Skip to main content

The secret way most apps spy on you even when you think they aren’t

The moment you install an app, it begins scavenging and pestering you for your data. It requests permissions to tap into your phone’s internals, asks you to register a handful of personal information — you know the drill.

However, no matter how frugal and vigilant you are at each step, there’s still one way most apps end up covertly mining your data.

Every app comes packaged with a range of what are technically called Software Development Kits (SDK). To understand these better, think of an app as a Lego house — with each block acting as a single key module.

Julian Chokkattu/Digital Trends

Developers program the blocks that are unique to their apps, such as its design and functions. But components like advertising and analytics are not usually built in-house. For that, they turn to third-parties that already offer these services. All developers need to do is plug them in their apps.

SDKs were designed, as you may assume, to accelerate development and eliminate redundant effort. But of late, these little entities have evolved as critical loopholes in our quest for privacy as companies have abused them to siphon up personal user data even when they are not supposed to.

SDKs have evolved as loopholes in our privacy as companies have abused them to siphon up personal user data even when they are not supposed to.

Detriment to privacy

An Oxford University study found that nearly a third of all the apps in Play Store were linked to at least 10 third-party SDKs and one in five were sharing user data with as many as 20 SDKs. That figure goes up exponentially on large-scale free apps. For instance, as per MightySignal, a mobile intelligence firm, Tinder is connected to a staggering 51 SDKs, Airbnb has 41, and ESPN has 40.

The majority of SDKs collect data you wouldn’t normally think is of any significance. They track what you tap inside an app, areas where you spend most of your time, which ads you interact with, and more. But this seemingly harmless practice can be critically detrimental to your privacy when you look at how all that data fits in the broader picture.

The Oxford study also revealed that 88% of the researched apps could beam data to companies that are ultimately owned by Alphabet (Google’s parent) and 43% to Facebook-owned services.

Companies like Facebook and Google already know a fair bit about you, and by tapping into hundreds of thousands of apps through SDKs, they are able to fine-tune your digital profile in their database and serve you targeted ads. For instance, if you are expecting and have installed a pregnancy-related app, Google or Facebook can potentially begin showing you ads for baby products based on this new information.

SDK Visualization Rufana Rahimova/Getty Images

Personal data mined

Developers tend to justify all these SDKs by claiming the data is kept anonymous and personal information like your phone number is never shared.

But in reality, large businesses have the ability to tie in even the tiniest bit of data to your digital profile. The app may not be telling an SDK your name or email address, but tech companies can figure it out on their own by cross-processing it with their existing knowledge.

Apps do not always share only anonymized data with SDKs. Kaspersky Lab researcher Roman Unuchek found 4 million Android apps were sending unencrypted user profile data — including names, incomes, phone numbers, email addresses, and, in one example, GPS coordinates — to the advertisers’ servers.

A few weeks ago, an Electronic Frontier Foundation (EFF) investigation discovered that four analytics and marketing companies were accumulating information such as names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from the Amazon Ring app.

Two of the SDKs EFF highlighted — Appsflyer and Facebook Graph — can be found in a multitude of apps, and experts say it’s likely that they are gathering a similar set of data from other apps as well.

In a statement, an Appsflyer spokesperson said the company is not a data broker and “does not build targeting profiles, does not sell data, and does not otherwise utilize any app user personal data for its own purposes.”

The app may not be telling an SDK your name or email address but tech companies can figure it out on their own by cross-processing it with their existing knowledge.

“Some analytics companies give the app developers fine control over what information is being delivered, but it seems like a good assumption that other apps will be giving a similar amount of sensitive data if they include these same libraries,” William Budington, author of the EFF investigation, told Digital Trends.

A bunch of SDKs that currently play an indispensable role in app development don’t often clearly state how they handle user data. In some cases, developers overlook and skip checking how an SDK works, putting user security at risk.

“Unfortunately, most developers might not know … how intrusive a given SDK can be when building their own software, while users are completely unaware of the fact that, when running a mobile app, there might be dozens of other organizations potentially collecting sensitive and personal data,” said Narseo Vallina-Rodriguez, a research scientist at the International Computer Science Institute’s Networking and Security division and a member of the team that developed Lumen, an app that monitors which SDKs your phone is transmitting data to.

Key information buried

Another bottleneck that has enabled SDKs to run amok is that their consent is generally buried deep down in an app’s Privacy Policy and a lot of times, developers fail to explicitly underline what users are giving up. Further, the app’s security settings don’t apply to third-party SDKs, leaving people little to no choice.

“As a matter of fact, there is evidence showing that what many apps report on their privacy policies offers an incomplete picture of their actual runtime and data collection behaviors,” added Narseo Vallina-Rodriguez.

Up until Android 10, SDKs could even share permissions between two unrelated apps. Therefore, say app A has the location permission and B doesn’t and both come equipped with the same SDK, there’s a decent chance B can feed off A’s location permission and collect your GPS data.

Unlike browsers, you also can’t simply block app trackers. Your only option is to go through an app’s settings and make sure to uncheck the Collect data for the analytics box if there is one.

Genevieve Poblano/Digital Trends

You can also start using web apps on your phone via your browser, which allows you to block trackers with the browser’s built-in tools. Most leading apps like Instagram and Tinder offer comparable web apps that largely behave as regular mobile apps. In the process, you’ll also save a ton of storage and RAM.

Your privacy is only as strong as the weakest link in the whole app chain, and on phones, that link is an SDK. And unfortunately, you cannot do anything about it other than switch to apps that promise more security for your data. Hopefully, in the future versions of Android and iOS, Google and Apple will introduce better protections against third-party trackers.

Editors' Recommendations

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…
Google is shutting down your Chromebook apps, but here’s why you shouldn’t worry
pixelbook go hands on features price photos video release date google hero

The focus of Chromebooks has always been the Chrome web browser. Apps were always an afterthought, and ever since Google introduced the Android Play Store to Chrome OS, users have had three different ways to experience apps on their Chromebooks.

First, there are Chrome Apps, which are specially packaged and run inside the Chrome web browser. These are the ones Google is shutting down, with a final shutdown date set for 2022.

Read more
No, Apple isn’t moving toward a Mac App Store-only future. At least, not yet
macos mojave hands on review app store

Nothing quite provokes the ire of conspiracy-minded folks than a juicy Apple news story.

Remember when Apple started slowing its iPhones as they aged so that they wouldn’t explode like a certain rival’s handsets? No, you probably remember it as “Apple is bricking older phones in a nefarious plot to force you to upgrade,” splashed in all-caps across every masthead. Or how about the time Apple decided to stop reporting individual unit sales of its products because it felt there were better ways to judge its success -- you know, like every other tech company does?

Read more
The XPS 16 is fighting an uphill battle against the MacBook Pro
Dell XPS 16 sitting on desktop with flowers.

It took a few years, but Dell finally updated the design of its two largest XPS laptops. The XPS 15 gave way to the XPS 14, while the XPS 17 was replaced by the XPS 16. The latter gained the ultramodern look of the XPS 13 Plus, complete with a glass palm rest, a hidden haptic touchpad, and a row of LED function keys.

It's a significant update but places the XPS 16 in direct competition with the Apple MacBook Pro 16. That's an excellent matchup with proven performance and battery life and an elegant design that's solid, if a lot more conservative.
Specs and configurations

Read more