
Sensor Tower owns ad blocker and VPN apps that collect user data - jmsflknr
https://www.buzzfeednews.com/article/craigsilverman/vpn-and-ad-blocking-apps-sensor-tower
======
rubyn00bie
This is literally, one among many reasons (ha!), why I use Firefox. Every
other browser vendor is a for-profit entity, and as such will limit good ad-
blocking measures as Safari and Chrome have done recently with their new
"security" policies.

This is also why I don't use a VPN I don't run (or certainly not one that
hasn't been audited with a good reputation), and I certainly would never
fucking dream of using a free VPN unless all the traffic over it is absolutely
worthless.

... How many of these things install root certs where even after you've
canceled your subscription you're still accepting their bullshit?

On the other hand, this could make for a hilarious experiment using
adversarial neural networks to troll the assholes mining data from the VPNs.

~~~
Angostura
> Every other browser vendor is a for-profit entity, and as such will limit
> good ad-blocking measures as Safari

I thought Safari introduced support for Content Blockers _specifically_ to
avoid ad blockers from phoning home and passing potentially sensitive
information to the ad blocker's writer.

Lots of people then got quite cross that their favourite blocker had been
blocked.

~~~
jackewiehose
That is exactly the bullshit they want you to believe. Restricting your
ability to install/modify software on your computer because bad software could
harm you. You have been bamboozled.

~~~
Razengan
... This entire discussion IS about bad software that DOES harm you, and you
rag on the measures to specifically protect against something like that? What
the heck?

~~~
jackewiehose
Yes, I'm not saying there is no harmful software, I'm saying these kinds of
"protections" are the wrong solution. The same people who install blindly any
add-ons will also install any exe-files if the promising website tells them to
because the browser's add-on system does not provide the required mechanics.

So the next step is to disallow exe-files. But of course you can let the exe-
file get signed for a "small" fee...

~~~
madeofpalk
> The same people who install blindly any add-ons

Like Facebook?

Should installing the Facebook app on your phone allow them to intercept any
network requests your web browser makes?

~~~
jackewiehose
Sure, if the app asks for that permission and you allow it.

------
etaioinshrdlu
Haha, I quietly called them out a few years ago:
[https://news.ycombinator.com/item?id=17823292](https://news.ycombinator.com/item?id=17823292)

Their CEO is one shady dude. Evasive. Knew his company was sitting on a shady
foundation and just kept it going.

Large companies buy Sensor Tower's data.

~~~
AznHisoka
SimilarWeb is another company with millions in funding that is sitting on a
shady foundation as well.

~~~
vgaldikas
Can you elaborate?

~~~
AznHisoka
They own a bunch of Chrome extensions that track all the websites you visit
and queries you enter into Google.

------
userbinator
This is basically a MITM proxy, which I'd say is really _essential_ for true
adblocking and content filtering, especially on the locked-down mobile
platforms and with the rise of HTTPS. The question is then who runs the proxy
and whether you trust them.

I've been doing the same with Proxomitron for years, although in that case I
run the proxy, I certainly trust myself, and --- I'm not sure about whether
these apps even have such a feature --- I can modify how/what it
filters/blocks at any time.

~~~
saagarjha
It should be entirely possible to run the MITM proxy completely on-device, in
which case you don't need to trust anything.

~~~
cortesoft
How do you block the app from phoning home with the data? You have to trust it
not to do that.

~~~
3xblah
I use two devices. The first runs a kernel+userland I can edit and acts as the
gateway/AP and DNS server for the second, which runs some commercially-
motivated, "locked-down" consumer OS.

~~~
sneak
What hardware are you using for the gateway/AP? What's the backhaul, a USB LTE
modem? Do you carry it in a handbag with a USB battery pack?

I've been thinking about doing this and scrapping all but one of my data
plans, and having a robust default-deny whitelist of allowed
IPs/netblocks/hostnames on the phone vlan/ssid, but haven't worked out all the
details yet.

How are you doing it?

~~~
3xblah
The gateway is a small form-factor computer with a rechargeable battery, e.g.,
a netbook or laptop. The AP is an SBC that the preferred kernel, e.g., NetBSD,
OpenBSD, Linux, etc., supports. The AP draws power from the gateway's battery
via USB.

Regarding LTE modems, I do not use a data plan on "locked-down" mobile devices
for personal use. Somehow I have been able to survive on WiFi alone.

~~~
sneak
So you carry around a laptop powered on all day when you are out? What about
battery life?

I’m looking at something like a Raspberry Pi Zero, using the built-in wifi to
serve as an AP, powered from a large-ish USB battery pack, something that
could run 18h+, with a USB LTE modem. Ideally I could get it small enough to
strap to an ankle or something so I don’t need to bring a bag.

------
saagarjha
> Armando Orozco, an Android analyst for Malwarebytes, said giving root
> privileges to an app exposes a user to significant risk.

Root certificate ≠ root privileges

~~~
kevingadd
It's true for both!

~~~
saagarjha
It is, but this isn't the first time mainstream news has confused certificates
with privileges. (Remember the Facebook VPN thing?)

------
chimen
Most of them are using your connection to sell access to residential proxies:
Oxylabs (NordVPN), Luminati (Hola), etc.

~~~
TedDoesntTalk
Good related article, in case anyone still thinks well of NordVPN:

[https://medium.com/@derek./how-is-nordvpn-unblocking-disney-...](https://medium.com/@derek./how-is-nordvpn-unblocking-disney-6c51045dbc30)

~~~
Dylan16807
That article isn't good at all. It jumps to conclusions that are not at all
justified.

~~~
lonelappde
How about this?

[https://medium.com/@xianghangmi/resident-evil-understanding-...](https://medium.com/@xianghangmi/resident-evil-understanding-residential-ip-proxy-as-a-dark-service-dea9010a0e29)

------
tlogan
Does this break "California Consumer Privacy Act" of 2020?

As far as I know, companies are now legally obligated to give California
residents the opportunity to see how their personal information is being
tracked, how it's being sold, and how to opt out.

------
cik
I've built more than one VPN network over the years - and I don't use the ones
I built. My philosophy has always been that I can't trust the network after I
no longer own it - and if the code isn't open.

The hard reality is that you have no way of knowing what's being logged if you
don't have full access to the servers. I've always pushed for leaving VPN
servers on operating systems running in read-only, on read-only disks, and
open to the world (i.e., customers who log in). It's one of the best forms of
real transparency that I can think of.

Funny, I never won that one.

~~~
eternalban
Why not start your own virtuous VPN company?

~~~
cik
It's not a business I'm interested in running.

------
matheusmoreira
Proprietary ad blockers cannot be trusted. It is better to use something like
AdAway and Firefox with uBlock Origin.

~~~
chimen
Even that setup fails:
[https://blog.dnsadblock.com/you-are-still-being-tracked-even...](https://blog.dnsadblock.com/you-are-still-being-tracked-even-with-ad-blockers-installed/)

~~~
mrob
Already fixed in uBlock Origin:
[https://github.com/gorhill/uBlock/releases/tag/1.25.0](https://github.com/gorhill/uBlock/releases/tag/1.25.0)

~~~
GoblinSlayer
Looks like sites use first party trackers too for some reason, see the pixel
at the end of another posted article:
[https://www.the-tls.co.uk/articles/the-opt-out-illusion/](https://www.the-tls.co.uk/articles/the-opt-out-illusion/)
(it's fully packed with trackers though).

------
mlthoughts2018
> “Apple and Google restrict root certificate privileges due to the security
> risk to users. Sensor Tower’s apps bypass the restrictions by prompting
> users to install a certificate through an external website after an app is
> downloaded.”

Seems like it will be an open-and-shut case, quickly banning the apps and
hopefully Sensor Tower entirely, especially given the other details of the
article explaining they’ve already banned apps from Sensor Tower for previous
violations.

~~~
AznHisoka
If they ban their apps, would the certificate still be installed on your phone
if you installed it previously?

------
adwi
What is current best-practice ad blocker for iOS Safari? AdGuard? Ad-Blocker
Pro? I’ve tried Firefox but besides their tracker blocking ads are still
prevalent.

------
justlexi93
I guess that's one way to get gacha games' player stats.

------
jsilence
Anyone in Europe suing based on GDPR regulations?

~~~
chopin
Unfortunately, GDPR doesn't give you the right to sue. Enforcement is only
possible via (hollowed out) data protection agencies.

------
risyachka
Sensor Tower is a mobile intelligence tool. Correct me if I am missing
something, but what is the big deal here? And when you use free apps, obviously
they sell your data (or with a high chance), they are not charities. But in
return, you get hassle-free ad-blocking or VPN. It looks like a fair deal to
me. Or you can find a good one that will be expensive, or do it yourself
(paying the same or more, just with your time).

And there is a huge difference between what they can do and what they actually
do. In coffee shops and other places, surveillance systems can be used to
steal your passwords and logins etc. But I strongly suspect each and everyone
has entered their personal details while being recorded by the surveillance
system many times. Or just in a public place where someone can see, etc.

~~~
Krasnol
How about the huge difference of knowing that you give away your data and not
knowing? There is nothing "fair" about it and just the fact that they are now
gone from the stores should...I don't know...maybe make you think about that a
bit?

PS: just because there are worse situations, doesn't make this a good one.

~~~
risyachka
I meant general practice done legally, e.g. stating this in their policy and
showing when you run the app for the first time that it will sell their
non-personal data in exchange for free service.

The concept is fair as some are willing to pay with money, some are ok to pay
with their data. Hiding the fact that you will sell data obviously deserves
the punishment.

~~~
Krasnol
And that's the big deal here.

