
How Facebook tracks you on Android [video] - gala8y
https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_android/
======
nly
We're spoiled in the desktop browser by being able to clear history, cookies,
local storage etc, or use a private browser session. There's also the
importance of the "same origin policy".

The Android platform API should simply never allow apps to obtain global
system identifiers (serial numbers, "advertising IDs", MACs, Wifi network
info, IMEIs etc) in the first place. Perhaps even going as far as not
providing a shared filesystem.

Mobile apps, despite platform API permission, and having some ability to
protect their own data, are a lot closer to desktop programs than web apps in
many regards.

~~~
blfr
While you make good points about mobile apps, don't be too spoiled by the
privacy offered by desktop browsers. Because of their configuration and various
APIs, they're almost as easy to fingerprint as mobile devices with advertising
IDs.

EFF has had a proof of concept online for quite a while
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

And HN users are probably even more vulnerable since we will have customized
our software making it stand out.

~~~
nly
I know you're not disagreeing with me, but the issue you raise only distracts
and lends ammo to the defenders of these prolific tracking mechanisms. It's
the Nirvana fallacy.

I'm sure there's a Google rep somewhere that will tell you that their
"advertising ID" is better than the status quo on the web because the user can
rotate it and, because it's reliable and easy for app devs to use, they are
discouraged from being more nefarious and sneaky in tracking users.

This is all a bloody distraction from the point: _it should not be an
acceptable norm for this tracking to happen and it should be as hard as
possible to pull off without informed user consent_.

The degree to which platforms are defensive against it is a different issue to
whether or not they actively encourage it by design... which shouldn't even be
open to debate.

~~~
Despegar
Anybody suggesting technical solutions to this problem is completely
misunderstanding the scale of it.

The only acceptable answer is a legal/regulatory solution.

~~~
danShumway
So honest question, how does a legal/regulatory solution protect users against
illegal bad actors, foreign actors, or malicious projects and frameworks that
are either Open Source or that aren't backed by a company?

I hear this argument brought up a lot, that the only thing that can fix this
is regulations. I've always come at this from the opposite direction --
regulatory solutions are nice, and I'm not _against_ them, but they're less
useful than technological solutions because my gut instinct is regulations
only cover a) law-abiding entities (and usually only corporations at that),
who are b) competent enough not to mess up compliance in the first place.

The perspective I lean on by default is that even if you have good regulations
in place, the problem isn't _really_ solved until there's a widespread
technical solution. So for example, it might be nice to have a law banning
MITM attacks, but HTTPS is the superior solution that we really want. When we
pass laws criminalizing stuff like hacking or tracking children, my
perspective is we're just trying to buy time and localize the damage to the
slightly less frequented parts of the Android app store while we fix the
crappy permissions models and sandboxing on our core platforms.

Is there a secondary aspect to the regulatory solutions that I'm missing?
Something that would go much, much farther and be much stricter than laws like
GDPR? I don't mean it as an argument, I'd just be curious to hear someone with
the regulation>infrastructure perspective elaborate more on what they're
thinking about when they say that, because it's a perspective I don't have
much experience with.

------
expertentipp
I seriously loathe the people hating on the web. On the web one can preview,
debug, and block stuff at each application and network layer. Use Lynx,
disable JS, install ad and tracking blockers, edit hosts file - you are the
king. Want to see the true evil? Native Android and iOS applications, there
doesn’t exist an alternative platform anymore. You think that app is free? Not
even web-style in-app advertisements give you a second thought?

~~~
robertAngst
Anyone else feeling like there is a resurgence in web?

Apps were the hot thing for a while, but now that major players have an app,
they have figured out it matters little.

I don't do my shopping on the Target App. I'm sure they are getting economic
indicators that web on mobile is just as effective.

~~~
muthdra
Yes, it's been happening for a while. Google and Mozilla have been pushing
(sometimes rushing) for more capable web browsers while Apple actively
protects the exclusivity of some functionalities of its app store, to the
detriment of Safari users, making them feel an even greater gap between
websites and native apps.

Originally, smartphones were to be the new way of browsing the web but it
turned out to be a new way for OS manufacturers to profit over third-party
software because developers had to handcraft a way of accessing their data
over the internet from the device given that web browsers were not up to the
task of delivering fast, snappy experiences. Developers had to create native
apps for the simplest services even if they didn't need the extra
functionality and APIs like notifications, background updates or movement
sensors.

Today, mostly because of the increase in mobile processing power, the
difference between a website and an app for trivial tasks (notekeeping,
calendar, ordering a product, whatevs) is inoffensive and overall
imperceptible, making websites a reliable way of providing functionality once
again.

Browser updates and new APIs will increase the amount of possible trivial
services you will be able to access from anything with a browser and up-to-date
processing power.

------
appleflaxen
Is there a blog post or outline that summarizes this talk? I care about
privacy, but don't have an hour to watch the whole video.

The conference does provide a useful link to a privacy-centric page which
catalogs some known facebook abuses:

[https://privacyinternational.org/types-abuse/facebook](https://privacyinternational.org/types-abuse/facebook)

but there is no outline of this talk which summarizes the methods that
facebook uses to spy on their users and the public.

~~~
IshKebab
TL;DR seems to be that lots of apps include the Facebook SDK and when you
initialise the SDK it always sends your device ID back to Facebook.

Most negative news about Facebook is nonsense but this does seem to be pretty
shady on Facebook's part.

~~~
rock_hard
Just speculating, but they might just need this information to combat bots
actually.

Think about it, they already know who you are because you are logged in with
your account.

They don’t need more info than that to run targeted ads.

~~~
mic47
> Just speculating, but they might just need this information to combat bots
> actually.

That would be actually quite useful for fighting bots, but I doubt that is the
reason.

My guess would be just gathering telemetry to how the API is used, and what
type of android devices are there (you know, like to know what you should
support and test on).

~~~
reaperducer
_My guess would be just gathering telemetry to how the API is used, and what
type of android devices are there (you know, like to know what you should
support and test on)._

In the video it is shown that the information sent to Facebook is far more
intrusive than that.

------
product50
This is not unique to Facebook and is true for almost all SDKs, which can
track the same events (which this talk mentions), that the app has. Google
tracks exactly the same events which FB does as well. Also, the same thing
happens on iOS too - not sure why the talk avoided it. Once the app has the
SDK for a third party (regardless of OS), tracking all events within the app
is fair game.

~~~
javajosh
What is your motivation posting this? Because it sounds like a great example
of "whataboutism". Just because an evil is done a lot, and in different
contexts doesn't make it not evil.

~~~
SmellyGeekBoy
Every other comment here boils down to "get an iPhone". If the claim that this
is also happening on iOS is true then it's highly relevant to the discussion.

~~~
robertAngst
Apple users have the need to defend Apple at every turn.

Android users enjoy bashing Google at every turn.

Just like I bash M$ despite loving windows 10 and Excel... (actually I've
gotten better about this)

~~~
zozbot123
Don't worry, I bash Windows 10 and Office too (yes, including Excel), and I'm
someone who actively dislikes them. OTOH, the best thing I could say about
Apple these days is that iOS is genuinely better built than its obvious
alternatives (Android and ChromeOS) and that they do a tolerable job of
supporting their mobile hardware, but that's kinda damning with faint praise.

------
pointillistic
I don't have a FB app on my phone, I have a FB account that has no posts. I
look at it occasionally to track my "likes". Last week I was at a conference in
downtown Boston. I have no connection to the conference, I was there to meet
my friend's daughter who lives overseas. While standing in line, people
watching, I couldn't help but notice an extravagant fellow, I later discovered
he was an out-of-town PhD student there for the conference. Imagine my shock
when my next web login to FB offered me this very man as a suggested friend!

~~~
ronyfadel
Is there a definitive answer on how these suggestions happen? (Other example:
talk about X with someone; start seeing internet ads for X afterwards). Is it
coincidence?

~~~
guntars
For every ad or suggestion that elicits that kind of response, how many are
completely unremarkable and immediately forgotten? It’s largely explained by
the survivorship bias.

------
blfr
Where are the torrent links?

Anyway, there are more paid tracking SDKs in the wild and probably more
invasive than Facebook's.

For example, in Poland there is a service called Cluify which supposedly
tracks millions of phones to then target ads at them. Although they're Google
ads. In fact, they're a "proud partner of Google."

On the website [https://cluify.com/](https://cluify.com/) they mention using
wifi but in sales pitches they boast inclusion in many popular apps. As their
client you can geofence an area and buy ads directed at devices which frequent
them.

I purged and fumigated most of these parasites from my phone. Going even as
far as replacing the OS because LG thought the Facebook app should be an
integral part of their distribution and not removable. Hopefully they at least
charged Facebook dearly for it.

~~~
zozbot123
You can use adb commands to "disable" system apps FWIW, all you need is the
"developer options" menu, to temporarily enable adb access from USB. This lets
you use all the features of a "locked", stock "ROM" (payment services, DRM
apps, better camera), and also works on "locked down" devices where you can't
unlock the bootloader and install a different OS. Of course, it's only
worthwhile if you trust the "ROM" vendor (LG in your case) and can isolate the
problem to some specific app(s).

~~~
jake_the_third
This type of control is still possible on android devices?!

I had given up on buying new devices because of how restrictive and abusive
phone manufacturers have become towards their customers. If adb can really do
what you say it can, maybe I can finally upgrade my phone after all these
years. Can you recommend an online article that goes over using `adb` like
this? (especially for disabling locked apps)

~~~
zozbot123
See e.g. [https://github.com/jaredsburrows/android-bloatware/blob/mast...](https://github.com/jaredsburrows/android-bloatware/blob/master/README.md) the "non-root" section. Some tutorials
suggest slightly different commands, viz. `pm hide` rather than `pm disable`,
and that in order to 'uninstall' apps without root the command `pm uninstall
-k --user 0 com.bloatware.app` should be used. Either way, _do_ backup your
data before doing any of this stuff (if stuff gets screwed up, you might need
to perform a factory reset from recovery mode in order to revert to a sensible
state), and _do not_ expect this to always work; it might not, depending on
the specific "rom" you're running.
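An added example for the non-root adb workflow above (not code from the linked README or from anyone in this thread): a small Python planner that checks each requested package against `pm list packages` before touching the device and writes the revert script first, which is the backup step the comment insists on. The `adb` binary on PATH, the `com.bloatware.app` placeholder and the sample package list are assumptions; `pm disable-user --user 0` is the form of the disable command that works without root.

```python
"""Plan a non-root debloat session over adb and write the matching revert script.

Added example for this thread; not code from the linked README or any comment.
Assumes `adb` is on PATH and the device is authorized. The planning functions
take the text of `pm list packages`, so they run without a device attached.
"""
import subprocess
from typing import Iterable

# Each mode: the pm/cmd invocation that removes the app for user 0 without root,
# and the invocation that brings it back (the backup the thread asks for).
MODES = {
    "disable":   (["pm", "disable-user", "--user", "0"], ["pm", "enable"]),
    "hide":      (["pm", "hide"],                         ["pm", "unhide"]),
    "uninstall": (["pm", "uninstall", "-k", "--user", "0"],
                  ["cmd", "package", "install-existing"]),
}

# Constructed `pm list packages` output so the planner can be tried offline.
SAMPLE_PM_LIST = ("package:com.bloatware.app\n"
                  "package:com.android.settings\n"
                  "package:com.vendor.preload\n")


def parse_pm_list(text: str) -> set[str]:
    """Turn `pm list packages` output ("package:com.foo.bar") into a set of names."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def plan(wanted: Iterable[str], installed: set[str], disabled: set[str], mode: str):
    """Return (commands, revert_commands, skipped) for the requested packages.

    A package that is not installed is skipped rather than handed to pm, so a
    typo does not abort the run half-way; one already disabled is skipped so the
    revert script only re-enables what this run actually changed.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    do, undo = MODES[mode]
    commands, revert, skipped = [], [], []
    for pkg in wanted:
        if pkg not in installed:
            skipped.append((pkg, "not installed"))
        elif pkg in disabled:
            skipped.append((pkg, "already disabled"))
        else:
            commands.append(do + [pkg])
            revert.append(undo + [pkg])
    return commands, revert, skipped


def adb_shell(*args: str) -> str:
    """Run one `adb shell` command and return its stdout."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


def run(wanted: Iterable[str], mode: str = "disable", dry_run: bool = True,
        revert_path: str = "revert-debloat.sh") -> list[list[str]]:
    """Query the device, write the revert script first, then apply unless dry_run."""
    installed = parse_pm_list(adb_shell("pm", "list", "packages"))
    disabled = parse_pm_list(adb_shell("pm", "list", "packages", "-d"))
    commands, revert, skipped = plan(wanted, installed, disabled, mode)
    for pkg, why in skipped:
        print(f"skip {pkg}: {why}")
    with open(revert_path, "w") as fh:
        fh.write("#!/bin/sh\n" + "".join("adb shell " + " ".join(c) + "\n" for c in revert))
    for cmd in commands:
        print("adb shell " + " ".join(cmd))
        if not dry_run:
            adb_shell(*cmd)
    return commands


if __name__ == "__main__":
    # Offline dry run against the constructed list; use run() with a device attached.
    print(plan(["com.bloatware.app", "com.typo.app"], parse_pm_list(SAMPLE_PM_LIST), set(), "disable"))
```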

------
msravi
I use Netguard
([https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)) and
block out access to Facebook's Graph API by every app on my phone. Works very
well.

~~~
dheerajvs
I did exactly the same thing using NetGuard. It opens your eyes to how much
tracking happens with almost every app.

I also block Wi-Fi and mobile data access wholesale for apps like virtual
keyboards and most pre-loaded crapware that can't be uninstalled.

------
codedokode
Android also had an issue where an app could deceive a user by requesting the
permission to manage WiFi (CHANGE_WIFI_STATE) which is considered non-dangerous
("normal") [1] and is granted automatically without any prompts [2]:

> If your app lists normal permissions in its manifest (that is, permissions
> that don't pose much risk to the user's privacy or the device's operation),
> the system automatically grants those permissions to your app.

But the app could use it to determine the user's location (by scanning for WiFi
access points identifiers) without any notification. So the user wouldn't
realise that the app now knows their location.

You can see it in the docs [3]:

> Android 8.0 and Android 8.1:

> A successful call to WifiManager.getScanResults() requires any one of the
> following permissions:

> CHANGE_WIFI_STATE

So this issue was fixed only on Android 9, and had been working for years. Any
application could secretly determine your location. That's the state of
privacy protection on Android. It is difficult to believe that Google
developers who are very smart people couldn't foresee it for years.

I googled a little and found a confirmation that this method was working: [4]

[1]
[https://developer.android.com/reference/android/Manifest.per...](https://developer.android.com/reference/android/Manifest.permission#CHANGE_WIFI_STATE)

[2]
[https://developer.android.com/guide/topics/permissions/overv...](https://developer.android.com/guide/topics/permissions/overview)

[3]
[https://developer.android.com/guide/topics/connectivity/wifi...](https://developer.android.com/guide/topics/connectivity/wifi-scan)

[4] [https://blog.trustlook.com/2015/06/02/how-apps-tracking-your...](https://blog.trustlook.com/2015/06/02/how-apps-tracking-your-location-without-asking-for-permission/)

~~~
scarface74
_That's the state of privacy protection on Android. It is difficult to
believe that Google developers who are very smart people couldn't foresee it
for years._

“It’s difficult to get a man to understand something when his salary depends
on him not understanding it”.

------
jradd
Wrangling 3rd party application access to platform providers' suite (ios,
android, browser extensions).

Cookies seem to be the majority of the aggregate identity/behavior data, which
you can use various rules in the protocol to limit tracking to some extent.

I've found that opting out of the large adverts on a regular basis gives a
little extra peace of mind.

uBlock/uMatrix Origin, ghostery, duck.com, dns encryption, vpn, ip6.

removing old wireless access points from history/cache and disabling nfc,
bluetooth advertisement.

removing duplicate/shared passwords from your various authentication providers
and using KeePass or a secure password scheme that is easy to remember.

Log out manually of various applications such as facebook, google, microsoft,
etc.

Contacts list. Clean 'em up.

Keep your phone and hands sanitary at all times :)

~~~
ziont
one thing that irks me is ppl blindly suggesting duckduckgo over google

DDG is _fucking horrible_

It doesn't work. I'm almost always going back to Google.

There should be a service that searches Google for you behind 7 proxies.

~~~
DrPhish
That is searx. Self hosted and fully randomizing. I use it, and it works very
well for general web searches

Image search is subtly broken in the packaged releases tho, so you'll either
have to hit up google image search or use the git version

~~~
ziont
nice find. that is exactly what I was looking for.

DDG at the end of the day are no more disposed to exposing their users at the
behest of the gov than FAANG

------
baxtr
What are the names of these companies? I would love to send them all a GDPR
request asking for my data.

~~~
icegreentea2
With regards to the findings, I think that'd be the wrong part of the
GDPR. The issue is that applications are immediately sending user data to FB
without authorization through the FB SDK - it's possible that many of the
application developers don't actually have any more information on you than
indicated in the application and/or agreements.

You'll need to ask about their data processors I think.

------
ginko
Time for some hefty GDPR fines.

~~~
javajosh
Word. And it looks to me like both Facebook and every app dev that includes
their SDK is liable.

------
aymenim
I have a more technical question. It was my understanding that Android apps no
longer trusted user added certificates by default starting Android 7
([https://android-developers.googleblog.com/2016/07/changes-to...](https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html)), but on the talk, they were able to MITM Android 8.1, are they
modifying the apps to trust their CA certs or is there something I am missing?

------
enimodas
To block this on android without root, install dns66 from f-droid (an
adblocker that emulates a VPN and works with hosts files) and add
[https://a.uchi.moe/jwmkqn.txt](https://a.uchi.moe/jwmkqn.txt) as a host file.
I think when first installing there still is a 'bug' where you have to edit
the url of included Peter Lowe's list from http to https before you can update
the lists.

------
pavanred
I am surprised that on opting out of ad tracking in Android, they found that
the opt-out flag was set to true, but the size of the tracking payload shot up
i.e. more attributes being tracked. Not sure what to make of it? Is it
possible it's a legal thing that once you opt-out of ads, it enables less risk
for the company and therefore more tracking, perhaps?

~~~
ephesee
That would need to be reproduced. I suppose the app itself could also have
been put in a different state / with different settings between the two
events.

------
Jonanin
The article focuses on FB, but identifies Google as a bigger tracker:

> “Previous research has shown how 42.55 percent of free apps on the Google
> Play store could share data with Facebook, making Facebook the second most
> prevalent third-party tracker after Google’s parent company Alphabet."

------
amelius
I wonder how these researchers would have been able to find this out if the
servers were not clearly identifiable as being Facebook's.

Also, what happens if Facebook starts to introduce strong(er) incentives for
app developers to share user data?

------
itg
Does this also affect iOS? I imagine if the app is transmitting data to
Facebook, then there's nothing stopping it on other platforms either.

~~~
GraemeL
The Kindle app on iOS gets blocked attempting to connect to Facebook every
time I open it.

~~~
turdnagel
Blocked by what?

~~~
GraemeL
AdGuard Pro with facebook.com and facebook.net added to its DNS blacklist.

When the app attempts to connect to graph.facebook.com it gets NXDOMAIN.
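An added example (not code from NetGuard, dns66 or AdGuard) that replays a constructed DNS query log through the two blocklist styles mentioned in this post and the NetGuard/dns66 posts above: a hosts file, which only matches whole hostnames, and a domain blacklist, which also covers subdomains. The app names, hostnames and list contents are all constructed.

```python
"""Hosts-file vs. domain-blacklist blocking of tracker DNS queries.

Added example for this thread, not code from NetGuard, dns66 or AdGuard. It
replays a constructed DNS query log through two blocklist styles the thread
mentions and shows where their verdicts differ.
"""

# Constructed hosts-file excerpt in the "0.0.0.0 <hostname>" format dns66 loads.
HOSTS_FILE = """\
# constructed sample, not a real blocklist
0.0.0.0 graph.facebook.com
0.0.0.0 connect.facebook.net  # trailing comment
127.0.0.1 tracker.example
"""

# Constructed domain blacklist, one base domain per entry (AdGuard-style).
DOMAIN_BLACKLIST = ["facebook.com", "facebook.net"]

# Constructed query log: (package that asked, name it asked for).
QUERY_LOG = [
    ("com.amazon.kindle", "graph.facebook.com"),
    ("com.example.game", "connect.facebook.net"),
    ("com.example.game", "api-read.facebook.com"),   # not listed in the hosts file
    ("com.example.news", "notfacebook.com"),         # shares a suffix, not a parent domain
    ("org.fdroid.fdroid", "f-droid.org"),
]

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing root dot too."""
    return name.lower().rstrip(".")


def parse_hosts(text: str) -> set[str]:
    """Collect hostnames mapped to a sinkhole address; ignore comments and blanks."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRESSES:
            blocked.update(normalise(n) for n in names)
    return blocked


def hosts_blocks(blocked: set[str], qname: str) -> bool:
    """Hosts files match whole names only: an entry for facebook.com does not
    cover graph.facebook.com, so every tracker hostname must be listed."""
    return normalise(qname) in blocked


def blacklist_blocks(domains: list[str], qname: str) -> bool:
    """A domain entry covers itself and its subdomains, matched on a label
    boundary so notfacebook.com is not caught by facebook.com."""
    q = normalise(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalise, domains))


def audit(log, hosts_text: str, domains: list[str]):
    """Return (app, qname, hosts_verdict, blacklist_verdict) per query. NXDOMAIN
    is what a sinkholing resolver answers; FORWARD means the query would reach
    the upstream resolver, i.e. the tracker would be contacted."""
    blocked = parse_hosts(hosts_text)

    def verdict(is_blocked: bool) -> str:
        return "NXDOMAIN" if is_blocked else "FORWARD"

    return [(app, q, verdict(hosts_blocks(blocked, q)), verdict(blacklist_blocks(domains, q)))
            for app, q in log]


if __name__ == "__main__":
    for row in audit(QUERY_LOG, HOSTS_FILE, DOMAIN_BLACKLIST):
        print("{:<20} {:<26} hosts={:<8} blacklist={}".format(*row))
```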

------
awinter-py
Is anyone grounded enough in the tech/law here to explain why the app vendor
doesn't funnel user data to FB from their backend? Connecting directly to FB
seems like an unnecessary giveaway.

Is it just about ease of implementation or are there legal implications?
People have quoted the wiretap act to me but the argument doesn't make sense.

~~~
ejcx
It has nothing to do with law. That's just the easiest way to send them data,
especially when some apps might not have back ends

------
beefield
I'd like to have an app that creates virtual android environments that I can
run my apps in. And the possibility to spoof the sensor data for the
environment with configurable profiles. Like "rich geek in Silicon Valley
traveling occasionally to Caribbean" or maybe "suburban middle-class housewife
in Florida".

~~~
HillaryBriss
perhaps you can get close to this goal by

1. installing the Android dev SDK (complete with emulator images) on to your
laptop

2. having a distinct emulator instance for each of your chosen profiles

------
j1elo
It's been years since I banned Facebook apps from my phone.

m.facebook.com for the casual check, and mbasic.facebook.com for an admittedly
crippled but functional access to read the seldom chat message.

I'm happy that Fb Messenger is the tool of choice for 0,0% of people around
here...

~~~
javajosh
If you watch the talk, that's not good enough. Any app you've installed that
includes the FB SDK is leaking your data back to FB. And, according to the
talk, that's a majority of popular apps.

~~~
zozbot123
F-Droid apps aren't going to include proprietary SDKs. Yet another reason to
use F-Droid (on Android/AOSP).

~~~
jklinger410
Tracking may be reduced, but being in F-Droid doesn't really mean anything.
Take this on a per-case basis. You would need to check the traffic of each app
that you use.

~~~
bubblethink
Being on official f-droid categorically means no proprietary sdks. The app
could still make calls to random servers, but that would be in the open since
the app needs to be open source.

~~~
vageli
Is that true? F-Droid usually lists apps that I "won't like" because they
include non-free software.

~~~
bubblethink
F-droid doesn't have non-free software. F-droid flags some apps with anti-
features for various reasons like non-free network services
([https://f-droid.org/wiki/page/Category:Apps_with_NonFreeNet_...](https://f-droid.org/wiki/page/Category:Apps_with_NonFreeNet_antifeature)),
which is quite useless honestly since it makes no difference even if a remote
service is free since you don't control that end. Perhaps historically f-droid
allowed non-free dependencies
([https://f-droid.org/wiki/page/AntiFeatures](https://f-droid.org/wiki/page/AntiFeatures)),
but I don't think that's a thing any more. I don't see any major apps in that
category.

~~~
vageli
Ah, admittedly it has been some time since I've tried to run a completely free
Android device so I may have been mistaken.

------
lota-putty
Using [https://zenz-solutions.de/personaldnsfilter/](https://zenz-solutions.de/personaldnsfilter/) without rooting doesn't help? Hard-coded IPs
can't be blocked presumably without rooting (iptables) ;-)

I get "0" Ads on my Android, also I'm a bit paranoid, I block every suspicious
domain, only allowing Mobile/WiFi access to trusted apps.

Sadly this behaviour is easy to fingerprint.

------
aportnoy
I decided to try to replicate this on my iPhone and looks like Acrobat Reader
and the Readdle PDF viewer both use Facebook SDK and send data automatically.

------
baxtr
Side note: I noticed that these days articles from Chaos Computer Club get
into the top quite often?

~~~
kekub
It is because of 35c3:
[https://events.ccc.de/congress/2018/wiki/index.php/Main_Page](https://events.ccc.de/congress/2018/wiki/index.php/Main_Page)

------
Tepix
What's a good, slim solution for a VPN I can setup on my host to filter these
tracking sites?

I already have OpenVPN set up, does it have filtering features that could help
block this unwanted traffic?

~~~
graystevens
I have heard people use pihole linked with a VPN to act as a way of minimising
tracking whilst on 3G/4G. It acts as a DNS server, so you could tweak your VPN
config to run all queries through your pihole instance.

------
eyeareque
Facebook + google android = data harvesting dream come true for these
companies.

------
vishnu_ks
YouTube link for folks who are having buffering issues
[https://www.youtube.com/watch?v=vYam1GqtoLY](https://www.youtube.com/watch?v=vYam1GqtoLY)

~~~
stevenicr
I get 'video removed by user' with that url.

~~~
vishnu_ks
They seem to have re-uploaded the video to their YouTube channel.

[https://www.youtube.com/watch?v=y0vlD7r-kTc](https://www.youtube.com/watch?v=y0vlD7r-kTc)

