by manufacturers. “Users are clueless about the various data-sharing relationships and partnerships that exist between companies that have a hand in deciding what comes pre-installed on their phones,” says the study, while calling for more transparency and real opportunity for consent about data collection.

Privacy protections could be built into phones from the start, but they are not. With an app ecosystem that is designed for maximum data collection behind the scenes, we should not be surprised. As more of us wake up to privacy risks online, we also need to recognize the privacy risks of the smartphones that are now so important to our lives. Knowing is half the battle.


Which companies get data from 959,000 mobile apps?

Subsidiaries of Google’s parent company Alphabet get data from 88% of apps via different types of utilities for ads, traffic analytics and more that can track users.

Third Party Tracking in the Mobile Ecosystem by Reuben Binns, Ulrik Lyngs, Max Van Kleek, Jun Zhao, Timothy Libert, Nigel Shadbolt. In: Proceedings of the 10th ACM Conference on Web Science, 2018

How do you protect your privacy on your smartphone?

  1. Slovik

    One asks "what to do"? Well, here are some steps. Many solutions will be unpalatable for most smartphone users.

    1. Throw away whatever phone you have. Smashing it will likely be the safer solution.

    2. Close down your Facebook account. Also, close down your Google account/Gmail.

    3. Buy a phone with a Linux operating system. If that is too heavy (learning curve), get a de-googled phone with GrapheneOS or LineageOS installed. Get a new SIM card and new number when you do.

    4. Don't load any apps directly out of the Google Play store onto your new phone. Use F-Droid apps preferably. If you must have a Google Play store app by necessity, download only through the Aurora Store. Only do this if it is absolutely necessary for you to have that app on your new phone (i.e. work-related).

    5. Before loading any app through Aurora Store, look at the Exodus-privacy website. Run an analysis through Exodus for the app you want to download. Check the analysis results of trackers and permissions. See if you can live with those permissions. Exodus will show red flags next to permissions that are DANGEROUS in their analysis. Preferably, you will only download apps from the F-Droid store or another open source repository.

    6. Get a privacy valued email account (Proton Mail, Tutanota mail, etc.). Don't choose an email account address with your real name in it. These email accounts aren't perfect, but they are better than Gmail, Hotmail, Yahoo etc. You will need an email address to open other accounts later on. Use a private one if possible.

    7. Hopefully you didn't put any Google Play store apps on your new phone. Please, don't even think about loading any direct Google service apps (Google Photos, Gmail, etc.). Your new phone will likely try to stop you from loading those direct Google products, but I'm sure there is a workaround. Don't do it.

    8. Similar to #7, don't even think about loading the Facebook App. In fact, don't even go there (FB) with your browser on your new phone. You should have already closed your FB account by now anyways.

    9. Back at home, be sure to have purchased a (not free) VPN which is known not to keep any types of logs. Download a VPN client from F-Droid onto your new phone. Program it with your VPN service information. Keep the VPN client in the "on" position whether at home or travelling. Also, download the TOR Browser for your phone should privacy be an absolute one day.

    10. Hopefully, you have not downloaded any commercial shopping apps (i.e. Walmart app, Home Depot app, eBay app). Many of those types of apps cross-communicate with Google and Facebook. Your new phone may come with the Vanadium browser. That's good. If not, downloading the Bromite browser, or the Brave browser, are good second choices. But if you need something a little more familiar, use the Firefox browser. Add the DuckDuckGo extension. Did I mention... Stay away from Google products... like Chrome?

    11. You will now need to go back to the old days of computer internet surfing using one of those privacy enhanced browsers mentioned above to visit Home Depot and eBay. Make bookmarks just like the old days. You can even make some shortcuts on your Home screen on the phone if you have room, esp. for the frequently visited websites. Will this be pleasant (using a browser rather than an app)? NO. You are looking at small everything on your screen. But is it more private? Yes, to a degree. You have not given the web site direct permission to look at your contact list, turn on your microphone, search your account user names/passwords, or turn on your GPS, at least not very easily. Having used the app version, you would have just handed them the keys to your life.

    12. Buy one of those Mission Darkness Faraday bags that preppers always have on hand. In addition to not letting nuclear blast EMPs in, they have the advantage of keeping your cell phone radio transmissions from getting out. If by some sneaky means somehow you are being location tracked on your new smartphone, pop your new phone into the Faraday Bag when you leave the office, go ahead and proceed to the strip club, blow your cash, then head home. Take your new phone out of the bag when you get to your driveway. Your tracker will think you got magically transported from work to home, with no record of your pitstops along the way.

    Bonus Tip: Load the SIGNAL App. You likely will not be able to download it from the Google Play store, because you shouldn't have the Google Play store on that new phone. But you can go to the SIGNAL web page by using your new privacy browser, and do a direct download from the site. Try to get your friends to use SIGNAL rather than direct SMS messaging. SIGNAL to SIGNAL is encrypted and, as of yet, no one has been able to break the encryption, not even branches of Uncle Sam's Alphabet agencies.

    None of my tips are perfect, but if you are willing to put up with a little inconvenience and some learning curve of the new operating system, you'll get through it and cut way down on what other agencies know about you.

  2. Final Reflection – Site Title

    […] because they were about topics that I could relate to such as social media. Articles such as “Your mobile apps are tracking you” and “Understand the issue” tackled some pretty interesting issues that made me more […]

  3. Digital Literacy Step 3 – Site Title

    […] was the extent of privacy and protection we have on social media. The three articles I read were “Your Mobile Apps Are Tracking You”, “Understand The Issue”, and “Coordinating complaints for data privacy in […]

  4. Digital Literacies Blog Post: – Zeina's blog

    […] https://internethealthreport.org/2019/your-mobile-apps-are-tracking-you/ […]

  5. Digital Literacy Step 3 – Mirnan Meligy

    […] The main goal that I have in mind after reading 3 main articles, is to try decreasing the usage of social media. Because from the article I read, I have learned more about the topic of how we are always being tracked. The 3 articles that I have read are “Understand the Issue”, “Show me my data, and I’ll tell you who I am”, and “Your mobile apps are tracking you”. […]

  6. Digital Literacy – Zeina's Blog

    […] digital literacy path. I decided on the Theory path. Thus, I read three articles; the first, “Your mobile apps are tracking you,” second, “Understand the issue,” third, “Show me my data, and I’ll […]

  7. Snowy

    Once I was using YouTube for computer related research and the ads were all PC related, however I suddenly had a coughing fit in front of my laptop and straight away, without changing my computer related searches, ALL my ads on YouTube were for throat lozenges! This happened a few years ago now. Also I've had ads for topics I've been talking about, with my phone in my pocket, appear next time I logged into my computer at University. I checked my phone usage and the university app (which I almost NEVER used) used up most of my battery life, memory usage and bandwidth compared to ALL my other apps. The app itself was made on top of a 3rd party app not related to my university.

    I now have edited my 'hosts' file on my Linux system to block lots of common ad sites. I browse in Private Mode and I regularly delete all cookies. I was surprised to see that I could acquire nearly 0.7 gig of cookies with one session of browsing on the net! I assume some of the 0.7 gig is to help pages render faster but now with Firefox being so fast I realise I don't need cookies to make my browsing experience enjoyable. I switched off all cookie collection, blocked all tracking requests and keep my microphone muted. Now YouTube actually asks me if their adverts are relevant for me with a survey I never bother about.

    I understand these are businesses who need to make money to operate but if you do make money from other people's information then that needs to be explained in very precise, open and simple ways so users can choose how to use the service.

    Finally I've stopped using AirBnB because they requested I upload a photo directly from my computer's webcam to their servers! I've never felt so violated by a business before! I understand there are safety issues but it feels overkill and I'm sure there's got to be a better way than biometric scanning! Now I'm trying to get other personal data back from them that is of a sensitive nature!

  8. Anonymous

    Delete all apps you haven't used for more than a year. Then go through your phone settings, going through every menu and reading all the options. You may discover very interesting options you can disable and not only save your battery but keep private your location or any other specific data. Then do the same with every app you have, since in app settings there are also interesting check boxes.

  9. konstantinos

    Hello. This report is interesting, but you don't TELL us what to do. We are not the experts, you are. So be more specific.
    How can we know which apps track us? Which are they?
    How can we stop them tracking us?

  10. Kris

    As this piece points out, our internet browsing history allows trackers to create profiles, with or without mobile apps. My Kaiser Permanente EMR (HealthConnect) requires third party trackers to be on in its privacy statement.
    https://healthy.kaiserpermanente.org/privacy.html
    "The Websites and the App do not honor a browser’s signal or header request not to track the user's activity."

    This feature is not standard operating procedure for Epic electronic health records.

    Think about what that would look like when looking up an abnormal lab or disease! Even if that data are not repurposed as targeted advertising, lots of interested parties (insurers, PhRMA, future employers) would gladly purchase this valuable data linked to the electronic health record.

    Third party trackers should be forbidden when we access electronic health records. But Health & Human Services Office for Civil Rights dismissed my complaint even with Lightbeam evidence showing a constellation of trackers linked to my EMR after I started browsing sites like WebMD.

    And since I have done that experiment searching depression, my "personalized" DuckDuckGo search on my Firefox browser (with privacy extenders on) of WebMD immediately comes up with this default: webmd.com/depression/

    There seems to be no way to get rid of these persistent cookies, even on Firefox.

    The P in HIPAA is for portability. It's not for privacy.

  11. Garc

    Turn off unneeded apps.
    No actual location access, if possible no access to microphone or (front) camera.
    Use Google's privacy profile to share what I want to.
    Download/activate only needed apps. Minimum browsing.
    Use a home network PC for some anonymity during Moz. browsing and mail.

  12. Horatio Hornblower

    We use a very secure VPN at all times on our phones, whether connected by the phone network or by wireless. We also customize the permissions for all apps where possible. We also uninstall all software that we are not currently using and reinstall it if and when we need it again.

    We also limit or prevent Google location services when not required. We use DuckDuckGo as our internet browser. Now that we are better aware of it, we will be trying out the TOR network and/or the TOR browser.

    We still feel VERY naked when online with our phones!
