Staggering Variety of Clandestine Trackers Found in Popular Android Apps

Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, ride-sharing, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze Android apps but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a telltale set of keywords or string of bytes found in an app file, or a mathematically derived “hash” summary of the file.

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.

“I think people are used to the idea, whether they should be or not, that Lyft might be tracking them,” said Sean O’Brien, a visiting fellow at Yale Privacy Lab. “And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think that their data is being resold or at least redistributed through these other trackers.”

Among the Android apps researchers identified were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Super-Bright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ride-sharing service Uber, with three trackers; and Skype, Lyft, AccuWeather, and Microsoft Outlook.

(A Spotify spokesperson wrote, “We take data security and privacy very seriously. Our goal is to give both our users and advertising partners a great experience while maintaining consumer trust.” An Uber spokesperson referred The Intercept to its published details on its use of cookies, which lists some of their third-party cookie providers but is not intended to be comprehensive. Users who visit the privacy policy section of Uber’s website can follow an opt-out link that appears to only apply to interest-based advertising on web traffic. The preferences do not work if a user disables third-party cookies, and users must opt out again after deleting their cookies.)

Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own.

“The real question for the companies is, what is their motivation for having multiple trackers?” asked O’Brien.

“Data is the oil in the machinery here, and I think they’re just trying to find different ways to extract it.”

Tinder’s heavy use of trackers means the company has been able to make use of behavior analytics and accept payment from shaving company Gillette for highly targeted research: Do college-aged male Tinder users with neatly groomed facial hair receive more right swipes than those with untidy facial hair?

Capabilities of the trackers Exodus uncovered include targeting users based on third-party data, identifying offline movement through machine learning, tracking behavior across devices, uniquely identifying and correlating users, and targeting users who abandon shopping carts. Most trackers work by deriving an identification code from your mobile device or web browser and sharing it with third parties to more specifically profile you. App makers can even tie data collected from trackers with their own profiles of individuals, including names and account details. Some tracking companies say they anonymize data and have strict rules against sharing publicly identifiable information, but the sheer wealth of data collected can make it possible to identify users even in the face of such safeguards.

Although some or all of the apps identified by Exodus and Yale researchers may technically disclose the use of trackers in the fine print of their privacy policy, terms of service, or app description, it is difficult, to say the least, for smartphone users to get a clear handle on the extent and nature of the monitoring directed at them. The whole point of using a mobile app, after all, is often to save time.

“How many people actually know that these trackers are even there?” said Michael Kwet, another visiting fellow at Yale Privacy Lab. “Exodus had to create this software to even detect that they were in there.”

A few of the trackers offer users the option to opt-out via email or through their privacy settings. But tracking can resume even after this step is taken. For example, one app requires that users who clear their cache set up the opt-out again. Some opt-outs are temporary. Even if the opt-outs do end up being permanent, few users would even know to activate them in the first place.

Google Vice President of Engineering David Singleton speaks during the Google I/O 2015 keynote presentation in San Francisco.

Meet the Trackers

Google has a vested interest in allowing liberal use of trackers in apps distributed through Google Play. One of the most ubiquitous in-app trackers is made by Google’s DoubleClick ad platform, which targets users by location and across devices and channels, segments users based on online behavior, connects to personally identifiable information, and offers data sharing and integration with various advertising systems. DoubleClick’s tracker is found in many popular apps, including Tinder, OkCupid, Lyft, Uber, Spotify, the Weather Channel, AccuWeather, and the popular flashlight apps Super-Bright LED Flashlight and LED Light.

A Google spokesperson confirmed that its ad platforms DoubleClick for Publishers and AdMob serve ads on both Android and iOS devices and that it ties information collected by the networks to a persistent identifier to measure engagement. Although users can control information Google uses to show them ads, they cannot specifically opt-out of DoubleClick.

DoubleClick prohibits vendors from sharing personally identifiable information or other unique identifiers, and states that it only stores general location data, like city and ZIP code, rather than precise location information unless users enable location history in their Google account. App developers who use DoubleClick Ad Exchange are required to disclose in their privacy policies that the user’s identifier will be shared unless the user opts-out of ad tracking, and to explain how the user can reset their identifier. Google shares attribution data with advertisers and third-party measurement partners using these identifiers.

Perhaps the most invasive of the trackers is Fidzup, a France-based mobile performance marketing platform for brick-and-mortar retailers. The company has stated in its advertising copy that it has developed communication between a sonic emitter and a mobile phone (either iOS or Android) by emitting an inaudible tone to locate a user within a shopping mall or a store. User phones receive the signal and decode it to give away their location. The company further uses geofencing to track users to a so-called catchment area, such as a specific section within a store, where it can serve them targeted ads, possibly for a competing retailer.

Mathieu Vaas, a spokesperson for Fidzup, said that the company has not used inaudible tones in two years, but is instead using Wi-Fi-based technology to obtain data regarding how customers behave within stores and re-target them with ads. But information on sonic technologies is posted on Fidzup’s website (as of November 21) and detailed further in an older version of the site accessed October 15. Vaas stated that these pages are outdated and inaccessible from the main page, and will be scrubbed from a new website that’s currently being prepared.

Vaas also confirmed that, even just using Wi-Fi technology, Fidzup can track highly specific in-store behavior, such as aisles visited, the time spent in them, the number of visits to a store, and so forth. Fidzup can also leverage other apps to obtain geolocation data, but the only third parties receiving that data are retailers that have installed the company’s Wi-Fi technology within their store, he added, and the data is only related to behavior within the store.  Vaas later said that Fidzup does not share information with third parties.

“In every store where we are present, we inform the public of the presence of data-gathering technology in the store and indicate to them that they can turn their Wi-Fi off, as well as provide them with a link that allows them to permanently opt-out of Fidzup. In that case, their data will be recognized and scrapped automatically and they won’t be retargeted with ads from Fidzup ever,” he said via email.

Though based in France, Fidzup has a presence in San Francisco, and Vaas said that the company plans to start effectively operating in the U.S. soon. Vaas said the company is subject to stricter privacy laws and regulations in France than the U.S. has, and as they “deeply respect consumers’ rights to privacy and their civil liberties,” they plan to operate under those standards in the U.S. as well.

O’Brien and Kwet seemed less impressed with the company’s privacy commitment, writing, “Fidzup’s practices mirror that of Teemo (formerly known as Databerries), the tracking company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens.” Teemo collected navigation data from mobile users and used it to drive in-store sales by targeting users based on locations they had visited. Its website states that it may collect location data using GPS, cell towers, Wi-Fi access points, wireless networks, and sensors, such as gyroscopes, accelerometers, compasses, and barometers. In addition to collecting IP addresses and identifiers assigned to mobile devices, it also may obtain information from third parties to combine with what it has and share its information with third parties (with some stipulations) as well. As with Fidzup, it is not immediately clear to what extent Teemo is operating in the U.S. Although Teemo is a French company based in Paris, it has an office in New York. Teemo did not respond to request for comment.

Surveillance Mission Creep

Not all trackers are equally invasive, though many grab more information than they arguably should. For example, Google-owned Crashlytics is presumably just a crash reporter, but it does much more than simply performing analytics on app logs. The app, used by Tinder, OkCupid, Spotify, Uber, Super-Bright LED, and LED Light, can also link users across multiple cookies and devices. Microsoft’s HockeyApp, used by Microsoft Outlook, Skype, and the Weather Channel, goes beyond simply collecting and analyzing crash reports but can also track daily active users, monthly active users, the net number of new users, and session counts. AppsFlyer (used by Tinder, Super-Bright LED, and the Weather Channel) does fraud prevention and protects from malware, but also fingerprints devices by their IDs, tracks users across datasets to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps. A spokesperson for AppsFlyer directed The Intercept to the company’s privacy policy and stated that the tracker only works with businesses and advertisers, and does not engage with end users. Its terms and conditions also require clients to disclose the collection and use of data in their own privacy policies.

In addition to DoubleClick, Teemo, and Fidzup, Braze (formerly Appboy) and Salesforce DMP (formerly Krux) appear to collect large amounts of user data. Braze, used by OkCupid and Lyft, can track users by location, target them across devices and channels, and serve targeted advertising based on consumer actions. Salesforce DMP, used by OkCupid, not only captures user clicks, downloads, and other interactions, but also uses hashed device management to effectively circumvent Safari’s third-party blocking. The tracker allows marketers to use machine learning to discover personas, uses cross-device ID, and even uses behavioral analysis to guess when a user is sleeping, and a probabilistic matching algorithm to match identities across devices. There is an opt-out on the Salesforce website, though it’s unclear what percentage of OkCupid users are aware that the dating site is wrapped around the Salesforce DMP tracker and would even know to opt-out. (OkCupid did not respond to request for comment.)

Weather apps are ubiquitous, and one wouldn’t guess that they’d include surveillance. But both AccuWeather and the Weather Channel apps (along with Spotify) use the ScorecardResearch tracker, which can also track data on usage, including information on web browsing and app usage behavior over time and across digital properties, possible relationships between browsers and devices — which can be provided to third parties for advertising purposes. The tracker can even use third-party service providers to obtain more non-personally identifiable information to add to unique profiles using cookies.

The tracker Millennial Media (formerly Nexage) is used by AccuWeather and Super-Bright LED to “automate the buying and selling of mobile advertising” targeting channel and demographic segments, such as a shampoo company targeting “women ages 25-55 with an emphasis on … pregnancy, stress, and bleach/coloring.”

Microsoft Outlook, the Weather Channel, Super-Bright LED, and LED Light use Flurry, a mobile ad platform acquired from Yahoo by Verizon subsidiary Oath. Flurry tracks device and app performance metrics and analyzes user interactions, identifies user interests, stores data profiles as personas, groups and correlates user data, and injects both native and video ads. A spokesperson for Oath said that Flurry’s terms of service require app developers to post a privacy policy notifying what data is collected, stored, and shared, and either linking to Flurry’s privacy policy or describing their opt-out service. In addition, the spokesperson said only information that’s not personally identifiable leaves Flurry’s system.

Another tracker, Tune, follows ride-sharing users’ online and offline behavior across devices and also tracks in-app user behavior, uniquely identifies users, and tracks their location.

The AppNexus tracker, used by, among other apps, Super-Bright LED, uses machine learning for targeted advertising. In a phone call, AppNexus spokesperson Joshua Zeitz confirmed that the tracker collects mobile advertising identifiers, type of phone, IP addresses, and a unique app identifier. The company does store mobile advertising identifiers, as well as cookies from web users, but Zeitz said data on what ads have been served to what identifiers is only retained for up to 33 days, and that the tracker does not collect names, numbers, or account numbers, that it only keeps device and browser identifiers and cookies, and that it cannot de-anonymize users from its data set. AppNexus stated that it does not share device and browser identifiers tied with third parties.

O’Brien said app developers can choose the types of advertising they embrace, but that it’s unlikely users are thinking about those decisions when installing apps. He also doesn’t see permissions as a solution. “If you’re in a situation where you’re asking the victim of the tracking how much tracking they want, you’ve already gone too far. It’s already a problem,” he said.

Without an overhaul of the advertising-rich phone system, O’Brien said the best solution may be to use the software repository F-Droid, which distributes only free and open source software that does not include unknown or masked trackers or code.