Your mobile apps are tracking you

apps tracking
Photo by Adam Fagen. (CC BY-NC-SA 2.0)

If you have any apps installed on your mobile phone — be it games, news or fitness apps — it’s likely that you are sending some kind of data about your identity, preferences, or physical location to Google, Facebook and other companies without even knowing. This alone shouldn’t be news to you, but new research now documents how significant the issue is in scale.

An Oxford University study of nearly 1 million free Android apps in 2018 revealed that the majority of mobile apps contain utilities from companies — including Alphabet, Facebook, Twitter, Verizon, Microsoft and Amazon — that enable them to track and send data about users to these companies. These utilities are incorporated by app developers for a variety of reasons. For instance, the app developer might use them to monitor the use of the app or to display ads.

The researchers make no claims about what data is transferred to companies, but warn that it’s common for them to gain access to data that is not directly related to the app in use. Depending on app permissions, this could be as broad as a contact list or location history.

With transparency lacking about what is tracked by whom, the researchers see potential privacy risks that leave people vulnerable. Data combined from multiple apps, along with other online history and behavior, can be used to generate very detailed profiles of individuals. From the apps on a person’s phone you could estimate interests, sexual orientation, health status and the identities of their children.

Google disputed the negative implications of the study, telling the Financial Times in October that the researchers mischaracterize “ordinary functions” such as an app merely sending a crash report. Reuben Binns, the computer scientist who led the study, says, “Nobody has disputed that the third parties we identify in the study are capable of tracking user behaviour across multiple apps. This includes when data is used for analytics, crash reporting or ––as in 60% of apps with Google’s DoubleClick tracker embedded–– behaviourally targeted advertising.”

On the Web, trackers can log information about what you search, click and type. A variety of browser tools (like Privacy Badger, Ghostery or Lightbeam) exist to see who is tracking you. You can also block access to third party trackers or tracking cookies (see Brave or Firefox, Chrome or Safari) though this usually also means blocking ads because they have the capability to track.

On mobiles, users can turn off or reset advertising identifiers that track them across apps, similar to blocking cookies on the Web. But since many users have no idea this tracking is occurring across apps, they also don’t know they can take control.

In the case of Google, they control what apps are available in the Google Play Store for the Android operating system and also benefit from the data generated by those apps. The Oxford University study found that Alphabet is the ultimate owner of several subsidiaries that together were found to have trackers in more than 88% of the analyzed apps (as shown below).

New research on smartphones sold by more than 200 different vendors points to an additional risk of invasive data collection with some apps that are pre-installed by manufacturers. “Users are clueless about the various data-sharing relationships and partnerships that exist between companies that have a hand in deciding what comes pre-installed on their phones,” says the study, while calling for more transparency and real opportunity for consent about data collection.

Privacy protections could be built into phones from the start, but they are not. With an app ecosystem that is designed for maximum data collection behind the scenes we should not be surprised. As more of us wake up to privacy risks online, we also need to recognize the privacy risks of the smartphones that are now so important to our lives. Knowing is half the battle.


Which companies get data from 959,000 mobile apps?

Subsidiaries of Google’s parent company Alphabet get data from 88% of apps via different types of utilities for ads, traffic analytics and more that can track users.

Third Party Tracking in the Mobile Ecosystem by Reuben Binns, Ulrik Lyngs, Max Van Kleek, Jun Zhao, Timothy Libert, Nigel Shadbolt. In: Proceedings of the 10th ACM Conference on Web Science, 2018

How do you protect your privacy on your smartphone?

  1. Snowy

    Once I was using Youtube for computer related research and the ads were all PC related, however I suddenly had a coughing fit in front of my laptop and straight away without changing my computer related searches ALL my ads on Youtube were for throat lozenges! This happened a few years ago now. Also I've had ads for topics I've been talking about, with my phone in my pocket appear next time I logged into my computer at University. I checked my phone usage and the university app (which I almost NEVER used) used up most of my battery life, memory usage and bandwidth compared to ALL my other apps. The app itself was made on top of a 3rd party app not related to my university.

    I now have edited my 'hosts' file on my Linux system to block lots of common ad sites. I browse in Private Mode and I regularly delete all cookies. I was surprised to see that I could aquire nearly 0.7 gig of cookies with one session of browsing on the net! I assume some of the 0.7 gig is to help pages render faster but now with Firefox being so fast I realise I don't need cookies to make my browsing experience enjoyable. I switched off all cookie collection, blocked all tracking requests and keep my microphone muted. Now Youtube actually asks me if their adverts are relevant for me with a survey I never bother about.

    I understand these are businesses who need to make money to operate but if you do make money from other people's information then that needs to be explained in very precise, open and simple ways so users can choose how to use the service.

    Finally I've stopped using AirBnB because they requested I upload a photo directly from my computer's webcam to their servers! I've never felt so violated from a business before! I understand there are safety issues but it feels overkill and I'm sure there's got to be a better way then biometric scanning! Now I'm trying to get other personal data back from them that is of a sensitive nature!

  2. Anonymous

    Delete all apps you haven't used for more than a year. Then go through your phone settings, going through every menu and reading all the options. You may discover very interesting options you can disable and not only save your battery but keep private your location or any other specific data. Then do the same with every app you have, since in app settings there are also interesting check boxes.

  3. konstantinos

    hallo. interesting this report, but you dont TELL us what to do. we are not the experts, you are. so be more specific.
    how can we know who apps track us? which are they?
    how can we stop them track us?

  4. Kris

    As this piece points out, our internet browsing history allows trackers to create profiles, with or without mobile apps. My Kaiser Permanente EMR (HealthConnect) requires third party trackers to be on in its privacy statement.
    "The Websites and the App do not honor a browser’s signal or header request not to track the user's activity."

    This feature is not standard operating procedure for Epic electronic health records.

    Think about what that would look like when looking up an abnormal lab or disease! Even if that data are not repurposed as targeted advertising, lots of interested parties (insurers, PhRMA, future employers) would gladly purchase this valuable data linked to the electronic health record.

    Third party trackers should be forbidden when we access electronic health records. But Health & Human Services Office for Civil Rights dismissed my complaint even with Lightbeam evidence showing a constellation of trackers linked to my EMR after I started browsing sites like WebMD.

    And since I have done that experiment searching depression, my "personalized" duck duck go search on my firefox browser (with privacy extenders on) of WebMD immediately comes up with this default:

    There seems to be no way to get rid of these persistent cookies--even on firefox.

    The P in HIPAA is for portability. It's not for privacy.

  5. Garc

    Turn off no need apps .
    No actual location access, if possible no access to microphone or (front) camera.
    Use Google's privacy profile to share what I want to.
    Download/activate only needed app's. Minimum browsing.
    Use a home network PC for some anonimity during Moz. browsing and mail.

  6. Horatio Hornblower

    We use a very secure VPN at all times on our phones, whether connected by the phone network or by wireless. We also customize the permissions for all apps where possible. We also uninstall all software that we are not currently using and reinstall it if and when we need it again.

    We also limit or prevent google location services when not required. We use DuckDuckGo as our internet browser. Now that we are better aware of it, we will be trying out the TOR network and/or the TOR browser.

    We still feel VERY naked when on line with our phones!

See Mozilla Community Participation guidelines: [English | Español | Deutsch | Français]. This is a moderated comment space. We will remove comments that are offensive or completely off topic.