Researchers from several groups have discovered hidden tracking software inside more than 300 Android apps available on the Google Play Store. Researchers with a French non-profit organization called Exodus Privacy initially discovered 44 trackers in over 300 Android apps. Researchers at the Yale Privacy Lab, an initiative created by the Information Society Project at the Yale Law School, hope to reproduce Exodus’ findings. Most of the hidden tracking software the researchers discovered is used for targeted advertising, behavioral analytics, and location tracking. While the researchers from these two organizations are focusing on apps for Google’s Android mobile operating system, they believe that the same hidden trackers are also being included in apps for Apple’s iOS mobile operating system.
On Black Friday, the Yale Privacy Lab released some of its findings on 25 of the hidden trackers that were initially discovered by Exodus Privacy. The apps which the Yale Privacy Lab confirmed to have hidden trackers include some of the most popular apps for Android, among them Uber, Tinder, Spotify, Twitter, and Snapchat. Tinder was not the only dating app in which the researchers found six or seven hidden trackers; the OkCupid dating app was also discovered to contain the same number. The researchers also reported that the Uber ride sharing app contained three hidden trackers, and the similar ride sharing app Lyft was also discovered to contain hidden trackers. Tune is a tracker which enables rideshare companies like Uber and Lyft to track the offline behavior of their users. Weather apps such as The Weather Channel app and the AccuWeather app also contained embedded hidden trackers.
Hundreds of popular apps which have been downloaded billions of times are sneaking hidden trackers onto mobile devices without users being made aware that the app is tracking them. Some of the apps may disclose their use of trackers in the fine print of privacy policies, user agreements, and terms of service, but not all do, and even the ones that do often fail to disclose to the end user how much information is collected and how that information is used and shared. “How many people actually know that these trackers are even there? Exodus had to create this software to even detect that they were in there,” Michael Kwet, a visiting fellow at the Yale Privacy Lab, said to The Intercept.
Some of the apps the researchers looked at used their own analytics or tracking software, and some of these apps also included third-party tracking software in addition to their own. Exodus Privacy developed its own privacy auditing platform to detect hidden trackers in Android apps and released it as free and open source software. The Exodus auditing platform scans APK files, searching for digital signatures or hashes associated with hidden trackers and analytics software, similar to how anti-virus software searches for a virus embedded in a file.
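As an added illustration of the signature-scanning approach described above (this is not Exodus Privacy's code), the following Python example reads every `classes*.dex` inside an APK and matches the class names it declares against a signature table. It assumes a signature is a class-name prefix; the tracker names and prefixes in `SIGNATURES` and the helper `build_sample_apk` are constructed for the example.

```python
import io, re, struct, zipfile

# Constructed signature table (tracker -> class-name prefix regex); hypothetical
# entries for illustration, not Exodus Privacy's real list.
SIGNATURES = {"ExampleAds": r"com\.example\.adsdk\.",
              "ExampleAnalytics": r"org\.example\.analytics\."}

def dex_class_names(dex):
    """Yield dotted class names from the type_ids table of one DEX file."""
    if dex[:4] != b"dex\n":
        return
    _, str_off, type_n, type_off = struct.unpack_from("<4I", dex, 0x38)
    for i in range(type_n):
        (str_idx,) = struct.unpack_from("<I", dex, type_off + 4 * i)
        (pos,) = struct.unpack_from("<I", dex, str_off + 4 * str_idx)
        while dex[pos] & 0x80:          # step over ULEB128 continuation bytes
            pos += 1
        pos += 1                        # and the final byte of the length prefix
        desc = dex[pos:dex.index(b"\0", pos)].decode("utf-8", "replace")
        if desc.startswith("L") and desc.endswith(";"):
            yield desc[1:-1].replace("/", ".")   # Lcom/foo/Bar; -> com.foo.Bar

def scan_apk(apk_bytes, signatures=SIGNATURES):
    """Return {tracker: sorted matching classes} across every classes*.dex."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                for cls in dex_class_names(apk.read(name)):
                    for tracker, pattern in signatures.items():
                        if re.match(pattern, cls):
                            hits.setdefault(tracker, set()).add(cls)
    return {t: sorted(c) for t, c in hits.items()}

def build_sample_apk(descriptors):
    """Constructed input: a minimal DEX (header, string_ids, type_ids, data) in a ZIP."""
    n = len(descriptors)
    str_off, type_off, data_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n
    ids = data = b""
    for d in descriptors:               # one-byte length, so descriptors < 128 chars
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\0"
    header = b"dex\n035\0".ljust(0x38, b"\0") + struct.pack("<4I", n, str_off, n, type_off)
    dex = header.ljust(0x70, b"\0") + ids + struct.pack(f"<{n}I", *range(n)) + data
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", dex)
    return out.getvalue()
```

Calling `scan_apk(open("app.apk", "rb").read())` runs the same check on a real APK file; the result is only as good as the signature table supplied.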
The hidden trackers that many apps are using are able to track offline movements through the use of machine learning. The trackers allow advertisers to identify users across different devices. Some trackers, such as FidZup, use ultrasonic sounds that people cannot hear to track users. Hidden trackers are even being inserted into apps which deal with users' health information and financial information. Researchers discovered hidden trackers in apps from PayPal, Wells Fargo, American Express, Discover, Aetna, WebMD, and the American Red Cross. We recently reported on how researchers from Princeton showed that trackers can be used to harm the privacy of cryptocurrency users. Users can fight back against trackers by blocking permissions from apps, using adblockers with lists that block trackers, and by using app stores such as F-Droid, which only hosts free and open source software that does not contain embedded tracking software.