65 votes

Candy Crush, Tinder, MyFitnessPal: See the thousands of apps hijacked to spy on your location

38 comments

  1. [15]
    DefinitelyNotAFae

    Can someone break this down to what it means for the average user?

    Ads in apps have collected a lot more data than the app itself claimed was being collected and that data has been/is being collected by Gravy who sells it to anyone/everyone?

    Do I have the gist?

    23 votes
    1. [14]
      Rudism

      That more or less covers it. I think the takeaway is that if you're using apps that display ads, whoever placed the ads being displayed could be tracking your phone's location, and that location data is up for grabs to law enforcement or anyone else who wants to pay for it.

      I think it highlights the importance of blocking ads at the network level via something like ControlD, NextDNS, or even Pi-Hole. It's unfortunate that configuring something like that is probably beyond the reach of the average consumer.

      30 votes
      1. [5]
        Omnicrola

        I use the DuckDuckGo App Tracking Protection feature on my Android, and it's insane how much stuff it blocks (and yet everything still works fine).

        8 votes
        1. [4]
          TommyTenToes

          Do you use Three Cheers for Tildes? I just started using that tracker you mentioned (thank you) and it's calling out Three Cheers a ton. Maybe because of the webpages that are linked from Tildes.

          1. Omnicrola

            I don't, I usually use Firefox on either desktop or mobile (Android).

          2. trim

            Aurora Store says that Three Cheers has one tracker:

            1 tracker

            We have found code signature of the following tracker in the application:

            Google CrashLytics

          3. CptBluebear

            Likely, you could ask @talklittle if you want to make sure.

      2. DefinitelyNotAFae

        Thanks, yeah, not something I can really stop myself. A good reminder that phones don't need to come with you everywhere.

        3 votes
      3. [6]
        CptBluebear

        I need to find a good DNS-level block that doesn't interfere with a home network. Every time I set one up I invariably end up affecting my wife's work laptop due to the DNS requirements for their VPN, or the block list contains Teams or something similar. I can't find it because I have zero access to that device.

        Any suggestions about one that's relatively easy to set up with regards to exclusion lists?

        2 votes
        1. Rudism

          NextDNS is the one I'm currently using. It's a paid service, but adding domains to the exclusion list is pretty simple (their control panel has an "Allow List" tab where you can plug in the domains). It's also possible to enable logging to see what's getting blocked over a period of time and add them to your allow list with a click.

          There are at least a couple of options to work around getting local domains on a home network to work... the way I solve it is by using NextDNS as the upstream provider for my router's built-in DNS server, so any domains defined at the router take precedence. The downside of that is it doesn't work if you plug NextDNS's servers into an Android device's secure DNS setting (since it bypasses your router). The other option is that NextDNS lets you define your own domain -> IP overrides, so you could potentially define your local domains there to get them working.

          edit--I should mention that NextDNS is the only paid service I've used, so I can only really compare it to ControlD's free DNS servers (which have zero customizability) or self-hosting a Pi-Hole (which I did use for a while, but decided it wasn't worth the hassle to maintain when I can just pay someone else to do it).

          2 votes
        2. winther

          I use NextDNS and haven't had any such issues. You can have different profiles for devices, and for example the separate profile for your home network can be configured to be less strict and have its own exceptions.

          1 vote
        3. [2]
          pienix

          Depending on your level of technical expertise, I would suggest setting up a PiHole. It's quite easy to set up, and you have full control over what gets through.

          Combining it with a PiVPN ensures ad blocking on the go.

          1 vote
          1. Drewbahr

            I agree wholeheartedly with Pihole+PiVPN.

            Setting up a Pihole only requires as much money as you wish to throw at it, along with a certain degree of know-how. I opted to buy an actual Raspberry Pi and set it up on its own hardware, but you can just as easily run an instance of it off of a home PC, old laptop, whatever. It does not demand much in the way of resources.

            I know my way around building a desktop PC well enough, but I'm not terribly tech-savvy beyond that. I know nothing about programming or Linux in general. Even then, I'm able to get around well enough to keep my Pihole maintained, updated, and in working shape.

            https://pi-hole.net/

            https://discourse.pi-hole.net/

            https://www.pivpn.io/

            The Discourse channel is full of very knowledgeable and helpful people; there's also a dedicated subreddit if you run into any issues with Discourse for whatever reason.

            4 votes
        4. ShroudedScribe

          I gave up on network level a long time ago. I now have NextDNS running only on our iPhones, but we still have to toggle it off fairly frequently due to some sites or apps (especially restaurant ones) not loading at all.

          It will always be a cat-and-mouse game - you either aggressively block and then have to whitelist a ton as you go, or keep it limited and probably still have some ads and trackers get through.

  2. [2]
    slashtab
    (edited)

    A must read.

    The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

    ...

    Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

    ...

    Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

    ...

    He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

    Google did not respond to multiple requests for comment for this article. Neither did Apple.

    Archive Link

    21 votes
    1. slashtab
      (edited)

      There are 3455 apps listed in one of the lists and 16K in another. I kept scrolling and it didn't end. I'm loling in terror, although I'm not surprised.

      8 votes
  3. [3]
    phoenixrises

    Why is the headline truncated? It's an important thing that's happening, obviously, but it's still clickbait to truncate it specifically at that place in the headline.

    4 votes
  4. [18]
    Perryapsis

    To what extent does turning off your location in Android help avert some of this? If I turn off my location unless I actively need it for maps, revoke all location permissions from all apps, and only grant location permission to the map app "only this time" when I do use it, does that reduce the data collection at all? Or does the GPS antenna stay on anyway and log data under the hood, waiting to phone home as soon as any app gets location permissions again?

    4 votes
    1. [9]
      TaylorSwiftsPickles

      I will not claim I'm a privacy expert (because I am not) but Google also tracks your location via other sources, e.g. nearby wireless transmissions (Wi-Fi, Bluetooth, Cellular), and it works pretty well. You have to explicitly disable that as well (and trust them to actually keep their word... e.g. see one of the top results for "google tracked data illegally")

      9 votes
      1. [3]
        Weldawadyathink

        I am pretty sure that Android location tracking covers all sources of gathering location. It’s why apps that need to access Bluetooth must request the location permission, since it could be used to extrapolate location.

        5 votes
        1. [2]
          slashtab

          Any app with the nearby-devices or Wi-Fi discovery permission can get an idea of where you are, similar to how cellular triangulation works.

          3 votes
          1. Weldawadyathink

            And that’s why those permissions are behind the location permission in Android. That is what I am saying.

            7 votes
      2. [5]
        trim

        It's why I sacked off Google, and run GrapheneOS with no Google services, and select apps from F-Droid, plus my bank, which doesn't have ads or request location.

        I just don't see why companies should make money from tracking my whereabouts. That's just creepy.

        4 votes
        1. [2]
          imperator

          Been thinking about going this route for a year. Big thing I use is Android Auto. I could probably live without the other apps.

          1 vote
          1. trim

            Auto works on Graphene now. Though it does of course mean installing more bits of Google into your phone. Auto was a big necessity for a lot of people.

            1 vote
        2. [2]
          kjw

          No Google services? Afaik GOS has Google services, only that it's sandboxed and you can choose what to give it access to. Or am I wrong?

          1 vote
          1. trim

            It can do that, yes, and it's a safer way to consume Google services, but I strive to not use them.

            1 vote
    2. [8]
      slashtab

      Yes! It helps. It is better than nothing. Always monitor the permission manager, use the RethinkDNS app, get rid of the Advertisement ID, opt out of any kind of data collection (Google may still collect data, but at least that will be illegal).

      Prefer not to use apps which have ads; if you must, use them through progressive web apps or in a browser (which must have an ad and tracker blocker).

      2 votes
      1. [7]
        Rudism

        An unfortunate thing I've found is that if you have any apps that need to know when you're connected to specific wifi networks, for some inexplicable reason Google has tied that ability to location permissions.

        For example, an app I use to back up photos has the option to only upload stuff when I'm connected to my home wifi network, but I have to enable location services and give the app location permissions for that to work. Same goes if you use Tasker and want to use profiles that trigger when you connect to or disconnect from specific wifi networks (I use one to disable private DNS on my home network and re-enable it when I disconnect); without location turned on and location permissions, Tasker isn't able to know that.

        It's infuriating because other than those two cases I don't use any location-based functionality at all and would absolutely have it turned off all the time.

        2 votes
        1. [6]
          Weldawadyathink

          It’s a very explicable reason. If you know when you are nearby a WiFi network, you can pretty easily determine the location. It requires location permission because it gives the app something that is essentially location.

          4 votes
          1. [3]
            Rudism

            That makes sense from the permissions angle--I would have no problem granting an app explicit permission to know what wifi network I am actively connected to, understanding that it also possibly gives some location information. What baffles me is if an app only cares about which wifi network I'm actively connected to, why must I enable location services/GPS on my phone in order to give it that ability? I can scan and connect to wifi networks without location/GPS turned on, so why does a 3rd party app needing access to that information suddenly require location/GPS features on all the time?

            2 votes
            1. [2]
              Weldawadyathink

              Because location services is not “should we turn on the GPS radio”, it is “should we allow the system and apps to access the device location”. If you turn it off, you should be confident that apps cannot access your location except through a system exploit.

              What you really want is for the location services to be off except for Tasker, backups, and some other apps. The correct way to do that is to keep location services turned on and disable the location permission for all your other apps.

              You can scan networks with location services turned off because that is a system function built into Android. The system does not need to use the same permission model that apps do.

              5 votes
              1. Rudism

                In my mind, my intent when turning off location services would be to block all of the non-uninstallable Google system apps and manufacturer bloatware installed on the phone (which I assume doesn't ask for or need special permission) from reading the phone's location. That's the thing I want to be confident about, while still allowing a few select apps that I've installed and explicitly permitted to know what wifi network I'm connected to. But what you say makes some sense--I could be wrong in my assumptions about the scope of location services.

                1 vote
          2. [2]
            jcd

            I do use identically named (SSID) personal wifis (same password as well), but I suspect this practice cannot scale :)

            1. Weldawadyathink

              I am pretty sure most implementations use a combo of MAC address and SSID, so your setup would still be locatable to the nearest access point. But even without that, being able to see other nearby SSIDs, especially if you can also get RSSI, would be plenty to differentiate between different locations that have the same SSID.

              3 votes
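As an added illustration of the point made in this sub-thread (example code written for this page, not anything from the thread, from Android, or from a real geolocation service): a toy matcher that compares a Wi-Fi scan against reference scans for two sites that both broadcast the SSID "home", as in jcd's setup. All SSIDs, BSSIDs and RSSI values are constructed. It shows that the connected SSID alone leaves the two sites indistinguishable, while the set of nearby SSIDs or the access-point MAC addresses resolves the site, and the strongest signal picks the nearest access point.

```python
"""Toy Wi-Fi fingerprint matcher (constructed example, not from the thread).

Two reference sites both broadcast the SSID "home" with the same password.
A fresh scan is matched against them three ways: by the connected SSID
only, by every nearby SSID, and by access-point MAC addresses (BSSIDs).
The strongest BSSID then identifies the nearest access point.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str  # access-point MAC address (constructed value)
    rssi: int   # received signal strength in dBm (constructed value)


# Reference scans, one per known site. The flat has two mesh nodes named
# "home"; the parents' house has one. Each site has different neighbours.
REFERENCE_SITES = {
    "flat": [
        AccessPoint("home", "02:11:22:33:44:01", -45),
        AccessPoint("home", "02:11:22:33:44:03", -79),
        AccessPoint("CafeGuest", "02:aa:bb:cc:dd:01", -70),
    ],
    "parents": [
        AccessPoint("home", "02:11:22:33:44:02", -50),
        AccessPoint("VillageNet", "02:ee:ff:00:11:01", -66),
    ],
}


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def rank_sites(scan, sites, key):
    """Score every site by overlap of the identifiers `key` extracts."""
    seen = {key(ap) for ap in scan}
    ranking = [(jaccard(seen, {key(ap) for ap in aps}), site)
               for site, aps in sites.items()]
    return sorted(ranking, reverse=True)


def best_site(ranking):
    """Top-scoring site, or None when the two best scores tie (ambiguous)."""
    if len(ranking) > 1 and ranking[0][0] == ranking[1][0]:
        return None
    return ranking[0][1]


def locate(scan, sites=REFERENCE_SITES, connected_ssid="home"):
    """What each level of Wi-Fi access reveals about where the scan was taken."""
    connected = [ap for ap in scan if ap.ssid == connected_ssid]
    return {
        # a "which network am I on?" app sees only this
        "connected_ssid_only": best_site(rank_sites(connected, sites, lambda ap: ap.ssid)),
        # a scan of nearby network names
        "nearby_ssids": best_site(rank_sites(scan, sites, lambda ap: ap.ssid)),
        # a scan that also exposes access-point MAC addresses
        "bssids": best_site(rank_sites(scan, sites, lambda ap: ap.bssid)),
    }


def nearest_access_point(scan):
    """Strongest signal wins: the node the phone is physically closest to."""
    return max(scan, key=lambda ap: ap.rssi).bssid
```

A scan that sees only the "home" network still resolves to a site once BSSIDs are visible, which is why Android gates Wi-Fi scan results behind the location permission.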