
Smartphone Apps Are Filled With Trackers - tumblen
https://onezero.medium.com/the-app-privacy-crisis-apple-and-google-need-to-fix-now-4e3590f2fc52?sk=12d73f8b09e058d3ab8f5a4b02cf8619
======
vlozko
As an app developer, what worries me is if the third party tools we use do
unintended tracking. For example, we use Firebase for tracking crashes and
knowing which versions of our apps are being used. We’ve also recently started
using them for push notification handling for Android streamlining reasons. In
one of the apps I’ve worked on we need location permissions to do geofencing
but it’s all local, on device stuff. On the same app we’ve also recently added
support for adding/removing calendar events. Again, it’s a feature we added
that’s local-only and there’s no data transmission associated with that
feature. The only tracking we do is our own home-grown solution that we don’t
share externally.

With all that in mind, I’m curious how much of that data does Firebase, aka
Google, share with all the rest of its services. Does enabling location
tracking suddenly cause Firebase to report location data without our
knowledge? Does enabling calendar access suddenly cause Firebase to read the
calendar data on its own and report that, too? I’m not at all accusing
Firebase of doing anything without knowledge and maybe it may be a “good
citizen” with regards to how it manages and accesses (or doesn’t, even if it
can) private data but I’m confident that that’s not the case with every third
party tracker.

~~~
willstrafach
> Does enabling location tracking suddenly cause Firebase to report location
> data without our knowledge?

> Does enabling calendar access suddenly cause Firebase to read the calendar
> data on its own and report that, too?

These are good questions to be thinking about. As for Firebase specifically, I
have never seen it automatically collect additional data based on user-granted
permissions (at least in iOS apps).

However, there may be a few other SDKs with this sort of issue. It is
important for app developers to be careful of this.

For example, when working on similar location tracking research (see:
[https://guardianapp.com/research/ios-app-location-report-sep2018/](https://guardianapp.com/research/ios-app-location-report-sep2018/)), I
noticed that quite a few prominent apps use an SDK from “Braze”
([https://www.braze.com/](https://www.braze.com/)), and if location permission
was granted to the “host” app, the SDK automatically sends back the user’s GPS
coordinates when communicating with the Braze API. I remember at least one
such app developer had no idea Braze was doing that and rushed a fix out
soon after to make it stop sending the GPS information to Braze.

I hope we see more pressure on analytics companies to offer more open source
SDKs instead of compiled binaries and headers. This sort of issue would be
easier to spot and deal with, instead of being unsure what exactly the SDK was
doing.
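
An added example, not part of the comment above and not any vendor's code: one way an app developer can check a closed-source SDK for the behaviour described, by auditing request bodies captured from their own test device for coordinate pairs sent to hosts other than their own. The host names, JSON field names and the capture format are assumptions made for illustration; they do not reflect any real SDK's wire format.

```python
import json
import re

# Key names commonly used for coordinates (an assumption; extend as needed).
LAT_KEY = re.compile(r"^(lat|latitude)$", re.I)
LON_KEY = re.compile(r"^(lon|lng|long|longitude)$", re.I)


def _coordinate_pairs(node, path=""):
    """Yield (json_path, lat, lon) for every object holding a plausible pair."""
    if isinstance(node, dict):
        lat = lon = None
        for key, value in node.items():
            is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
            if is_number and LAT_KEY.match(key) and -90 <= value <= 90:
                lat = value
            elif is_number and LON_KEY.match(key) and -180 <= value <= 180:
                lon = value
        if lat is not None and lon is not None:
            yield (path or "$", lat, lon)
        for key, value in node.items():
            yield from _coordinate_pairs(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _coordinate_pairs(item, f"{path}[{i}]")


def audit_location_leaks(requests, first_party_hosts):
    """Return one finding per coordinate pair sent to a non-first-party host."""
    findings = []
    for req in requests:
        host = req["host"].lower()
        if host in first_party_hosts:
            continue  # our own backend is expected to see this data
        try:
            body = json.loads(req["body"])
        except (ValueError, TypeError):
            continue  # not JSON; this check does not cover other encodings
        for path, lat, lon in _coordinate_pairs(body):
            findings.append({"host": host, "path": path, "lat": lat, "lon": lon})
    return findings


# Constructed sample capture (decrypted request bodies from a test build).
CAPTURED = [
    {"host": "api.myapp.example",
     "body": '{"geofence": {"lat": 52.52, "lon": 13.405}}'},
    {"host": "sdk.analytics.example",
     "body": '{"events": [{"name": "session_start", "device": {"os": "iOS"},'
             ' "location": {"latitude": 52.52, "longitude": 13.405}}]}'},
    {"host": "crash.vendor.example",
     "body": '{"app_version": "3.1.4", "stack": "..."}'},
    {"host": "cdn.vendor.example", "body": "not json"},
]

if __name__ == "__main__":
    for finding in audit_location_leaks(CAPTURED, {"api.myapp.example"}):
        print(finding)
```

Running this against a capture taken before and after granting the location permission shows whether a third-party endpoint starts receiving coordinates only once the host app has the permission.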

~~~
ChuckMcM
A hundred times this. One big red flag is if you have a 'free' stack which
does something useful for you. It is important to ask if it does something
'useful' for the stack developer who gave it to you to use. Perhaps the most
canonical example of this was Facebook giving away "free" internet to
underserved groups in India. At what point will we have an organization giving away
'free phones' to people as a way of developing demographic data?

On the plus side I think more and more developers and users are becoming aware
of the dangers and the actual cost to their privacy and/or brand that these
'free' things expose and so it will perhaps get better.

------
novaRom
When someone asks me about what is the most important challenge of this
century, I reply: PRIVACY. The way it goes right now shows us a very clear sign
there will be no privacy anymore. Anything you say or watch is preserved and
can be used one day against you. My apologies to all future politicians. It is
serious. Porn habits? No problem. Drunk jokes? Will reflect. The way to solve
this conundrum is a change of social norms, but it's a long way.

~~~
ndnxhs
Privacy is very important but it's just a drop in the ocean compared to
environmental disaster. Google tracking you browse the internet seems
unimportant compared to extinction.

~~~
tspike
Advertising is fueling that extinction; why else would we consume so much, in
such a wasteful way?

~~~
schwurb
This is where these two issues beautifully tie together: Saving the
environment is important - consuming less is a way to do so - with less
paying consumers, ads become less valuable - less incentive to violate
privacy.

------
Pmop
One of these days, I took some time to analyze network traffic going out of my
phone. I wanted to know what was happening behind. I learned that some apps
that I wouldn't think of, such as banking, ISP and credit card, were tracking
me and sending information to advertising companies!

I got angry at some things. For instance, ISP app should provide me
information about data consumption and means to buy more. However, it decided
to do more things behind the scenes, in addition to doing the tasks it was
supposed to in an overly complicated manner—requests travelled back and forth
over multiple servers over multiple companies before it did anything.

After this exercise, I realized how great it would be if these companies had
to provide a clean and well documented API. Users could implement their own
apps, liberating themselves from having to trust their private data and
resources to companies that would care less if, if allowed.

~~~
TeMPOraL
> _After this exercise, I realized how great it would be if these companies
> had to provide a clean and well documented API. Users could implement their
> own apps, liberating themselves from having to trust their private data and
> resources to companies that would care less if, if allowed._

That's why we don't have those APIs. It's not in the interest of any company
to make itself more interoperable. This would allow users to develop ways at
getting directly what they want and paying the sticker price, without being
exposed to all kinds of garbage. Problem is, this very garbage is an
important, and sometimes primary way companies make money.

Put another way: most companies aren't your friends, they're here to abuse
you. Hold on tightly to the rare ones that are friendly.

------
tomrod
And I for one am tired of it!

How much would it cost me to have a phone with all trackers turned off? (Or,
perhaps, routed through a core application that requires whitelisting?)

~~~
ignoramous
Are you on Android? Use Firefox with NoScript or uMatrix (also as your default
webview) and set up AdGuard DNS [0] or a pi-hole. You could consider using a
VPN like Orbot (free Tor-as-a-proxy) [1], PerfectPrivacyVPN (supports multiple
exit IPs, multiple-hops, and server side firewall) or set one up using
Algo/Streisand [2].

If you do not want to root your device:

1\. Install NetGuard or No Root Firewall to view what's going on from network
perspective.

2\. Install ExodusPrivacy to generate a report on apps wrt sdks in use by
them.

\---

If you are okay to root the device:

1\. Install XposedMod, and then XPrivacyLua module, and work through the
options.

\---

If you're okay with flashing a ROM:

1\. Consider LineageOS + microG

2\. If you are using Pixel, consider ChromeheadOS (edit: CopperheadOS) [3].

\---

If you're okay with a new device:

1\. Consider purchasing puri.sm Librem 5.

\---

[0]
[https://news.ycombinator.com/item?id=18788410](https://news.ycombinator.com/item?id=18788410)

[1]
[https://guardianproject.info/apps/orbot/](https://guardianproject.info/apps/orbot/)

[2] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

[3] [https://copperhead.co/android/](https://copperhead.co/android/)

~~~
Skunkleton
For anyone considering the above, this is a failing battle. The only way to
stop this sort of tracking is if we have a cultural shift, start putting laws
in place, and actually enforce them.

For example, did you know that many shopping malls track you with license
plate readers? Did you know that your credit card transactions are up for
sale? Or that your cell phone provider will give up your location to a third
party with a flimsy consent?

~~~
ignoramous
You are absolutely right that we need laws and regulations to govern all the
tracking that's going on, much like how call-tapping is illegal.

Bruce Schneier has written a book on the topic, and you can view him speak on
it here:
[https://youtube.com/watch?v=GkJCI3_jbtg](https://youtube.com/watch?v=GkJCI3_jbtg)
Highly recommend it.

I'm no expert but I do not agree with the 'failing battle' part... still quite
a way to go in that regard, I think, specifically because the Math behind
crypto hasn't failed us yet (occasionally, the implementation has) and because
the government agencies themselves need tech that helps them stay underground
(Tor, for instance, continues to get funding from the US Government).

Is it getting difficult? Yes, absolutely. People still hold the 'nothing to
hide' stance and most are okay giving up privacy esp if it means their life
becomes a little more secure and things get more convenient (most would
support AI powered street surveillance that helps keep tabs on criminals, for
instance).

~~~
DavideNL
In the end unfortunately none of the ad/tracker blocking solutions are solid;
All an app developer has to do is use an IP address to fetch ads (avoiding dns
resolution and thus dns based blocking won't work.)

Or, fetching the ads from the same hostname as also used by the app itself to
provide whichever service the app provides, which means that hostname can't be
blocked even by a firewall because the app itself will stop working.

So i agree, the only proper solution is laws to stop the privacy abuse.
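
An added example, not part of the comment above: the first case described (an app contacting a hard-coded IP address so that DNS-based blocking never sees a lookup) is at least detectable by correlating a resolver's answer log with a connection log and flagging destinations the client never learned from DNS. The record layout, client addresses and host names are constructed for illustration and do not follow any particular tool's log format.

```python
from collections import defaultdict
from typing import NamedTuple


class DnsAnswer(NamedTuple):
    ts: float        # seconds
    client: str      # device that asked
    qname: str
    ips: tuple       # addresses returned to the client


class Conn(NamedTuple):
    ts: float
    client: str
    dst_ip: str
    dst_port: int


def attribute_connections(dns_log, conn_log, max_age=3600.0):
    """Pair each connection with the names the same client resolved to that
    IP during the max_age seconds before it. Empty list: no lookup explains it."""
    learned = defaultdict(list)
    for ans in dns_log:
        for ip in ans.ips:
            learned[(ans.client, ip)].append((ans.ts, ans.qname))
    out = []
    for conn in sorted(conn_log, key=lambda c: c.ts):
        names = sorted({q for ts, q in learned.get((conn.client, conn.dst_ip), ())
                        if 0 <= conn.ts - ts <= max_age})
        out.append((conn, names))
    return out


def find_dns_bypass(dns_log, conn_log, resolvers=frozenset(), max_age=3600.0):
    """Connections to addresses the client did not obtain from the resolver."""
    return [conn for conn, names in attribute_connections(dns_log, conn_log, max_age)
            if not names and conn.dst_ip not in resolvers]


# Constructed sample logs (documentation address ranges, .example names).
DNS_LOG = [
    DnsAnswer(100.0, "10.0.0.23", "api.bank.example", ("198.51.100.10",)),
    DnsAnswer(102.0, "10.0.0.23", "ads.tracker.example", ("0.0.0.0",)),  # sinkholed
]
CONN_LOG = [
    Conn(99.0, "10.0.0.23", "192.0.2.53", 53),       # the resolver itself
    Conn(101.0, "10.0.0.23", "198.51.100.10", 443),  # explained by the lookup at t=100
    Conn(110.0, "10.0.0.23", "203.0.113.77", 443),   # no lookup: hard-coded address
    Conn(111.0, "10.0.0.24", "198.51.100.10", 443),  # this client never resolved it
]

if __name__ == "__main__":
    for conn in find_dns_bypass(DNS_LOG, CONN_LOG, resolvers={"192.0.2.53"}):
        print("no DNS lookup for", conn)
```

The second case in the comment is not caught this way: the connection to `198.51.100.10` is attributed to the app's own API host whether it carries service traffic or ad requests, so nothing at the DNS or IP layer separates the two.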

~~~
crankylinuxuser
The laws won't work.

The internet isn't a "US" thing. It's not a "EU" thing. It's not even a
"China" thing (GFoC aside).

The internet's a worldwide thing. And that means, sure your puny law may say
you can't do X (ad tracking). Ok. I'll just make a shell company in shithole
country, pay some protection money, and run tracking or whatever. And that
data I generate will be sold to anyone who wants to buy. I'll make it so
_everybody_ has to buy to compete - even if against the law.

And it too is a failing battle in the US. Experian, Equifax, and Transunion...
If what happened regarding Equifax didn't bring the corporate death penalty
either by fines or dissolution of their corporate charter, nothing will.

~~~
your-nanny
Actually, in that case the centrality or Monopoly of the Apple store and the
Google play store makes regulation easier. Censure Apple or Google for the
apps sold in their marketplaces that violate the law and they will be taken
down.

~~~
crankylinuxuser
I'm not seeing that case for:

    
    
         1. spying apps
         2. the saudi arabian woman-tracking/permission app
         3. chinese social credit app
    

In the end, it makes them a pile of money, allows them to function in that
country and access to that market, and nobody with power cares.

~~~
your-nanny
I'm not sure I see the objection? Are you saying that the US government
doesn't have sufficient carrots and sticks to get app stores like the Apple
Store or Google Play to remove apps from US markets that violate US law?

------
Jemm
I have raised the issue of trackers in analytics SDKs on developer forums and
the result has invariably been negative towards me.

When speaking to friends and coworkers about these issues, the result is
mostly people calling me paranoid.

Developers mostly don't care as long as they get money.

Users mostly don't care as long as they get cheap apps.

As a developer who does not use third party SDKs that track users (other than
the OS) because I value my users' privacy and realize that many of my users
are in places where data is expensive and scarce, I sometimes feel like I am
engaging in a futile and unwanted effort.

------
nrjames
There’s a lot of scaremongering in here. I fully support giving users full
privacy controls. However, both Android and iOS allow you to toggle off
availability of your Advertising ID. That’s been in there for years. Turn it
off and apps can’t grab it (they get 000000000). Each vendor gets a
vendor-specific ID on iOS, shared between that vendor’s apps. Delete all vendor apps
and it resets.

I’m not saying this is an ideal situation by any means. However, it’s just two
small examples that are ignored by this article.

~~~
everdrive
There's much more to tracking than your phone's tracking/Advertising ID. A
modern smartphone app can identify you and commit pervasive tracking whether
or not this ID is set. Disallowing permissions partially solves this problem,
except that an app can get quite far just by setting its own UUIDs and sharing
them with other vendors.

Further, an Android phone with no 3rd party apps is already sending an
enormous amount of tracking data to Google, where it can be purchased by 3rd
parties. None of this requires an Advertising ID.

~~~
tokyodude
Can you point me to where I can buy this data Google is collecting? I'd like to
see what data is available.

~~~
everdrive
Here's a good resource:

[https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-Data-Collection-Paper.pdf](https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-Data-Collection-Paper.pdf)

If you read through here, you'll get a sense for the various different IDs and
tracking methods that Google is using. It's more than just the Advertising ID.

You'll also get a sense for the collection Google does about your environment.
(nearby wifi, GPS position, etc.) And more troublingly, the fact that these
services still collect data even when the user sets them to "off." A couple
excerpts:

\-----

"It’s hard for an Android mobile user to “opt out” of location tracking. For
example, on an Android device, even if a user turns off the Wi-Fi, the
device’s location is still tracked via its Wi-Fi signal. To prevent such
tracking, Wi-Fi scanning must be explicitly disabled in a separate user action,
as shown in Figure 4."

"Google can ascertain with a high degree of confidence whether a user is
still, walking, running, bicycling, or riding on a train or a car. It achieves
this by tracking an Android mobile user’s location coordinates at frequent
time intervals in combination with the data from onboard sensors (such as an
accelerometer) on mobile phones. Figure 5 shows an example of such data
communicated with the Google servers while the user was walking."

"Google records the time and GPS coordinates for every photo taken."

\-----

Anyhow, the fact is that much of this data is collected whether the user is
accessing the phone, or not.

It's a bit complicated, and disabling the Advertising ID may limit some
tracking in a few cases, but despite this extraordinarily prolific tracking is
still occurring. There's a lot more detail in the document and frankly, it
feels a lot like Facebook's privacy invasion in that:

\- It's possible to mitigate some of the tracking, although this is
intentionally made unintuitive to the user.

\- Conversely, the user will never be able to prevent a large portion of the
tracking, and will have no intuitive sense of what is being collected by
google at any different time, and;

\- The default values and the data tracked will change over time, and the user
will have to try to stay educated with every update about what has changed.

[edit]

Another decent resource:

[https://www.apnews.com/828aefab64d4411bac257a07c1af0ecb](https://www.apnews.com/828aefab64d4411bac257a07c1af0ecb)

"An AP investigation found that Google saves your location history even if
you’ve paused “Location History” on mobile devices. This map shows where
Princeton privacy researcher Gunes Acar travelled over several days, from data
saved to his Google account despite “Location History” being off."

~~~
tokyodude
my question is not "what data does Google collect". My question is "what data
can I buy from Google" as op said that data is for sale

~~~
everdrive
Sorry -- I missed the point of your question. I don't think individuals can
just buy the data the same way a bounty hunter can simply buy cell tower
tracker information on an individual basis.

I'm not very informed here, but I suspect those purchase arrangements are made
by very large companies, and that by the time small companies or individuals
are purchasing data it's been resold and transformed.

------
Jerry2
Is there a way to check what trackers/libraries/"kits" an iOS app uses? I
don't use many apps on my iPhone and most of them don't have background &
location rights so I'm not that worried but would still like to know what they
send back...

~~~
lucb1e
Exodus can detect a number of them:
[https://exodus-privacy.eu.org/en/](https://exodus-privacy.eu.org/en/)

By installing their app, you can see the trackers for each app that you have
installed. If you use Yalp store (an open source front-end for the Play
Store), there is also a button to view trackers for each app.

Edit: just saw that you're on iOS. This is probably not allowed by Apple, so I
guess there will be no alternative.

~~~
willstrafach
Working on this. It is very tricky to do for iOS in an App Store compliant
manner, but doable. Apple has already approved it.

~~~
tombrossman
> Working on this. It is very tricky to do for iOS in an App Store compliant
> manner, but doable. Apple has already approved it.

This is very welcome news, please do a "Show HN" or post a link to the
announcement when it's ready.

For now, before I install an iOS app I run the Exodus Privacy tool on the
Android version and must assume the same trackers are present on both
platforms. What is worse, Apple fail to label which apps contain ads in the
store so I can't even tell which ones are adware before installing (apps with
ads are clearly disclosed in Google Play).

------
mindslight
I'm moving towards simply having more devices, partitioning their uses. A
decent tablet is a mere $50 (eg flo) and a good phone is a mere $100 (eg
herolte).

It's easy enough to have eg two phones - a main one with FDroid only, and a
secondary off-most-of-the-time one with YALP store convenience apps. Tablets
you can diversify even harder because you don't have to carry them in your
pocket.

~~~
cptwunderlich
So what? They can still track you across devices. Especially if they use some
3rd party ad SDK, which might use the Google advertising ID, or some other
identifiers.

~~~
mindslight
Modern tracking is fundamentally a product of executing hostile code on your
own device. The idea is to _never_ put apps that have built in or will
otherwise facilitate surveillance on the more secure devices. This includes a
javascript browser, due to its unwieldy attack surface.

Separate devices draw a line in the sand, rather than just accepting amorphous
insecurity as inevitable. And then you can work on slowly moving your usage
patterns away from the surveillance-foregone devices.

------
Buetol
Since it's not yet mentioned, here's an alternative:

 _> The Librem 5 represents the opportunity for you to take back control and
protect your private information, your digital life through free and open
source software, open governance, and transparency_

 _> As a social purpose company, Purism believes building the Librem 5 is just
one step on the road to launching a digital rights movement, where we—the
people—stand up for our digital rights, where you place the control of your
data and your family’s data back where it belongs: in your own hands. Let’s
declare, “We will no longer allow unfettered access to our photos, videos,
email, text messages and application and usage data without our permission.”_

[https://puri.sm/products/librem-5/](https://puri.sm/products/librem-5/)

------
nyolfen
on ios, if you have a pihole set up, you can use dnscloak[1] to block
advertising and tracking servers. (alternatively you can use one of the
servers listed in the app by default if you care to trust someone else's dns
server.)

you can set it to 'connect on demand', ie always on mode, at the cost of a bit
of battery (not enough for me to be bothered). it acts as a vpn but only for
your dns queries. afaik this is the best single step privacy option on ios at
the moment.

[1] [https://itunes.apple.com/us/app/dnscloak-secure-dns-client/id1452162351?mt=8](https://itunes.apple.com/us/app/dnscloak-secure-dns-client/id1452162351?mt=8)

~~~
kmlx
pihole? you have got to be kidding. i’d trust basically anything else than a
dns box.

~~~
revvx
Why?

~~~
kmlx
All of your traffic, every single DNS query going thru a single unverified
codebase off of github? i mean i know regular folk are quite naive with tech.
but i hoped us tech people are less so.

------
saagarjha
> Most people use the Google Chrome browser anyway

Nope. Safari is by far the most popular browser on iOS.

------
dontbenebby
I know Algo vpn[1] can be configured to block ads with a DNS resolver, but
does anyone know if it also blocks trackers?

On desktop I use extensions to limit tracking, but it's harder on iOS.

[1] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
hendrikh
You are Right, but XML should also Not be used, and what to consider as
Configuration? Maven: Pom.xml as well? JSON is neat, like to use it. Write
your own parser to fix Tage issues you see. But in the end: what Format do you
propose for config files?

------
xfitm3
Smartphone baseband blobs are also something we know nothing (or very little)
about.

------
AngryData
And yet I'M the crazy one for still using a flip phone!

~~~
chillacy
Do you also not use a “rewards membership” card at grocery stores where you
get charged extra to not be tracked?

~~~
RandomBacon
Correct. I opt out of membership savings and credit card rewards by using cash
and not using membership cards or giving out phone numbers.

(not the grandparent, but that user is not alone)

------
h1rschnas3
That's one of the reasons I use AdGuard on my android phone. No problems with
ads and trackers anymore.

------
bobbydreamer
Maybe that's why politicians use Nokia 3300

------
jimjimjim
hey everybody. buy stuff. with money.

------
askafriend
Ok...let me try.

“Physical retail stores and loyalty programs have trackers you know nothing
about.”

Am I doing this right?

I feel like a deeper point needs to be made to justify these headlines. The
conversation needs to evolve and get more nuanced.

~~~
smudgymcscmudge
Walmart greeters have built-in facial recognition abilities. I didn’t believe
this until one started greeting me by name after a few interactions.

~~~
Doubl
That's one way to get rid of your introvert customers

~~~
lkramer
Holy crap yes! The number of coffee shops, etc I have stopped going to because
the person behind the counter suddenly acted as if we were old friends...

