igor - Fotolia
Security researchers found that hundreds of apps in the Google Play Store had trackers that were keeping tabs on users. What, if anything, was compromised because of these app trackers, and how can app trackers be dealt with?
Most people who use computers and other smart devices to connect to the internet are aware, to a greater or lesser extent, that some of their activities may be tracked either by the websites they visit or the apps they use. The scope and nature of this tracking appears to have increased dramatically over the last few years, particularly in the area of real-world surveillance.
A joint project between Privacy Lab, an initiative of the Information Society Project at Yale Law School, and French nonprofit Exodus Privacy found that companies are using Wi-Fi, Bluetooth and even ultrasonic sound inaudible to the human ear to track users' geolocations and in-store behavior in real time.
Exodus Privacy scanned Google Play apps using its own analysis software looking for signatures it developed to identify tracking code. Of the 300 apps Exodus analyzed, 75% contain trackers. From a list of 86 tracking apps drawn up by Exodus, Privacy Lab looked into 25 trackers present in popular Google Play apps, such as Uber, Tinder, Skype, Twitter, Spotify and Snapchat.
These trackers vary in their features and purpose, but are primarily utilized for targeted advertising, behavioral analytics and location tracking, according to Privacy Lab. Although there are no iOS apps included in their studies, as they are a lot harder to audit, the Privacy Lab post said tracker companies do advertise iOS versions of their software.
While these may be legitimate -- and, in many cases, benign -- applications, the amount of data captured by these app trackers and the level of user awareness, if any, raises serious privacy concerns and may have security implications for some users. Data collected via app trackers is often shared across many companies and apps with little opportunity for the user to opt out of such widespread dissemination of their data.
Developers want to monetize their code, and selling personal data is an easy way to do that. For example, many apps were found to send the user's name, phone number, email address, login, IP address and device ID to Outbrain, a discovery platform that helps connect marketing companies to their target audience.
Probably the most unusual form of tracking was the use of supersonic tone tracking by Fidzup. Although Fidzup stated it no longer uses this form of tracking, it previously tracked users' physical location via a retail outlet's ultrasonic beacons.
Location data in the wrong hands can put people at physical risk, while personal data can be used to not only target legitimate adverts, but also for phishing emails and identity theft.
Users are encouraged by most app stores to only grant permissions that have relevant context for an app's purpose. But, for most apps to be useful, they do need access to certain functions or data sets. A big problem is that it is not easy to find out all the things an app actually does with these permissions.
The General Data Protection Regulation (GDPR), which will be enacted on May 25, 2018, may reduce the amount of data being captured by app trackers and the extent to which it is resold.
Under GDPR, companies will no longer be able to use illegible terms and conditions, as the request for consent must be in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Also, it must be as easy for a user to withdraw consent as it is to give it, and noncompliant organizations can face heavy fines.
While GDPR may not immediately deter international cybercriminals, legitimate companies may find the risk of fines running as high as 4% of annual global turnover too much, leading them to make how they track their users more transparent. We may even see apps carrying a logo stating that they are GDPR compliant.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)