Privacy on Google’s Android operating system is always under scrutiny. Between malicious apps stealing your data and integrated trackers, Android users have a rough ride. But the customization, the open-source development platform, and the huge range of handsets attract hundreds of millions of users, myself included.
Privacy Plundering Apps
Exodus security researchers identified 71 trackers in more than 800 Android apps. The apps have billions of downloads between them. The Yale Privacy Lab team is working to replicate the findings of the Exodus team. So far, they’ve released reports on 25 of the trackers.
Amongst the worst offenders (meaning six or seven ad trackers each) were dating apps Tinder and OkCupid, the Weather Channel app, and Super-Bright LED Flashlight. Spotify contains four trackers, while Uber, Lyft, Skype, AccuWeather, and Microsoft Outlook each have three. Furthermore, some trackers feature in hundreds of apps.
Sean O’Brien, visiting fellow at Yale Privacy Lab thinks “people are used to the idea, whether they should be or not, that Lyft might be tracking them. And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think their data is being resold or at least redistributed through these other trackers.”
“The real question for companies is, what is their motivation for having multiple trackers?”
Who Owns Them?
Given we are discussing the Android platform, you can guess who has the most trackers. That’s right: Google features in a huge number of apps. You can see the Exodus Most Frequent Trackers list below.
The vast majority of apps report back to and feed into the Google Ads network. I’m sure most people understand this. After all, the vast majority of Android apps are free, and if it is free, you’re the product. While we accept this explicit data-for-free-apps arrangement, some apps appear to take advantage of the data mountains.
For instance, Tinder has leveraged their incredible insight into dating patterns and image choices to create highly detailed behavioral analytics. Gillette is one such company to purchase highly targeted research from Tinder. (“Is some facial hair more or less desirable?”)
Also unsurprisingly, Facebook’s well-known tracking programs are also near the top of the list.
The recycling of data goes further than this, though. A large proportion of the Android ad trackers identified by Exodus target users based on third-party data. The trackers identify offline movement through machine learning algorithms, track behavior across devices to build unique profiles, as well as target users that abandon their online shopping carts.
Your mobile device is assigned a unique tracking code that is shared between third-party trackers. The apps then tie tracking data to your profile, added to over time, to streamline the advertising process.
What Data Do Ad Trackers Collect?
As mentioned, the most active trackers belong to Google. The Google DoubleClick ad platform targets users by location, across devices, by online behavior, and offers integration with other advertising platforms. Furthermore, in 2016, Google dropped one of their longstanding anonymity features, allowing personally identifying data to mingle with its unfathomably large database of web-browsing records.
Of course, Google is at the forefront of tracking apps distributed on its platform. It engrains their most profitable activity — advertising. And, although users can control the information Google uses to display ads, there is no DoubleClick opt-out. Once you’re in, the only way to stop is by leaving the ecosystem entirely. (Or use a combination of privacy-granting extensions.) Google operates the DoubleClick and AdMob platforms on both iOS and Android.
Google are prolific but by no means the worst tracking offender. That ignominious title falls to Fidzup (view their tracker report), a French mobile performance marketing platform. Fidzup use a sonic emitter to directly communicate with your smartphone when you enter a mall. Your smartphone receives the inaudible signal and betrays your location within the mall. Fidzup then serves geo-targeted ads for specific advertisers, potentially offering deals for competing retailers.
A Fidzup spokesman said that the company hasn’t used inaudible tracking signals for over two years. Rather, they now prefer to identify location using Wi-Fi-based tech. The Wi-Fi model allows greater insight into user behavior within stores, targeting with specific ads for the store or its competitors.
The company predominantly operate in France, though plan to begin operations in San Francisco in the near future. And, as we know, U.S. consumer protections are vastly reduced in comparison to the European Union. Other trackers using similar technology were found also to collect a wide range of information about the devices, as well as also combining that data with third-party sources to build more accurate profiles.
Other trackers suffer from “mission-creep.” That is to say, their design is for one job, but their reach within a device allows them to perform unintended (or secretly intended) data gathering.
A prime example is Google-owned Crashlytics (view their tracker report). A simple crash-reporting app used by Tinder, OkCupid, Spotify, Dailymotion, Trello, Spotify, Uber, and more, can also link users across cookies and devices.
Microsoft’s HockeyApp features in Microsoft Outlook, Skype, and the Weather Channel, but also tracks daily active users, monthly active users, new users, and session counts.
AppsFlyer is a fraud prevention and malware protection tracker, but also fingerprints devices by IDs, tracking users across datasets to keep tabs on users across multiple devices.
Hoovering Up Data with Android Trackers
Trackers are after one thing: personal data. We’re bombarded with security news and privacy tips. After a while, it becomes a single easy-to-ignore background noise. Likewise, if you cannot even see what is tracking you, or app developers purposefully fail to inform users about trackers, how can we respond appropriately?
Broaching the subject of invasive trackers is difficult. How many of us love the extensive free app platforms? How about the myriad social media platforms where we so happily splurge? Nearly 80 percent of social media time now comes from mobile devices, and we spend around five hours per day glued to our screens (according to MediaKix, 1 hour 56 minutes of that is social media time). All that time amounts to a data goldmine for trackers.
Unfortunately, there isn’t much you can do to escape integrated trackers in your favorite apps. The F-Droid app repository features Android apps guaranteed to be free of trackers. But for the vast majority of people the choice of free apps a single-click away, and a time-consuming alternative process is an easy choice.
I’m not knocking you — I’m the same. But realizing how far trackers go to create nuanced unique advertising profiles is disconcerting. I’m certainly considering better securing my data, at least where I can. Perhaps you should too.
Is it too late to change the system? Have we accepted too many free apps and services in exchange for our data? Does the level of tracking make you uneasy, unhappy, or something else? Let us know your thoughts on mobile tracking below!