Some mobile apps track your location — and secretly report it to services that sell the data. You almost certainly use at least one such app without even knowing it. How do you find out which apps may be problematic — and what can you do about it?
Which mobile apps are tracking you?
When he saw a visualization of spring breakers from just one beach in Florida dispersing all over the US during the COVID-19 pandemic, Kaspersky GReAT’s director, Costin Raiu thought not about the coronavirus, but about apps that track their users’ locations. The report used research including location data from X-Mode. But where did X-Mode get the data?
Well, X-Mode distributes an SDK — a component developers can embed in their apps — and, depending on the number of regular app users, pays developers monthly to include it. In return, the SDK harvests location data, as well as some data from the smartphone sensors, such as the gyroscope, and sends it to X-Mode servers. Later, X-Mode sells the allegedly anonymized data to whoever wants to buy it.
X-Mode claims the SDK doesn’t have a huge impact on battery life, using only about 1%–3% of the charge, so users basically won’t even notice the SDK and won’t be annoyed by it. X-Mode also says that harvesting data this way is “most definitely legal” and that the SDK is fully GDPR compliant.
How many of those tracking apps are there?
Raiu asked himself: Was he being tracked that way? The easiest way to find out was to identify the addresses of the command-and-control servers the tracking SDKs used — and to monitor outbound network traffic from his device. If an app on his smartphone was communicating with at least one such server, that would mean that he was in fact being tracked. To complete the task, Raiu needed to learn the server addresses. His search became the basis for his talk at this year’s SAS@home conference.
After some reverse engineering, some guesswork, some decryption, and some poking around, he found them — and wrote a piece of code that helped him detect if an app was trying to access them. Basically, he found, if an app has a certain line of code, then it uses the tracking SDK.
Raiu found more than 240 distinct apps with the SDK embedded. In total, those apps have been installed more than 500 million times. If we go with a rather rough assumption that the average user installed such an app only once, that would mean about 1 in 16 people worldwide has such a tracking app installed on their device. That’s … a lot. Your chance of being one of them is, well, 1/16.
What’s more, X-Mode is just one of dozens of companies in this industry.
In addition to that, any app can contain more than just one SDK. For example, while Raiu was looking at an app that included the X-Mode SDK in question, he discovered five other components from other companies that were also collecting location data. Obviously, the developer was trying to squeeze as much money as possible out of the app — and it wasn’t even a free app. Paying for an application doesn’t mean, unfortunately, that its creators are not trying to get more money outContinue reading