
Three quarters of Android apps track users with third party tools - dberhane
https://www.theguardian.com/technology/2017/nov/28/android-apps-third-party-tracker-google-privacy-security-yale-university
======
sixbrx
"Many of these trackers are also available in the Apple iOS app store, though
_technical and legal barriers limit privacy and security analysis_."

[https://law.yale.edu/yls-today/news/isp-privacy-lab-publishes-research-hidden-trackers](https://law.yale.edu/yls-today/news/isp-privacy-lab-publishes-research-hidden-trackers)

And from [https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html](https://boingboing.net/2017/11/25/la-la-la-cant-hear-you.html):

"As Exodus and Yale note, these trackers are almost certainly also present in
iOS: the companies that make them advertise their iOS compatibility, for one
thing. But iOS is DRM-locked and it’s a felony – punishable by a 5-year prison
sentence and a $500,000 fine for a first offense in the USA under DMCA 1201,
and similar provisions of Article 6 of the EUCD in France where Exodus is
located – to distribute tools that bypass this DRM, even for the essential
work of discovering whether billions of people are at risk due to covert
spying from the platform."

~~~
cageface
In four years of developing iOS apps I can't think of a single client that
_didn't_ want some kind of third party analytics service installed. This is
SOP for pretty much anybody trying to drive user growth on mobile and isn't
specific to one platform or the other.

~~~
JumpCrisscross
Would it be more pro-privacy than anti-developer if Apple sensibly integrated
such analytics into its platform?

~~~
cageface
Apple does now offer integrated analytics in iOS but it's pretty limited
compared to what the third party services offer so it's not really a viable
replacement for most people yet.

------
sjbase
This thread is a really interesting example of how easily humans can
simultaneously hold conflicting beliefs/opinions. I'm gathering that a lot of
developers and businesspeople here:

a) are very concerned about collection of their own data

b) derive material value from Crashlytics, Mixpanel and other "tracking tools"
for their work

It's tricky to reconcile those two ideas.

~~~
shostack
I'm a good example of this. I'm an ad guy and a marketer, and as such I'm much
more intimately familiar with how this stuff works, what it collects, and how
it is used than most. I'm also going to expand what I say beyond just the
world of apps, because it is really applicable to anything digital these days,
whether it is in an app or on the web, because I hate thinking of those things
in silos.

To be a successful marketer in this day and age, proper analytics is a non-
negotiable requirement. If I was interviewing somewhere and they told me that
I had to market and advertise for an app or website, but that I couldn't track
things, that would be the end of that discussion. I would be set up for
failure from day one. If anyone wants to make a case otherwise, I'd ask that
they share their credentials as someone sufficiently experienced and qualified
to make such a case, and how they would go about being successful without that
data when pretty much any significant digital (or non-digital to an extent)
strategy these days requires that data to measure success and optimize for it.

So there's that piece.

As an end-user, this is often a source of cognitive dissonance for me, and it
has grown over the years. 8+ years ago, I had very different feelings when
people talked to me about what was being tracked and how it was being used. It
was less audience-centric, cross-device/channel tracking was not really a
thing yet, and we didn't have anywhere near the aggressive tracking that FB
and Google have today (even though some of the first signs of that were
showing up publicly perhaps).

Today I'm pretty paranoid about the data out there, who has access to it, and
how that data can be used, both for anti-competitive business purposes, as
well as more nefarious uses, even if unintended (such as via a data breach). I
run noscript at home, and Firefox with uBlock Origin at home and on my phone.

I personally don't have an issue with people collecting usage data for
improving the product and their business, but there's a weird gray area for me
when they start using that data _against me_ for things like dynamic pricing,
dark patterns, selling email hashes to cookie onboarding services for
retargeting, etc. I also recognize that while I may not have much to hide, I
know I'm pretty lucky in that regard compared to others who may not want to be
identified by certain means, and I fully respect and appreciate their desires
to remain untracked in that way.

For example, I am pretty upset at how Reddit is moving towards increased
tracking and verification as they march towards heavier monetization. That's
an example of a community with many people who NEED to remain untracked for
safety purposes, and that data, were it to fall into the wrong hands, could
prove dangerous for them. Likewise, the simple act of forcing the collection
of it could turn them away from such a platform which could indirectly cause
them harm (suicidal users seeking help, abuse victims, whistle-blowers, etc.).

So where do I net out with all of this and how do I sleep at night? Well, for
my part I do what I can to be sensitive to protecting PII, not collecting data
that I'm likely to never need, and really weighing heavily the tradeoffs and
risks when I implement something like the Google or FB tracking tags anywhere,
and what I may pass into them. I also make an effort to set the record
straight and educate people on what I know of tracking, and how to best limit
collection if you are concerned, because I think it is something everyone
should be educated about so they can make those decisions in an informed
manner themselves.

I respect that some people hate my profession and think I'm evil, and I'm
never going to win those people over, nor do I really feel the need to. But
I'll say that to be competitive with marketing a product or service in this
day and age, you dramatically hurt your chances of success if you DON'T have
some decent tracking, and so the realities of the situation often dictate what
happens in many businesses. My guess is the people who have such black and
white views haven't ever been tasked with marketing a product in a true
professional capacity, and if they have I'd love to hear their stories and
what led them to their views.

~~~
blub
If you really cared about privacy you would have quit your job and would have
found a decent way of making a living. You’re just making excuses and you’re
trying to elicit sympathy.

It costs next to nothing to add a toggle in an app which disables analytics.
If the company’s too lame to have an on-boarding screen where they ask the
user for permission, they could even hide it in the settings.

And yet almost no companies do any of the above, because the only thing they
care about is money. Crushing these abusive marketing efforts with regulation
is the only workable solution, we've already seen what the industry's best
effort looks like with "Do Not Track".

~~~
Feniks
I've seen apps that asked me to submit a crash report. That seems like a
better solution than monitoring all the data all the time.

But I don't think it is REALLY about improving the app.

------
harryf
The surprising part to me is that it's only 3/4. I assume the rest are not
doing any real analytics.

Of course they are using 3rd party tools, because the software and
infrastructure required to do meaningful analytics on a large user base is way
beyond what any startup or independent developer can afford to invest. There
aren't even decent Open Source options - Google Analytics long ago sucked the
air out of Open Source in this space and choosing Open Source means running
your own infrastructure, which is non-trivial the moment you start having
Gigabytes+ of usage data.

~~~
marpstar
Exactly this. We're constantly told not to "roll our own X", making paid
offerings like Azure App Insights, which is more robust than any hand-rolled
solution we could ever develop, so appealing.

We're not trying to _sell_ the user, or their data. We just want to know which
features are being used and whether or not it's meeting our performance
criteria, thus doing the user a favor by meeting those criteria.

~~~
johnny_and1
The problem is not informing the user that you use SDKs from third party
providers, although using them for login services (Facebook, Google+, twitter)
or tracking (Crashlytics, Microsoft App Insights). The other problem is not
knowing exactly what these SDKs can collect. They basically have the same
permissions as the apps that include them. Crashlytics will collect and send
location data alongside bug reports if the crashed app has this permission.
(Source: Study on the most popular 200 apps in Germany done on real network
traffic. We don't know if the study will be available for the public.)

We are currently pushing for legislation changes in Europe. Users should be
informed about SDKs and data destination. Europe has 3 main data sinkholes,
Ireland (EU data centres for US companies), Netherlands (Akamai) and Germany
(probably selection bias). Nobody knows where the data ends up afterwards and
under which legislation it falls.

~~~
harryf
This is certainly a good move. The Facebook SDK for example is widely used by
many apps for Facebook ad performance tracking and analytics and that's
something the public should be aware of.

See [https://medium.com/ios-os-x-development/libraries-used-in-the-top-100-ios-apps-5b845ad927b7](https://medium.com/ios-os-x-development/libraries-used-in-the-top-100-ios-apps-5b845ad927b7) for example

------
kitsunesoba
I can’t say I’m thrilled with using Crashlytics in my own iOS apps, but I’m
not aware of any better options when it comes to crash tracking. A handful of
crashes come in through Apple’s opt in crash report sharing but when compared
to the data I’m getting from Crashlytics, it’s clear that a _lot_ of info is
missing. If I relied only on manually submitted bug reports and what Apple is
telling me, I never would’ve come to know about many of the bugs I’ve fixed.
Better testing could’ve caught some of them, but many just won’t surface in
any other place except out in the wild.

Is increased privacy worth decreased stability? I won’t claim to know the
answer to that question, but I suspect it’s more murky than some think,
especially when you have paid customers who expect a thoroughly solid product
for their money.

~~~
blub
It's not privacy vs stability, that's a favourite red herring around here.

The problem is your development process is not capable of producing stable
enough software. I don't know why that's the case, but you should work on that
first.

Deming: "Inspection does not improve the quality, nor guarantee quality.
Inspection is too late. The quality, good or bad, is already in the product.
As Harold F. Dodge said, “You can not inspect quality into a product”". This
goes even more for crash-reporting quality into a product.

~~~
kitsunesoba
I see what you’re getting at, but the reality is that there’s only so far
massaging and rethinking your process can take you. No matter what you do,
some number of bugs are going to find their way through. There’s going to be
unforeseen combinations of variables and edge cases you’d never predict. The
best one can ever do is reduce the frequency of occurrence to a minimum. Bugs
are an inevitability, and I’d rather not be at the mercy of my users when it
comes to finding out about them.

------
guelo
This is a bit alarmist. I develop a popular app that has no advertising but I
still ship mixpanel and crashlytics. I do that because I need to know how
people are using the app in order to make the app better. That's it. If the
app crashes and I don't know about it then I can't fix it and my users would
hate me. Without these tools the apps would be worse.

~~~
lightswitch05
I believe the point of the article is that the data belongs in 3rd party
hands. You might not be doing anything nefarious with the data, but that data
does not belong to you and it is outside of your control to protect your
users.

Given IP addresses, device identifiers, application identifiers, and
timestamps - these 3rd party applications now have some pretty valuable
signals that can be aggregated with other signals from other tracking methods
to create a detailed profile linking users across devices, browsers, and geo
locations.

~~~
jtmcmc
many of those third parties do not own the data - the data is owned by
whoever's account (will obviously vary).

~~~
lightswitch05
That is like saying Facebook does not own the content uploaded to it. These
analytic tools are the ones doing the collection, at the end of the day it is
their data that they allow you to use.

~~~
jtmcmc
no it's entirely unlike that. From the Amplitude MSA

[https://amplitude.com/msa/](https://amplitude.com/msa/)

All Customer Data is, or shall be, and shall remain the property of Customer.
Customer Data shall not be used by Amplitude or its agents other than in
connection with providing the Service or support under the terms of the
applicable Order Form and this Agreement. Customer hereby grants Amplitude a
non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free
license to use, collect, transfer and process, the Customer Data for the sole
purpose of Amplitude providing the Service and support to Customer under the
terms of the applicable Order Form and this Agreement. In addition, Customer
shall own all right, title and interest to the Results obtained by Customer
through Customer’s use of the Service. For purposes of this Agreement,
“Results” shall mean the data based on Customer Data resulting from Customer’s
use of the Service.

------
nucleartacos
I don't get it. If you're in IT in any role, you know this is happening. I
install zero apps on my iPhone. I don't need them. Banking and other secure
things are more properly done on a desktop or laptop running some form of *nix
with proper security in place.

I would never access my bank or other secure website with crucial information
via a mobile phone. Call me an anachronism should you wish, but I've never had
the tracking worries or data leak worries others do.

On my *nix desktops, I block all ads, all tracking cookies, no third-party
cookies, I whitelist my bank and Fastmail account for cookies, and I block
coin mining, HTML canvassing, HTTP/S referrer, CSS history lookups, and so
much more. In addition, I surf through a VPN. Why risk it?

~~~
__sha3d
I'm not sure why you are being downvoted here. I learned a lot from your post!
I set up my cookies to stop 3rd party and delete at the end of a session. I
also learned about /etc/hosts and blocked a ton of bad stuff at the system
level. You are awesome, thank you!

~~~
wfo
It will never be reasonable, feasible, or worth discussing that e.g. everyday
users run a linux only locked down desktop and never use their mobile phones.
Every time a privacy topic comes up, there is always someone to come in and
say "uninstall windows and OSX, delete all of your social media accounts and
block the entire Internet, quit your job that requires you to use these
devices and services, run your own mail server, if you REALLY care about
privacy you'll essentially stop using the Internet, cut yourself off from all
of society and make your devices unusable" -- which can offer advice for
people looking to do this but adds little to the discussion around tracking,
privacy, data security.

If you try to fight against advertisers and privacy-invading trackers and
malware alone you will always lose. They are huge companies. They bribe your
computer manufacturers to auto-install malware. They infect your operating
systems. They have CAs. They have millions to spend on thousands of brilliant
engineers who will work around anything you come up with to attack your
security and privacy. An answer must be feasible for almost everybody so that
we can all enact it collectively, technical or not, or it is no answer at all.

~~~
mirimir
Very true. I mean, I have an iPhone for work. And a dumb cellphone for
personal stuff. I do use social media with family and close friends, but
that's from notebook and desktop. I don't mix social and work on the same
devices, and I'd be out of work if I did.

However, I strive on such insecure channels to be very uninteresting. I
restrict everything that's potentially controversial to channels that are more
private and anonymous, using VPNs and Tor. I share about that stuff with
nobody who knows who I am in meatspace. And vice versa.

So it's not that I'm "cut[ting] [my]self off from all of society". But I am
revealing different aspects of myself to society through channels that would
take considerable effort to link. That is, I compartmentalize.

I realize that I've gone to extremes. But for me, it's mainly become a hobby.
Or rather, LARP. Still, anyone can start compartmentalizing. Just get a used
low-end gaming machine, install Linux and VirtualBox, and learn to use VMs.
Run a VPN client in the host, and learn enough iptables to lock it down. Run
Linux VMs with other VPN clients, to get nested VPN chains. Run Whonix VMs to
connect via Tor.

------
dmitriid
3/4 of apps? I'm surprised it's not higher. Probably similar thing for iOS:
everyone installs ads, translations, google analytics, data-mining and data-
analysing tools, or feeds logs to such tools.

------
j_s
What alternatives are out there for mobile developers?

Is there an open source Android and/or iOS equivalent allowing self-hosting
analytics like Piwik does for web (without a 3rd party)? Piwik does ship an
Android SDK; anyone have experience to compare to 3rd party options?

[https://github.com/piwik/piwik-sdk-android](https://github.com/piwik/piwik-sdk-android)

Hat tip to user johnny_and1 for mentioning ACRA for Android crash reporting
elsewhere in this thread. Are there any similar libraries for iOS?

[https://github.com/ACRA/acra](https://github.com/ACRA/acra)

------
deltaprotocol
To help mitigate this situation, users can and should start to use blockers
just like we do on browsers. The best and less invasive I've found so far is
Blokada[1].

It works as a fake VPN giving you the power to use blocklists to filter all your
connections.

Downside is that I believe it doesn't work if you already use a VPN.

So far it has helped me block 80.921 ads and trackers. As a bonus it saved me
242.79MB.

By default it whitelists Google Analytics, so if you don't want that you
should disable the whitelist or configure it.

[1] [http://blokada.org/index.html](http://blokada.org/index.html)

------
thisisit
I wonder if there is a comparable study for iOS apps? Or are there iOS
versions of "Tinder, Spotify, Uber and OKCupid" better than the Android
counterparts.

> Both of these trackers have been profiled by Privacy Lab and can be
> identified by _Exodus scans_.

I have tried looking up Exodus but can't find any info. Anyone know what this
tool is and how it works?

~~~
ickwabe
[https://exodus-privacy.eu.org/](https://exodus-privacy.eu.org/)

[https://github.com/exodus-privacy/exodus](https://github.com/exodus-privacy/exodus)

[https://github.com/YalePrivacyLab/tracker-profiles](https://github.com/YalePrivacyLab/tracker-profiles)

~~~
GrayShade
Does anyone know why Firefox uses DoubleClick?

[https://reports.exodus-privacy.eu.org/reports/177/](https://reports.exodus-privacy.eu.org/reports/177/)

~~~
ickwabe
My suspicion is that this is a false-positive. If you go to about:config and
search for doubleclick there is an entry called:
browser.urlbar.doubleClickSelectsAll

Use is self-explanatory in the name.

This twitter thread indicates same:

[https://twitter.com/rnewman/status/934861503630643204](https://twitter.com/rnewman/status/934861503630643204)

Also, LeanPlum is explained here:

[https://support.mozilla.org/en-US/kb/send-usage-data-firefox-mobile-devices](https://support.mozilla.org/en-US/kb/send-usage-data-firefox-mobile-devices)

Quote:

Firefox for Android, Firefox for iOS, Firefox Rocket and Firefox Focus collect
data about installations and retention using a third-party tracking framework
called Adjust and Leanplum. This helps Mozilla determine the origin of the
installation by answering the question, "Did this user on this device install
the application in response to a specific advertising campaign performed by
Mozilla?"
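
The false positive suspected above, as an added example that is not part of the original thread and is not Exodus's own code: it assumes a scanner that matches tracker names as case-insensitive substrings and contrasts it with matching anchored on the SDK's package prefix. The signature table and both identifier lists are constructed for illustration.

```python
import re

# Hypothetical signature table (constructed for this example, not taken from
# Exodus or the Yale tracker profiles): a loose keyword and a package prefix.
SIGNATURES = {
    "DoubleClick": ("doubleclick", "com.google.android.gms.ads.doubleclick"),
    "Adjust": ("adjust", "com.adjust.sdk"),
    "Leanplum": ("leanplum", "com.leanplum"),
}

# Constructed identifier lists standing in for strings pulled out of two apps.
BROWSER_LIKE = [
    "browser.urlbar.doubleClickSelectsAll",  # the preference named in the comment
    "org.mozilla.gecko.GeckoApp",
    "com.adjust.sdk.AdjustConfig",
    "com.leanplum.Leanplum",
]
AD_SUPPORTED = [
    "com.example.weather.MainActivity",
    "com.google.android.gms.ads.doubleclick.PublisherAdView",
    "android.view.WindowManager.LayoutParams.SOFT_INPUT_ADJUST_RESIZE",
]


def scan_substring(identifiers):
    """Loose scan: a tracker is reported if its keyword appears anywhere."""
    hits = {}
    for name, (keyword, _package) in SIGNATURES.items():
        matched = [i for i in identifiers if keyword in i.lower()]
        if matched:
            hits[name] = matched
    return hits


def scan_package_prefix(identifiers):
    """Strict scan: the identifier must start with the SDK package, then '.' or end."""
    hits = {}
    for name, (_keyword, package) in SIGNATURES.items():
        pattern = re.compile(re.escape(package) + r"(\.|$)")
        matched = [i for i in identifiers if pattern.match(i)]
        if matched:
            hits[name] = matched
    return hits


def false_positives(identifiers):
    """Identifiers the loose scan flags that the strict scan does not."""
    strict = scan_package_prefix(identifiers)
    extra = {}
    for name, matched in scan_substring(identifiers).items():
        only_loose = [i for i in matched if i not in strict.get(name, [])]
        if only_loose:
            extra[name] = only_loose
    return extra


if __name__ == "__main__":
    for label, sample in (("browser-like", BROWSER_LIKE), ("ad-supported", AD_SUPPORTED)):
        print(label, "strict:", sorted(scan_package_prefix(sample)))
        print(label, "loose-only:", false_positives(sample))
```
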

------
unethical_ban
I wish I could edit the hosts file of Android devices without root. Barring
that, I wish I could force a DNS server for both wi-fi and mobile data links,
which I believe also requires root.

Either one of these options would allow the use of DNS blackholing for
adware/malware domains. Without it, protecting yourself on mobile is that much
more difficult.

~~~
nucleartacos
I've long thought about setting up a service that people can connect to with
their mobiles or other devices (who don't want or can't root) that basically
sanitizes their connection: strips out ads, beacons, tracking cookies, etc.

Or, set up virtual desktops that people can connect to that also use VPNs that
could allow people to originate their traffic from a given region.

I'm primarily interested in creating a sanitized stream more than anything.
People have a right to surf without being tracked.

~~~
shabble
you'd need them to install a custom root cert if you wanted to MITM their
secure traffic, and still wouldn't be able to do much with any app or service
that pins or bundles its own certs without going through PKI system though?

I guess you could just block that traffic and let people deal with the
breakage, maybe. I wonder how common it actually is.

------
TeeWEE
This is completely normal, just like any (web,ios) app, apps are generating
analytics point to know how the app is doing, and where to improve. If an app
doesn't have a 3rd party analytics tool, you can be almost certain they are
using an inhouse tool.

These tools never really track individual users outside of the app context.

------
dep_b
Something like a trackblocker could be the next step for privacy concerned
companies. Or an opt-in variety.

~~~
_up
That is already a thing. There are lists you can subscribe your adblocker to.
They also cover Malware, Badware, Resource Abuse (Bitcoin Miners), Anti
Cookie, Anti Social, Anti Adblock and more.

~~~
dep_b
Sorry for not being clear. I mean a track blocker that blocks applications
from tracking you. Of course I've taken measures in my browsers already.

------
tonymet
Only 3/4? That only means the "researchers" didn't try hard enough on the
remaining 1/4.

100% of every app you use, mobile or web, has user behavior tracking.

~~~
TheCapn
Oh come on, even you have to believe your statement is hyperbolic. What about
the little crud apps people write for convenience? I wrote a weather app that
scrapes data that I look at but made it faster so I don't need to load the
entire website every time I want to review it. 0 tracking whatsoever. I've
come across several apps published by friends that do the same and couldn't
imagine it's hardly a strange thing to write an app and not want to see it as
some sort of monetization scheme.

------
SubiculumCode
Spotify windows app. I wonder what it gets to spy on.

------
leroman
The real price of "free"

~~~
lern_too_spel
Nonsensical statement. Paid applications do this too.

------
eagsalazar2
This is such a non-story.

~~~
ThrowawayR2
How so? Everybody screams bloody murder whenever the topic of telemetry is
brought up and this is telemetry on a massive scale.

~~~
tonymet
You're right, but I guess it seems to be a non-story to developers because the
first thing you do prior to launch is add telemetry for user behavior and app
performance.

~~~
eagsalazar2
Exactly. Every website and every mobile app, android and iOS, where the devs
and/or product management are competent at all, are tracking your behaviors.
That is how they know whether each and every feature is working well or not.
The articles on this recently are just making a stink over nothing.

Imagine trying to run any kind of business without being able to observe how
your customers are interacting with your product? I get that it is surprising
and creepy but people just need to get over it because it isn't going anywhere
and it is actually very valuable and good. If there is anything to be upset
about here it is that that tracked information is frequently sold to 3rd
parties without user consent which I'm all for legal restrictions on.

~~~
rhizome
_That is how they know whether each and every feature is working well or not._

How does this explain the "quality" of Snapchat and Tinder?

------
whoopdedo
"Third party tools." Ads. They're called ads. Don't beat around the bush.
Google won't fix the problem because their business is selling ads.

~~~
eli
Crashlytics isn't ads. It's crash reporting. Mixpanel isn't ads, it's
analytics.

~~~
sjbase
Quote in the article, directly from Crashlytics:

> "and get insight into your users, what they’re doing, and inject live social
> content to delight them."

It's also analytics, and ads.

~~~
eli
I guess that's a feature it offers, but like most people I've used it solely
for crash reporting.

------
paulcole
Am I the only person who doesn't mind being tracked? I don't use an ad-blocker
or VPN and allow all cookies.

I see it as a fair trade for reading articles, watching videos, playing games,
etc. without paying any money out of my own pocket.

EDIT: Why the down votes with no replies on this?

~~~
KozmoNau7
Why do you think it's a fair trade? Your personal information, privacy and
security is worth _so_ much more than a few measly videos or games.

~~~
paulcole
Personally, I disagree.

I don't have a lot of money but I like reading articles and playing games.

I don't place any significant value on my personal information, privacy, and
security, so why not trade it away? I'd much rather do that than have to start
paying for games, news, articles, etc.

~~~
KozmoNau7
Because you're selling it for way _way_ too cheap.

~~~
paulcole
Can you give examples of who's paying the most?

~~~
KozmoNau7
No, because they don't want you to have this information. You are not supposed
to be an informed partner, just a product being sold and traded, like a sack
of grain.

And this doesn't deeply disturb you?

~~~
paulcole
No, not at all. I get what I want (games/articles/videos) and I give up
something I don't value at all.

The idea of telling me, "you're undervaluing it!" and then saying there's no
way to get more value out of it seems ridiculous.

