The secret way most apps spy on you even when you think they aren’t

The moment you install an app, it begins scavenging for your data and pestering you to hand it over. It requests permissions to tap into your phone's internals, asks you to fill in a handful of personal details — you know the drill.

However, no matter how frugal and vigilant you are at each step, there’s still one way most apps end up covertly mining your data.

Every app comes packaged with a range of components technically called Software Development Kits (SDKs). To understand these better, think of an app as a Lego house — with each block acting as a single key module.

Developers program the blocks that are unique to their apps, such as their design and core functions. But components like advertising and analytics are not usually built in-house. For those, developers turn to third parties that already offer these services; all they need to do is plug them into their apps.

SDKs were designed, as you may assume, to accelerate development and eliminate redundant effort. But of late, these little components have become critical loopholes in our quest for privacy, as companies have abused them to siphon off personal user data even when they are not supposed to.

Detriment to privacy

An Oxford University study found that nearly a third of all the apps in the Play Store were linked to at least 10 third-party SDKs, and one in five were sharing user data with as many as 20 SDKs. That figure climbs sharply for large-scale free apps. For instance, as per MightySignal, a mobile intelligence firm, Tinder is connected to a staggering 51 SDKs, Airbnb has 41, and ESPN has 40.
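Counts like the ones above come from inventorying the third-party libraries compiled into an app. The script below is an added example, not code from the article or from the Oxford or MightySignal studies: it takes a list of class names as they might be read out of an APK's classes.dex and matches them against a table of package prefixes. The SDK names, package prefixes and class list are all constructed for the example; a real audit would use a maintained tracker-signature database.

```python
from collections import defaultdict

# Constructed table of SDK signatures: Java/Kotlin package prefix -> SDK name.
# These are illustrative assumptions, not real vendors or an authoritative list.
SDK_SIGNATURES = {
    "com.example.adnet.": "ExampleAdNet (advertising)",
    "com.example.metrics.": "ExampleMetrics (analytics)",
    "com.example.crashlog.": "ExampleCrashLog (crash reporting)",
    "com.example.social.graph.": "ExampleSocialGraph (social login)",
}

# Constructed sample of class names, as a dex listing tool would print them.
SAMPLE_CLASSES = [
    "com.acme.weather.MainActivity",
    "com.acme.weather.ui.ForecastView",
    "com.acme.weather.net.ApiClient",
    "com.example.adnet.AdLoader",
    "com.example.adnet.internal.BeaconSender",
    "com.example.metrics.Tracker",
    "com.example.metrics.session.SessionRecorder",
    "com.example.crashlog.Reporter",
    "io.unknownvendor.tracker.Pinger",
    "kotlin.collections.CollectionsKt",
    "androidx.appcompat.app.AppCompatActivity",
]

# Platform and language runtime packages that are not third-party trackers.
PLATFORM_PREFIXES = ("android.", "androidx.", "java.", "javax.", "kotlin.", "kotlinx.")


def identify_sdks(class_names, signatures=SDK_SIGNATURES):
    """Map each known SDK to the classes in the app that belong to it.

    Matching is by package prefix: an SDK's classes all live under a package
    it owns, so one prefix identifies the whole library. The check is defeated
    if the build also obfuscates the SDK's own package names.
    """
    found = defaultdict(list)
    for name in class_names:
        for prefix, sdk in signatures.items():
            if name.startswith(prefix):
                found[sdk].append(name)
                break
    return dict(found)


def sdk_count(class_names, signatures=SDK_SIGNATURES):
    """Number of distinct known third-party SDKs present in the app."""
    return len(identify_sdks(class_names, signatures))


def unknown_packages(class_names, app_package, signatures=SDK_SIGNATURES):
    """Package roots that are neither the app's own code, platform code, nor a
    known SDK, so an auditor can inspect them by hand (three-segment roots)."""
    roots = set()
    for name in class_names:
        if name.startswith(app_package + ".") or name.startswith(PLATFORM_PREFIXES):
            continue
        if any(name.startswith(prefix) for prefix in signatures):
            continue
        roots.add(".".join(name.split(".")[:3]))
    return sorted(roots)


if __name__ == "__main__":
    for sdk, classes in identify_sdks(SAMPLE_CLASSES).items():
        print(f"{sdk}: {len(classes)} classes")
    print("known third-party SDKs:", sdk_count(SAMPLE_CLASSES))
    print("unidentified packages:", unknown_packages(SAMPLE_CLASSES, "com.acme.weather"))
```

The unidentified-package list is the useful part in practice: a signature table only ever catches SDKs it already knows, so anything left over under a package the app does not own is exactly what needs a closer look.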

The majority of SDKs collect data you wouldn’t normally think is of any significance. They track what you tap inside an app, areas where you spend most of your time, which ads you interact with, and more. But this seemingly harmless practice can be critically detrimental to your privacy when you look at how all that data fits in the broader picture.

The Oxford study also revealed that 88% of the researched apps could beam data to companies that are ultimately owned by Alphabet (Google’s parent) and 43% to Facebook-owned services.

Companies like Facebook and Google already know a fair bit about you, and by tapping into hundreds of thousands of apps through SDKs, they are able to fine-tune your digital profile in their database and serve you targeted ads. For instance, if you are expecting and have installed a pregnancy-related app, Google or Facebook can potentially begin showing you ads for baby products based on this new information.

[Image: SDK visualization. Rufana Rahimova/Getty Images]

Personal data mined

Developers tend to justify all these SDKs by claiming the data is kept anonymous and personal information like your phone number is never shared.

But in reality, large businesses have the ability to tie even the tiniest bit of data to your digital profile. The app may not be telling an SDK your name or email address, but tech companies can figure it out on their own by cross-referencing it with what they already know.

Apps do not always share only anonymized data with SDKs. Kaspersky Lab researcher Roman Unuchek found 4 million Android apps were sending unencrypted user profile data — including names, incomes, phone numbers, email addresses, and, in one example, GPS coordinates — to the advertisers’ servers.
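Leaks of the kind the Kaspersky research describes are visible in an app's outbound traffic, which is what an on-device traffic monitor looks at. The script below is an added example, not code from the article or from Kaspersky: it scans a constructed set of recorded requests for plaintext personal data (email, phone number, GPS coordinates, an income field) and flags those that go to a third-party host, marking separately whether the request was sent over unencrypted HTTP. The hosts, values and the first-party host list are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample of outbound requests as a traffic monitor might record
# them: (method, URL, body). None of the hosts or values are real.
SAMPLE_REQUESTS = [
    ("POST", "http://collect.example-ads.test/v1/event",
     "uid=8f3a&email=jane.doe%40example.test&phone=%2B15555550123"
     "&lat=37.4220&lon=-122.0841"),
    ("GET", "https://api.acme-weather.test/forecast?city=Mountain+View", ""),
    ("POST", "https://metrics.example-analytics.test/batch",
     '{"session":"a1b2","screen":"Settings","income":"75000"}'),
]

# Hosts that belong to the app's own developer (constructed assumption).
FIRST_PARTY_HOSTS = {"api.acme-weather.test"}

# Deliberately simple patterns for personal data in plain text; the shape of
# the check matters here, not completeness as a PII classifier.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d\s()-]{8,}\d"),
    "gps": re.compile(
        r"(?:lat|latitude)=-?\d{1,3}\.\d+.*?(?:lon|lng|longitude)=-?\d{1,3}\.\d+"
    ),
    "income": re.compile(r"\bincome\b"),
}


def find_plaintext_pii(url, body):
    """Return the sorted kinds of personal data readable in the URL or body.

    Both are percent-decoded first, since form-encoded bodies hide '@' and '+'
    behind %40 and %2B but the data is still plaintext on the wire.
    """
    text = unquote_plus(url) + "\n" + unquote_plus(body)
    return sorted(kind for kind, pattern in PII_PATTERNS.items() if pattern.search(text))


def classify_request(method, url, body, first_party_hosts=FIRST_PARTY_HOSTS):
    """Describe where a request goes, whether it is encrypted, and what it leaks."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "method": method,
        "host": host,
        "third_party": host not in first_party_hosts,
        "unencrypted": parts.scheme == "http",
        "pii": find_plaintext_pii(url, body),
    }


def scan_requests(requests, first_party_hosts=FIRST_PARTY_HOSTS):
    """Keep only requests that carry personal data to a third-party host."""
    findings = []
    for method, url, body in requests:
        info = classify_request(method, url, body, first_party_hosts)
        if info["third_party"] and info["pii"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        transport = "plain HTTP" if finding["unencrypted"] else "TLS"
        print(f"{finding['host']} ({transport}): {', '.join(finding['pii'])}")
```

Note that the TLS flag only says whether anyone on the network path can read the data; the analytics vendor at the other end receives the income field in the clear either way, which is the point the article makes about "anonymized" data.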

A few weeks ago, an Electronic Frontier Foundation (EFF) investigation discovered that four analytics and marketing companies were accumulating information such as names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from the Amazon Ring app.

Two of the SDKs EFF highlighted — Appsflyer and Facebook Graph — can be found in a multitude of apps, and experts say it’s likely that they are gathering a similar set of data from other apps as well.

In a statement, an Appsflyer spokesperson said the company is not a data broker and “does not build targeting profiles, does not sell data, and does not otherwise utilize any app user personal data for its own purposes.”

“Some analytics companies give the app developers fine control over what information is being delivered, but it seems like a good assumption that other apps will be giving a similar amount of sensitive data if they include these same libraries,” William Budington, author of the EFF investigation, told Digital Trends.

Many SDKs that now play an indispensable role in app development do not clearly state how they handle user data. In some cases, developers never check how an SDK actually behaves, putting users' security at risk.

“Unfortunately, most developers might not know … how intrusive a given SDK can be when building their own software, while users are completely unaware of the fact that, when running a mobile app, there might be dozens of other organizations potentially collecting sensitive and personal data,” said Narseo Vallina-Rodriguez, a research scientist at the International Computer Science Institute’s Networking and Security division and a member of the team that developed Lumen, an app that monitors which SDKs your phone is transmitting data to.

Key information buried

Another factor that has let SDKs run amok is that consent to them is generally buried deep in an app's privacy policy, and developers often fail to spell out what users are giving up. Further, the app's security settings don't apply to third-party SDKs, leaving people little to no choice.

“As a matter of fact, there is evidence showing that what many apps report on their privacy policies offers an incomplete picture of their actual runtime and data collection behaviors,” added Narseo Vallina-Rodriguez.

Up until Android 10, SDKs could even share permissions between two unrelated apps. Say app A has the location permission and app B doesn't, but both ship with the same SDK: there was a decent chance the SDK inside B could feed off A's location permission and collect your GPS data.

Unlike in browsers, you also can't simply block app trackers. Your only option is to go through an app's settings and uncheck a "Collect data for analytics" box, if there is one.

You can also start using web apps on your phone via your browser, which allows you to block trackers with the browser’s built-in tools. Most leading apps like Instagram and Tinder offer comparable web apps that largely behave as regular mobile apps. In the process, you’ll also save a ton of storage and RAM.

Your privacy is only as strong as the weakest link in the whole app chain, and on phones, that link is the SDK. Unfortunately, you cannot do much about it other than switch to apps that promise more security for your data. Hopefully, in future versions of Android and iOS, Google and Apple will introduce better protections against third-party trackers.

Shubham Agarwal
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…