Surprise: Android apps are riddled with trackers

In case you're wondering, yes, there's a good chance at least some of your Android apps have tracked you rather more than you expect. That's the conclusion of a joint project between Yale University's Privacy Lab and French non-profit Exodus Privacy, which has this month documented snoopware features in apps from Uber, Tinder …

  1. Anonymous Coward
    Anonymous Coward

    Google, the retail arm of the NSA...

    ... not only tracks you with Android but so do the Apps you install.

    Privacy? This is better than Big Brother could have wanted, as they are getting you to opt in and pay for it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Google, the retail arm of the NSA...

      It's not Google alone. There are far too many companies selling tracking tools to be embedded into apps. Too many believe it's a huge source of revenues, and want their slice of the cake. App developers too think that's another way - and a simple one - to monetize their code. MS turned Windows into a giant tracking tool.

      Once software was a way to speed up tasks, and tackle complexity - now it's mostly tracking people attempting to sell more lame ads and goods.

    2. Anonymous Coward
      Anonymous Coward

      Re: Google, the retail arm of the NSA...

      The NSA dreams of having the amount of data that Google has on people.

      1. wayne 8

        Re: Google, the retail arm of the NSA...

        What makes you think that NSA does not already have access to Google's data?

        1. Anonymous Coward
          Anonymous Coward

          "What makes you think that NSA does not..."

          Because Google today is more powerful than the NSA.. and the NSA today is pretty in trouble, after its tools have been stolen and published...

          It will be more difficult to regulate Google than the NSA - money gives a lot of power.

    3. JimboSmith

      Re: Google, the retail arm of the NSA...

      The Relax Vibrator apparently contains a doubleclick tracker so does the Good Vibes app along with recording audio, writing to and reading from your calendar etc. Can't say I'm surprised at the tracker as the apps might contain adverts. I do wonder though is this heralding a new dawn where your vibrator writes in your diary:

      Dear Diary,

      Sarah was off again with that waste of space Carl last night instead of spending time with me. I make you happy in a third of the time he does and I'm ready to go again whenever you are. I don't have to wait 10 minutes to get my strength back or be too tired tonight! You've changed since I've met you. If only they'd let me talk to the Domino's app I could order Pizza and you wouldn't need him at all.

      1. JimboSmith

        Re: Google, the retail arm of the NSA...

        Wait they didn't test the Sonos app?

  2. John Smith 19 Gold badge
    Gimp

    The best kind of surveillance. The kind you pay for yourself.

    You pay. We spy.

    And BTW since when do you take a cookie called "CrashLytics" at face value?

  3. Anonymous Coward
    Anonymous Coward

    'Spy on yourself Culture'

    You do all the hard work, we keep all the juicy data.... Well done plebs!

    (Brought to you by the 5-Eyes)

    1. Mark 85

      Re: 'Spy on yourself Culture'

      You do all the hard work, we keep all the juicy data and make a great amount of profit.... Well done plebs!

      FTFY

  4. Anonymous Coward
    Linux

    F-droid off, PlayStore

    It would be interesting to see a comparative analysis of, say, F-Droid vs playstore. On the face of it, Free-er software (as opposed to gratis) should have less reason to be addicted to data collection.

    Apps - not so much heuristics as voyeuristics

  5. Anonymous Coward
    Anonymous Coward

    Pot v Kettle??

    My company network blocks access to Exodus on the grounds that it's a site known for spreading malware...

  6. TWB

    Drug dealers

    Apple and Google have used the drug dealers technique, get 'em hooked and they'll come back for more.

    How many of us would readily give up their smart phones now?

    There is a gap in the market for a new platform/phone OS - one where tracking/collecting data is the exception and most apps merely help me and not third parties. Maybe even 'free' ad laden apps are the exception and the paid for ad-free ones come out first. It might get rid of a load of bloat. Or maybe the masses don't care enough and are happy to put up with it.

    So many apps I have seen seem to want to know more about me than I really think is necessary. I am happy to pay for apps - I don't expect free.

    1. Captain Scarlet

      Re: Drug dealers

      We gave up Snake for Smart Phones so I assume we will also give up smart phones for the next biggest craze

  7. Daniel Bower

    GDPR

    It'll be interesting to see what if any teeth the forthcoming GDPR has on all of this. Particularly around specific consent.

    1. Khaptain Silver badge

      Re: GDPR

      GDPR will "proposedly" allow you to request who/what information is held about you by whoever has it.

      It would be interesting for someone to develop an app that provides this information and to provide direct links to the third parties whereby one can contact them directly and request that they stop...

      1. jason 7

        Re: GDPR

        Well if they can't force them to pay millions in tax I doubt any 'legal' obligations will worry them.

        HM Gov haven't been 'in charge' for some time now.

      2. Phil O'Sophical Silver badge

        Re: GDPR

        It would be interesting for someone to develop an app

        Just wait for the text messages:

        Did you give consent? Is your data being used without permission? You may be eligible for compensation. Call the GDPR experts now. No win, no fee.

        1. Khaptain Silver badge

          Re: GDPR

          "Call the GDPR experts now. No win, no fee."

          Agreed, the Ambulance Chasers are probably in the process of Project Analysis and are getting ready to outsource to India..

          1. GcdJ

            Re: GDPR - is a standard - it will have a logo

            The apps and the app stores will change with GDPR

            With GDPR will come a standard along the lines of "GDPR compliant" - probably with a better name.

            An app that is compliant to GDPR will carry a clear logo to make it clear to the prospective user that it meets GDPR requirements (in the same way that we have "HD ready" TV). Then when we are in the APP store we can choose to only accept apps with the GDPR compliant logo.

            There will still be apps out that are not compliant - but users will download those non-compliant apps at their own risk. The download rate for these non-GDPR compliant apps will plummet. The store owners will be made responsible for ensuring that no apps advertise false GDPR-compliant labels.

            The business model for all these snooping apps (In Europe and the other 100 of countries that copy the EU data protection standards) breaks.

            This will impact the users and the apps in north America too. If you are a well educated or wealthy US citizen given the choice of downloading two similar apps - and one is marked GDPR-compliant, what will she do? Even in the US GDPR is going to have a big influence and correct bad behaviour.

            Many of the non-GDPR app providers and trackers will go out of business. The world becomes a better place.

            Geoff

            1. Anonymous Coward
              Anonymous Coward

              Re: GDPR - is a standard - it will have a logo

              Many of the non-GDPR app providers and trackers will go out of business. The world becomes a better place.

              Unless the non-GDPR apps are cheaper, of course. In that case hardly anyone will look beyond the price.

  8. Anonymous Coward
    Anonymous Coward

    interesting

    when you go past the "hall of shame" screen (reports.exodus-privacy.eu.org/reports/apps/)

    However, I am... confused. It appears that a relatively unknown (have you ever heard of privacy issues?!) app called "Whatsapp messenger" contains... NO trackers. Am I supposed to believe that, given the... associations.

    p.s. really ironic that "Firefox Browser fast & private" reports your "private" activities to:

    •DoubleClick

    •LeanPlum

    Disappointingly, "Good Vibes", which must be, by the icon, something to do with intimate vibing, only sells your good vibes to the usual culprit (doubleclick). I thought it would go to all the pornhubs of the world united, AT LEAST. Remarkable restraint...

    However, in general, the list of apps (reports.exodus-privacy.eu.org/reports/) seems to me to have little to do with what I installed on my mobile. And I can't see a way to sort that by the "most popular / most downloads", just to see, who's big and naughty...

    1. Anonymous Coward
      Anonymous Coward

      Re: interesting

      It appears that a relatively unknown (have you ever heard of privacy issues?!) app called "Whatsapp messenger" contains... NO trackers. Am I supposed to believe that, given the... associations.

      Maybe it didn't need it because it directly connects to an address with something like this, whatsapp.chatd-edge...facebook.com. You can see it with a network monitoring tool.

  9. Anonymous Coward
    Anonymous Coward

    ? - 2017

    Privacy RIP

  10. lglethal Silver badge
    Go

    OK, so the Information is there that we're all being tracked. What's the proposed solution? Is there anything out there that acts as a sort of Ghostery/NoScript for apps on Android/iPhone?

    Any suggestions? Since we can't trust the apps themselves, it's time for a new type of anti-Virus (anti-track?) that protects us from the ad slingers...

    1. Wade Burchette

      RE: What's the proposed solution?

      My tablet is a Samsung Galaxy Note 10.1 and Samsung has long since stopped supporting it. So I installed Cyanogenmod and later Lineage OS on it when Cyanogenmod died. Both have extra privacy built in. In the settings, you can override the privacy settings of any app, including Google's. That is your best choice, to see if your device supports Lineage OS. If that isn't available, you can check to see if you can root your device and manually uninstall any bloat apps you don't want and install a privacy app with root access. I did something like that with my Galaxy S3, but I forgot which app I used.

    2. Anonymous Coward
      Anonymous Coward

      you mention privacy-protecting ghostery? take a look at their trackers! :D

  11. johnfbw

    How is LinkedIn not there?

    The LinkedIn app was installed by default on an old phone (Sony) and once logged in slurped all my email contacts straight back to HQ. If they do that they will certainly track anything they can.

    1. Captain Scarlet
      Trollface

      Re: How is LinkedIn not there?

      They have probably copied and pasted code that they aren't checking for.

  12. Mr Dogshit

    "Don't feel smug if you're an iPhone user"

    Sounds like the very definition of an iPhone user.

    1. Anonymous Coward
      Linux

      Re: "Don't feel smug if you're an iPhone user"

      Oh I don't think so.

    2. Anonymous Coward
      Anonymous Coward

      Re: "Don't feel smug if you're an iPhone user"

      Indeed, there are less safeguards in place for iPhone, if you are wondering why they didn't look at iPhone user tracking, it's because Apple didn't fund that survey...

      I also note there was no mention of requested permission, so the android story is clearly clickbait (as usual)

    3. Anonymous Coward
      Anonymous Coward

      Re: "Don't feel smug if you're an iPhone user"

      Don't forget macbook users as well, they're pretty smug as well ;))

  13. Terry 6 Silver badge

    Legality

    Until personal data are seen as being property, and treated the same way as other items of value and payment terms with explicit ( not just tick a box or tacit acceptance) agreement the data collection companies can just stick their snouts into the trough. In a sense, we've got valuable property that isn't protected by law, and which is left open to predators.

  14. Pan Handle Door Handle With Care

    Analytics

    Just looking at an Android phone I have to hand with a small set of apps on it, it makes the following DNS queries at startup (amongst other more obviously attributable ones, such as 4 each to Weather Channel, BBC and Google domains, 2 Twitter and 1 Skype):

    s3.amazonaws.com

    mads.amazon-adsystem.com

    device-metrics-us.amazon.com

    mobile.eum-appdynamics.com

    reports.crashlytics.com

    e.crashlytics.com

    settings.crashlytics.com

    ticks2.bugsense.com

    decide.mixpanel.com

    api.mixpanel.com

    There are no open TCP ports, but it is listening on 24 different UDP ports, for whatever reason (some more obvious than others):

    17

    53

    687

    3130

    4444

    6001

    17237

    17629

    17824

    19682

    19687

    19936

    20423

    20522

    21060

    21405

    22914

    34555

    34580

    39217

    42639

    44946

    61412

    63420

    No consumer makes a conscious, informed choice about any of this, let alone about what data is actually transferred. GDPR certainly ought to be relevant...

    1. Anonymous Coward
      Anonymous Coward

      Re: Analytics

      Can I ask what you used to get this information? I'd be curious to audit our phones too...

      Cheers!

      1. Pan Handle Door Handle With Care

        Re: Analytics

        Just dnstop running on a local Unbound resolver, and nmap for the ports.

        1. Anonymous Bullard

          Re: Analytics

          Or good old netstat.

          (to see the apps using the port requires root)
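An added example, not part of the thread or of any commenter's tooling: the resolver-side audit described in the comments above, done by tallying watched domains per client from Unbound's query log. It assumes `log-queries: yes` is set on the resolver; the watchlist is built only from hostnames quoted in the comment, and the log lines and client addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Illustrative watchlist: domains taken from the hostnames quoted in the
# comment above. An assumption of this example, not a vetted tracker list.
WATCHLIST = (
    "crashlytics.com",
    "mixpanel.com",
    "bugsense.com",
    "amazon-adsystem.com",
    "eum-appdynamics.com",
)

# With "log-queries: yes", Unbound writes one line per query:
#   [epoch] unbound[pid:thread] info: <client ip> <qname>. <type> <class>
QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)$"
)


def watched_suffix(qname):
    """Return the watchlist entry that qname falls under, or None.

    Matching is case-insensitive, ignores the trailing root dot, and only
    matches on a label boundary, so "notcrashlytics.com" is not a hit.
    """
    name = qname.rstrip(".").lower()
    for suffix in WATCHLIST:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def audit(lines):
    """Count watched-domain queries per client IP from Unbound log lines."""
    hits = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # service messages and anything that is not a query
        suffix = watched_suffix(m.group("qname"))
        if suffix:
            hits[m.group("client")][suffix] += 1
    return {client: dict(counts) for client, counts in hits.items()}


# Constructed sample log; clients 192.168.1.50 and .51 stand in for two phones.
SAMPLE_LOG = """\
[1511870400] unbound[812:0] info: start of service (unbound 1.6.0).
[1511870401] unbound[812:0] info: 192.168.1.50 reports.crashlytics.com. A IN
[1511870401] unbound[812:0] info: 192.168.1.50 e.crashlytics.com. A IN
[1511870402] unbound[812:0] info: 192.168.1.50 api.mixpanel.com. AAAA IN
[1511870402] unbound[812:0] info: 192.168.1.50 www.bbc.co.uk. A IN
[1511870405] unbound[812:0] info: 192.168.1.51 API.Mixpanel.com. A IN
[1511870406] unbound[812:0] info: 192.168.1.51 notcrashlytics.com. A IN
""".splitlines()

if __name__ == "__main__":
    for client, counts in sorted(audit(SAMPLE_LOG).items()):
        for suffix, n in sorted(counts.items()):
            print(f"{client}\t{suffix}\t{n}")
```

A DNS tally shows which hosts a device looked up, not which app asked or what data was sent; attributing queries to an app needs on-device tooling.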

  15. Slx

    The law isn't keeping up with this

    We're supposed to have privacy laws and data protection laws to deal with this stuff, but it's clearly not working.

  16. Anonymous Coward
    Anonymous Coward

    No surprise: Android is riddled with trackers

    ^ see above. Thank you for your telemetry.

    1. Anonymous Coward
      Anonymous Coward

      Re: No surprise: Android is riddled with trackers

      Show me an OS that isn't?

      Except GNU/Linux, of course.

      1. Anonymous Coward
        Anonymous Coward

        Re: No surprise: Android is riddled with trackers

        Yeah and don't forget just about every web page you ever visited; In fact, like this one you're looking at right now!

      2. Anonymous Coward
        Anonymous Coward

        "Except GNU/Linux, of course."

        IIRC there was an attempt in Ubuntu too.... people's data attract some kind of executives just like honey.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Except GNU/Linux, of course."

          Yes, they captured searches on the "start menu" to include online results (like Windows does)

          But, people objected (or removed it, or switched distro), Canonical listened, and life goes on.

  17. NBCanuck
    Unhappy

    Disclosure

    What I would like to see is full disclosure on all apps with a full, but non-legalese, description of why the company is providing the software free.

    "Software is provided to end-user with no fee...

    ...with limited features with the hope that they will upgrade to a paid upgrade."

    ...because we are hoping to profit from in-app purchases."

    ...in exchange for allowing us to track browsing information to sell to third parties for advertising/other uses."

    ...in exchange for allowing us to track user's location data to sell to third parties for advertising/other uses."

    1. ThatOne Silver badge
      Stop

      Re: Disclosure

      > What I would like to see is full disclosure...

      You forgot option "All of the above"

      It's the most common.

  18. Prosthetic Conscience
    Flame

    "via retail outlet speakers"

    Bloody hell what's wrong with normal WiFi tracking like normal scumbag mall operators.

  19. Anonymous Coward
    Anonymous Coward

    What really sucks...

    ...is that while I can understand "free" services including trackers and the like, it is neither understandable nor acceptable for banking apps (where we are supposed to have some measure of trust in the bank (CMB and Banque Postale)), and one can say the same for subscription based services (Ouest France). I ought to fire up the VPN firewall app and see what these apps actually try to contact... Then maybe a letter to each demanding an explanation is in order?

  20. Version 1.0 Silver badge
    Big Brother

    Why the surprise?

    Has everyone been asleep? It's been obvious for years that your phone can track you and that anything on/in your phone can be used to track you and attempt to sell you stuff.

    I'm just amazed that there appear to be people out there who think that this isn't happening - please children, grow up. You are being tracked if you turn your phone on - if you don't like it then turn your phone off and put it in a foil bag.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the surprise?

      I agree, however it isn't just about being tracked - it's about knowing/deciding who is tracking, and why.

      We all know phone companies do it (they need to, as part of their infrastructure). We all know why Google does it, and we even benefit from it.

      But Skype? Spotify? Why the feck do they need it?

  21. David Nash

    That reports website

    ...is not very easy to use. Well it is if you want to see a list of trackers, or a screen full of pretty app icons, but what I am sure we would like to see is a table of apps with the number of trackers found in each app.

    If I missed it please enlighten me!

  22. Anonymous Coward
    Anonymous Coward

    It wouldn't surprise me if the torch app is telling them when it's dark.

    It's the future this is, buckle in and enjoy the ride.

  23. Anonymous Coward
    Anonymous Coward

    The worst thing of all is Google's SafetyNet crap in Android.

    A lot of the tracking stuff can be controlled and prevented by rooting your Android phone,

    and installing Adaway, and XPosed-Framework & XPrivacy, ApsOpsExposed, ReceiverStop and BootManager,

    but Google's SafetyNet crap interferes severely with Xposed&friends and a lot of "free" Software doesn't want to run on rooted and tightly security-controlled Android Phones, e.g. SnapChat, Nintendo Games (PokemonGo, Animal Crossing Pocket Camp, etc.) for the sole purpose that snooping and Ad Spamming can not be efficiently prevented.

    SafetyNet provides ZERO real security, because most Android phones are running with Android versions which have DOZENs of well-known security holes, because vendors don't ship updates. Plenty of Samsung smartphones are stuck on Android 5.0.1. SafetyNet check works on these phones in factory-pristine (unrooted) conditions -- and a positive SafetyNet check therefore guarantees a hundred or more gaping open security holes on each of the phones. And SafetyNet prevents safety measures such as Xposed&Xprivacy, Adaway and a lot of other vital tools to get used more broadly.

    SafetyNet is a total security disaster and a Snooping&AdSpamming enforcement technology from NSA-arm within Google, and every security practitioner should know and admit that.

    Why doesn't Samsung ship Marshmallow for Galaxy S4 ? Because they fucked up with device encryption in Lollipop on early Snapdragons (600, 800, 805) because it is unreliable and dead slow, but for political reasons "required" in Marshmallow. Android 6 or 7 without encryption would be so much more reasonable than Android 5.0.1 without encryption, but for political reasons undesired by Google. So SafetyNet is extremely counterproductive, and ACTIVELY hurts the userbase.

    https://blog.elcomsoft.com/2016/03/smartphone-encryption-why-only-10-per-cent-of-android-smartphones-are-encrypted/

    https://nelenkov.blogspot.de/2015/05/hardware-accelerated-disk-encryption-in.html

    Kill SafetyNet and kill the FDE-requirement in Android 6+7 for updates to Old Phones/Hardware.

    I have no PIN or other protection on my 2-year old Samsung Android phone (it's rooted), because it would be completely pointless against any attacker who gets physical access to my phone -- because of the endless well-known and unpatched 5.0.1 bugs.

  24. To Mars in Man Bras!
    Thumb Down

    Google Are The Worst of the Lot

    I regularly get notifications from Google popping up on my phone, inviting me to review my stay at this hotel or meal at that restaurant, merely because I've been walking near them, on my way round town.

    I've also got AFWall+ [Android firewall] installed, which is blocking anything which doesn't obviously need to be able to connect to the internet. You wouldn't believe how persistent Google's GBoard keyboard is at trying to phone home. Almost every time you enter text in a web form, or within an app, AFWall+'s notifications that it has blocked GBoard start appearing --and GBoard will keep trying on about a dozen different IP addresses, before it gives up.

    It seems tantamount to having a keyboard with a keylogger built right in.

  25. Michael Thibault

    "Do we violate your privacy? Of course, ...

    but you have no right to know the details of how".

    Transparency Now!

  26. Wisteela

    Am I concerned? Nope.

  27. sloshnmosh

    .....the page you're on now

    "Yeah and don't forget just about every web page you ever visited; In fact, like this one you're looking at right now!"

    According to uMatrix The Register is using Google analytics, Google Tag and something called dpmsrv.com.

    (The page views just fine without them)
