Candy Crush, Tinder, MyFitnessPal: See the thousands of apps hijacked to spy on your location
- Authors
- Joseph Cox, Gear Team, Parker Hall, Elena Capilupi, Brian Barrett, Lisa Wood Shapiro, Nena Farrell, Ryan Waniata, Martin Cizmar, Kat Merck, Andrew Williams, Simon Hill, Adrienne So
- Published
- Jan 9 2025
Can someone break this down to what it means for the average user?
Ads in apps have collected a lot more data than the app itself claimed was being collected and that data has been/is being collected by Gravy who sells it to anyone/everyone?
Do I have the gist?
That more or less covers it. I think the takeaway is that if you're using apps that display ads, whoever placed the ads being displayed could be tracking your phone's location, and that location data is up for grabs to law enforcement or anyone else who wants to pay for it.
I think it highlights the importance of blocking ads at the network level via something like ControlD, NextDNS, or even Pi-Hole. It's unfortunate that configuring something like that is probably beyond the reach of the average consumer.
I use the DuckDuckGo App Tracking Protection feature on my Android, and it's insane how much stuff it blocks (and yet everything still works fine).
Do you use Three Cheers for Tildes? I just started using that tracker you mentioned (thank you) and it's calling out Three Cheers a ton. Maybe because of the webpages that are linked from Tildes.
I don't, I usually use Firefox on either desktop or mobile (Android).
Aurora Store says that Three Cheers has one tracker:
1 tracker
We have found code signature of the following tracker in the application:
Google CrashLytics
Likely, you could ask @talklittle if you want to make sure.
Thanks yeah not something I can really stop myself. A good reminder that phones don't need to come with you everywhere.
I need to find a good DNS level block that doesn't interfere with a home network. Every time I set one up I invariably end up affecting my wife's work laptop due to the DNS requirements for their vpn or the block list contains Teams or something similar. I can't find it because I have zero access to that device.
Any suggestions about one that's relatively easy to set up with regards to exclusion lists?
NextDNS is the one I'm currently using. It's a paid service, but adding domains to the exclusion list is pretty simple (their control panel has an "Allow List" tab where you can plug in the domains). It's also possible to enable logging to see what's getting blocked over a period of time and add them to your allow list with a click.
There are at least a couple options to work around getting local domains on a home network to work... the way I solve it is by using NextDNS as the upstream provider for my router's built-in DNS server, so any domains defined at the router take precedence. The downside of that is it doesn't work if you plug NextDNS's servers into an Android device's secure DNS setting (since it bypasses your router). Other option is that NextDNS lets you define your own domain -> IP overrides so you could potentially define your local domains there to get them working.
edit--I should mention that NextDNS is the only paid service I've used, so I can only really compare it to ControlD's free DNS servers (which have zero customizability) or self-hosting a Pi-Hole (which I did use for a while, but decided it wasn't worth the hassle to maintain when I can just pay someone else to do it).
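As an added illustration of the precedence the replies above describe (router-defined local names first, allow list over block list, and a query log to review before adding exceptions), here is a small model of that decision logic in Python. It is not NextDNS's or Pi-hole's code; every domain and IP in it is a constructed placeholder.

```python
# Added example: a minimal model of a DNS-level blocker's decision order.
# Local overrides (like names defined at the router) win, an allow list beats
# the block list, and blocked queries are logged so they can be reviewed.
from collections import Counter

# Constructed sample data; all names are placeholders, not real services.
LOCAL_OVERRIDES = {"nas.home.lan": "192.168.1.20", "printer.home.lan": "192.168.1.21"}
BLOCKLIST = {"ads.tracker-example.test", "telemetry.example-sdk.test", "corp-collab.test"}
ALLOWLIST = {"corp-collab.test"}   # e.g. a work VPN/chat domain a blocklist swept up

def _matches(qname, domains):
    """True if qname equals or is a subdomain of any name in the set."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def resolve_policy(qname, log):
    """Return ("LOCAL", ip), ("ALLOW", None) or ("BLOCK", None) and record it."""
    name = qname.lower().rstrip(".")
    if name in LOCAL_OVERRIDES:            # router / override rewrite wins outright
        decision = ("LOCAL", LOCAL_OVERRIDES[name])
    elif _matches(name, ALLOWLIST):        # allow list beats block list
        decision = ("ALLOW", None)
    elif _matches(name, BLOCKLIST):
        decision = ("BLOCK", None)
    else:
        decision = ("ALLOW", None)
    log.append((name, decision[0]))
    return decision

def blocked_summary(log, top=5):
    """Most-blocked names: the list a user reviews before adding exceptions."""
    return Counter(n for n, d in log if d == "BLOCK").most_common(top)

if __name__ == "__main__":
    log = []
    for q in ["nas.home.lan", "cdn.ads.tracker-example.test", "meet.corp-collab.test",
              "news.example.test", "ads.tracker-example.test"]:
        print(q, resolve_policy(q, log))
    print(blocked_summary(log))
```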
I use NextDNS and haven't had any such issues. You can have different profiles for devices, and for example the separate profile for your home network can be configured to be less strict and have its own exceptions.
Depending on your level of technical expertise, I would suggest setting up a PiHole. It's quite easy to set up, and you have full control over what gets through.
Combining it with a PiVPN ensures ad blocking on the go.
I agree wholeheartedly with Pihole+PiVPN.
Setting up a Pihole only requires as much money as you wish to throw at it, along with a certain degree of know-how. I opted to buy an actual Raspberry Pi and set it up on its own hardware, but you can just as easily run an instance of it off of a home PC, old laptop, whatever. It does not demand much in the way of resources.
I know my way around building a desktop PC well enough, but I'm not terribly tech-savvy beyond that. I know nothing about programming or Linux in general. Even then, I'm able to get around well enough to keep my Pihole maintained, updated, and in working shape.
https://pi-hole.net/
https://discourse.pi-hole.net/
https://www.pivpn.io/
The Discourse channel is full of very knowledgeable and helpful people; there's also a dedicated subreddit if you run into any issues with Discourse for whatever reason.
I gave up on network level a long time ago. I now have nextdns running only on our iPhones, but we still have to toggle it off fairly frequently due to some sites or apps (especially restaurant ones) not loading at all.
It will always be a cat and mouse game - you either aggressively block and then have to whitelist a ton as you go, or keep it limited and probably still have some ads and trackers get through.
Thanks for the suggestions!
A must read.
There are 3455 listed apps in one of the lists and 16K in another. I kept scrolling and it didn't end. I'm loling in terror, although I'm not surprised.
Why is the headline truncated? It's an important thing that's happening, obviously, but it's still clickbait to truncate it specifically at that place in the headline.
Fixed! 👍
you are literally the best!
To what extent does turning off your location in Android help avert some of this? If I turn off my location unless I actively need it for maps, revoke all location permissions from all apps, and only grant location permission to the map app "only this time" when I do use it, does that reduce the data collection at all? Or does the GPS antenna stay on anyway and log data under the hood, waiting to phone home as soon as any app gets location permissions again?
I will not claim I'm a privacy expert (because I am not) but Google also tracks your location via other sources, e.g. nearby wireless transmissions (Wi-Fi, Bluetooth, Cellular), and it works pretty well. You have to explicitly disable that as well (and trust them to actually keep their word... e.g. see one of the top results for "google tracked data illegally")
I am pretty sure that android location tracking covers all sources of gathering location. It’s why apps that need to access Bluetooth must request the location permission, since it could be used to extrapolate location.
Any app with the nearby-devices or WiFi-discovery permission can get an idea where you are, similar to how cellular triangulation works.
And that’s why those permissions are behind the location permission in Android. That is what I am saying.
It's why I sacked off Google, and run Graphene OS with no Google services, and select apps from f-droid, plus my bank, which doesn't have ads or request location.
I just don't see why companies should make money from tracking my whereabouts. That's just creepy
Been thinking about going this route for a year. The big thing I use is Android Auto. I could probably live without the other apps.
Auto works on Graphene now. Though it does of course mean installing more bits of Google into your phone. Auto was a big necessity for a lot of people.
No Google services? Afaik GOS has Google services, only that it's sandboxed and you can choose what to give it access to. Or am I wrong?
It can do that yes, and it's a safer way to consume Google services, but I strive to not use them
Yes! It helps. It is better than nothing. Always monitor the permission manager, use the RethinkDNS app, get rid of the advertising ID, and opt out of any kind of data collection (Google may still collect data, but at least that will be illegal).
Prefer not to use apps which have ads; if you must, use them through progressive web apps or in a browser (which must have an ad and tracker blocker).
An unfortunate thing I've found is that if you have any apps that need to know when you're connected to specific wifi networks, for some inexplicable reason Google has tied that ability to location permissions.
For example an app I use to backup photos has the option to only upload stuff when I'm connected to my home wifi network, but I have to enable location services and give the app location permissions for that to work. Same goes if you use Tasker and want to use profiles that trigger when you connect or disconnect from specific wifi networks (I use one to disable private DNS on my home network and re-enable it when I disconnect), without location turned on and location permissions Tasker isn't able to know that.
It's infuriating because other than those two cases I don't use any location-based functionality at all and would absolutely have it turned off all the time.
It’s a very explicable reason. If you know when you are nearby a WiFi network, you can pretty easily determine the location. It requires location permission because it gives the app something that is essentially location.
That makes sense from the permissions angle--I would have no problem granting an app explicit permission to know what wifi network I am actively connected to, understanding that it also possibly gives some location information. What baffles me is if an app only cares about which wifi network I'm actively connected to, why must I enable location services/GPS on my phone in order to give it that ability? I can scan and connect to wifi networks without location/GPS turned on, so why does a 3rd party app needing access to that information suddenly require location/GPS features on all the time?
Because location services is not “should we turn on the GPS radio”, it is “should we allow the system and apps to access the device location”. If you turn it off, you should be confident that apps cannot access your location except through a system exploit.
What you really want is for the location services to be off except for tasker, backups, and some other apps. The correct way to do that is keep location services turned on and disable the location permission for all your other apps.
You can scan networks with location services turned off because that is a system function built into Android. The system does not need to use the same permission model that apps do.
In my mind, my intent when turning off location services would be to block all of the non-uninstallable Google system apps and manufacturer bloatware installed on the phone (which I assume doesn't ask for or need special permission) from reading the phone's location. That's the thing I want to be confident about, while still allowing a few select apps that I've installed and explicitly permitted to know what wifi network I'm connected to. But what you say makes some sense--I could be wrong in my assumptions about the scope of location services.
I do use identically named (SSID) personal wifis (same password as well), but I suspect this practice cannot scale :)
I am pretty sure most implementations use a combo of MAC address and ssid, so your setup would still be locatable to the nearest access point. But even without that, being able to see other nearby ssid, especially if you can also get rssi, would be plenty to differentiate between different locations that have the same ssid.
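As an added illustration of the point in the reply above (not code from the thread or from any location SDK): a scan is keyed by BSSID, the access point's MAC, with signal strength, so two networks sharing an SSID and password still produce different fingerprints. The scans and BSSIDs below are constructed.

```python
# Added example: compare Wi-Fi scans by BSSID set and RSSI rather than by SSID.
# Shows why reusing one SSID at two places does not make them look the same.

def ssids_match(scan_a, scan_b):
    """The naive check: do the two scans share a network name at all?"""
    return bool({v[0] for v in scan_a.values()} & {v[0] for v in scan_b.values()})

def scan_similarity(scan_a, scan_b):
    """Fraction of shared BSSIDs, weighted down when their RSSI differs a lot.
    Returns 0.0 for no overlap and 1.0 for identical scans."""
    shared = set(scan_a) & set(scan_b)
    union = set(scan_a) | set(scan_b)
    if not union:
        return 0.0
    score = 0.0
    for bssid in shared:
        # 20 dB apart is treated as a different spot; linear credit in between
        delta = abs(scan_a[bssid][1] - scan_b[bssid][1])
        score += max(0.0, 1.0 - delta / 20.0)
    return score / len(union)

def same_place(scan_a, scan_b, threshold=0.5):
    """Decide 'same location' from BSSID overlap, the way a location SDK would."""
    return scan_similarity(scan_a, scan_b) >= threshold

# Constructed scans: {bssid: (ssid, rssi_dbm)}. BSSIDs are made up.
HOME = {"02:00:00:aa:00:01": ("HomeNet", -42),
        "02:00:00:bb:00:07": ("Neighbor-5G", -70)}
HOME_LATER = {"02:00:00:aa:00:01": ("HomeNet", -46),
              "02:00:00:bb:00:07": ("Neighbor-5G", -75),
              "02:00:00:cc:00:02": ("Guest", -88)}
CABIN = {"02:00:00:dd:00:09": ("HomeNet", -40),      # same SSID, different AP
         "02:00:00:ee:00:03": ("CafeWifi", -80)}

if __name__ == "__main__":
    print("SSID match home/cabin:", ssids_match(HOME, CABIN))        # True
    print("BSSID same place home/cabin:", same_place(HOME, CABIN))   # False
    print("BSSID same place home/home later:", same_place(HOME, HOME_LATER))
```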