Android Trackers

#BlackFriday Announcement from Privacy Lab

Visiting Fellows Sean O'Brien and Michael Kwet, November 24, 2017

Privacy Lab has published details from its research[1] into 25 trackers hidden inside popular Google Play apps such as Uber, Tinder, Skype, Twitter, Spotify, and Snapchat. Publication of this information is in the public interest, as it reveals clandestine surveillance software that is unknown to Android users at the time of app installation. These trackers vary in their features and purpose, but are primarily utilized for targeted advertising, behavioral analytics, and location tracking.

The 25 trackers are a sample of the 44 identified-to-date by security researchers at Exodus Privacy, a non-profit organization based in France. Their Web-based privacy auditing platform, also named Exodus, analyzes apps available via Google Play. Exodus scans apps for the signatures of known trackers and identifies Android operating system permissions. To coincide with Privacy Lab's publication, the Exodus organization has made its app auditing platform available to the public at https://exodus-privacy.eu.org and is releasing the code as Free and Open-Source Software.[2]

At Privacy Lab, we've studied the data from Exodus output, providing insight into the origin of advertising trackers, the companies behind them, and their surveillance practices. Network activity originating from these Android apps crosses multiple countries and legal jurisdictions. Lack of transparency about the collection, transmission, and processing of data via these trackers raises serious privacy concerns and may have grave security implications for mobile software downloaded and in active use by billions of people worldwide.

More than 75% of the 300+ apps analyzed by Exodus contain the signatures of trackers, though this data does not tell the whole story. There is an entire industry based upon these trackers, and apps identified as "clean" today may contain trackers that have not yet been identified. Tracker code may also be added by developers to new versions of apps in the future. The Exodus platform identifies trackers via signatures, like an anti-virus or spyware scanner, and thus can only detect trackers previously identified by researchers at the time of the scan.

For this reason, new trackers will be added as the software is developed, and apps should continue to be scanned over time. Privacy Lab urges the information security community to help expedite this process. Thanks to the hard work of the Exodus team, a simple Web-based interface can peer into this worldwide market of approximately 3.3 million apps and reveal to the public the "open secret" of clandestine trackers.

Trackers and the Android apps wrapped around them are partial "black boxes", as is Google Play itself. Other software markets such as the Apple iOS store also have this deficiency, making app analysis and auditing difficult. Many of the same companies distributing Google Play apps also distribute apps via Apple, and tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms.

We believe strongly in independent verification and have utilized a variety of tools, such as mitmproxy, to reproduce traces of trackers identified by Exodus. We have compiled profiles on tracker companies and have developed and launched a Google Play app called FaceGrok that includes advertising trackers.[3]

FaceGrok recognizes faces in view of the camera, a simple demonstration of the type of data which may be collected and transmitted via trackers. Though FaceGrok does not transmit any facial recognition data, it could do so with simple modifications. The process of Android app development and submission to the Google Play store has revealed the ease of adding tracker code and the ubiquity of trackers, as well as a glimpse into Google Play policies and app review.

Insights into the advertising tracker business are often gleaned directly from tracker companies. FidZup, for example, has developed "communication between a sonic emitter and a mobile phone... by diffusing a tone, inaudible to the human ear, inside a building [FidZup] can detect the presence of mobile phones and therefore their owners".[4][5] Users installing "Bottin Gourmand", a guide to restaurants and hotels in France, would thus have their physical location tracked via retail outlet speakers as they move around Paris. Their experience would be shared by readers of car magazine app "Auto Journal" and TV guide app "TeleStar".

FidZup's practices closely resemble those of Teemo (formerly known as Databerries), the tracker company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens,[6] and SafeGraph, who "collected 17 trillion location markers for 10 million smartphones during [Thanksgiving] last year".[7] Both of these trackers have been profiled by Privacy Lab and can be identified by Exodus scans.

Perhaps more disconcerting is the potential impact of advertising trackers on the finances and healthcare of users. One app analyzed by Exodus, Mon AXA ("My AXA"), is developed by a multinational insurance and financial firm, and was found to contain six trackers. Exactly what information is shared is unknown, though the data stored by the app is extremely sensitive: "All Services of AXA France in Your Pocket".[8] Other AXA apps have been found to contain trackers, including "HealthLook", "AXA Banque", and "My Doctor". They are joined by apps from Aetna, the American Red Cross, WebMD, American Express, Discover, HSBC, Wells Fargo, and PayPal.

Privacy Lab is calling upon the developers of such apps as well as Google, the distributor of these apps and steward of Google Play, for increased transparency into privacy and security practice as it relates to these trackers. Android users, and users of all app stores, deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code. Scholars, privacy advocates, and security researchers should be alarmed by the data, and can provide further analysis now that these findings and the Exodus platform have been made public. Privacy Lab will continue its research, preparing more in-depth reports and analysis. The Exodus Privacy non-profit organization will continue to develop and grow its privacy auditing software. To find out how you can support these efforts, please contact us via our directory.

[1] https://github.com/YalePrivacyLab/tracker-profiles

[2] https://github.com/Exodus-Privacy/exodus

[3] https://github.com/seandiggity/FaceGrok

[4] https://web.archive.org/web/20171015025307/http://v2.fidzup.com/en/notre-solution/

[5] https://web.archive.org/web/20171123081837/https://www.fidzup.com/en/live

[6] https://lexpansion.lexpress.fr/high-tech/teemo-la-start-up-qui-traque-10-millions-de-francais-en-continu_1937638.html

[7] https://theoutline.com/post/2490/why-is-this-company-tracking-where-you-are-on-thanksgiving

[8] https://web.archive.org/web/20171124110514/https://group.axa.com/en/newsroom/news/mon-axa-app-en