Seventy-five percent of 300 Android apps tested by Exodus Privacy and analyzed by the Yale Privacy Lab contain embedded trackers, including Uber, Tinder, Skype, Twitter, Spotify and Snapchat. The trackers are primarily used for targeted advertising, behavioral analytics and location tracking. They come as part of the app, and their presence and operation is likely unknown to the user at the time of installation.
Details are published in an analysis by the Yale Privacy Lab. It looked at 25 of the 44 trackers known to the French non-profit Exodus Privacy. Exodus analyzed 300 apps using its app scanning platform. According to its own research, the five most common embedded trackers are CrashLytics, DoubleClick, Localytics, Flurry and HockeyApp.
Despite this high number of trackers located by the research, Privacy Lab fears the problem could be worse. “The Exodus platform identifies trackers via signatures, like an anti-virus or spyware scanner, and thus can only detect trackers previously identified by researchers at the time of the scan.” It fears that trackers can be added to apps in software updates after installation, and that new trackers will simply not yet be identified by Exodus.
It also adds, “Tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms.”
The analysis from Privacy Lab provides two examples that demonstrate its concern. Fidzup claims it has developed communication between a sonic emitter and a mobile phone. By diffusing a tone, inaudible to the human ear, inside a building Fidzup can detect the presence of mobile phones and therefore their owners. “Users installing ‘Bottin Gourmand’, a guide to restaurants and hotels in France,” warns Privacy Lab, “would thus have their physical location tracked via retail outlet speakers as they move around Paris. Their experience would be shared by readers of car magazine app ‘Auto Journal’ and TV guide app ‘TeleStar’.”
This type of technology has probably been replaced by simple WiFi tracking; but, warns the research, closely resembles the practices of Teemo and SafeGraph. Teemo was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens, and SafeGraph, who collected 17 trillion location markers for 10 million smartphones during [Thanksgiving] last year.
However, the organization is particularly concerned about the use of trackers on the finances and healthcare of users. It cites Mon AXA, developed by a multinational insurance and finance firm, and found by Exodus to contain six trackers. Privacy Lab does not know what information is shared by these trackers. Other AXA apps, including ‘HealthLook’, ‘AXA Banque’, and ‘My Doctor’ also contain trackers.
Other health and finance apps that contain trackers include those from Aetna, the American Red Cross, WebMD, American Express, Discover, HSBC, Wells Fargo, and PayPal.
Privacy Lab is calling for greater transparency from Google over privacy and security practices for trackers. “Android users, and users of all app stores, deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code.”