Skip to main content

The secret way most apps spy on you even when you think they aren’t

The moment you install an app, it begins scavenging and pestering you for your data. It requests permissions to tap into your phone’s internals, asks you to register a handful of personal information — you know the drill.

However, no matter how frugal and vigilant you are at each step, there’s still one way most apps end up covertly mining your data.

Every app comes packaged with a range of what are technically called Software Development Kits (SDK). To understand these better, think of an app as a Lego house — with each block acting as a single key module.

Julian Chokkattu/Digital Trends

Developers program the blocks that are unique to their apps, such as its design and functions. But components like advertising and analytics are not usually built in-house. For that, they turn to third-parties that already offer these services. All developers need to do is plug them in their apps.

SDKs were designed, as you may assume, to accelerate development and eliminate redundant effort. But of late, these little entities have evolved as critical loopholes in our quest for privacy as companies have abused them to siphon up personal user data even when they are not supposed to.

SDKs have evolved as loopholes in our privacy as companies have abused them to siphon up personal user data even when they are not supposed to.

Detriment to privacy

An Oxford University study found that nearly a third of all the apps in Play Store were linked to at least 10 third-party SDKs and one in five were sharing user data with as many as 20 SDKs. That figure goes up exponentially on large-scale free apps. For instance, as per MightySignal, a mobile intelligence firm, Tinder is connected to a staggering 51 SDKs, Airbnb has 41, and ESPN has 40.

The majority of SDKs collect data you wouldn’t normally think is of any significance. They track what you tap inside an app, areas where you spend most of your time, which ads you interact with, and more. But this seemingly harmless practice can be critically detrimental to your privacy when you look at how all that data fits in the broader picture.

The Oxford study also revealed that 88% of the researched apps could beam data to companies that are ultimately owned by Alphabet (Google’s parent) and 43% to Facebook-owned services.

Companies like Facebook and Google already know a fair bit about you, and by tapping into hundreds of thousands of apps through SDKs, they are able to fine-tune your digital profile in their database and serve you targeted ads. For instance, if you are expecting and have installed a pregnancy-related app, Google or Facebook can potentially begin showing you ads for baby products based on this new information.

SDK Visualization Rufana Rahimova/Getty Images

Personal data mined

Developers tend to justify all these SDKs by claiming the data is kept anonymous and personal information like your phone number is never shared.

But in reality, large businesses have the ability to tie in even the tiniest bit of data to your digital profile. The app may not be telling an SDK your name or email address, but tech companies can figure it out on their own by cross-processing it with their existing knowledge.

Apps do not always share only anonymized data with SDKs. Kaspersky Lab researcher Roman Unuchek found 4 million Android apps were sending unencrypted user profile data — including names, incomes, phone numbers, email addresses, and, in one example, GPS coordinates — to the advertisers’ servers.

A few weeks ago, an Electronic Frontier Foundation (EFF) investigation discovered that four analytics and marketing companies were accumulating information such as names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from the Amazon Ring app.

Two of the SDKs EFF highlighted — Appsflyer and Facebook Graph — can be found in a multitude of apps, and experts say it’s likely that they are gathering a similar set of data from other apps as well.

In a statement, an Appsflyer spokesperson said the company is not a data broker and “does not build targeting profiles, does not sell data, and does not otherwise utilize any app user personal data for its own purposes.”

The app may not be telling an SDK your name or email address but tech companies can figure it out on their own by cross-processing it with their existing knowledge.

“Some analytics companies give the app developers fine control over what information is being delivered, but it seems like a good assumption that other apps will be giving a similar amount of sensitive data if they include these same libraries,” William Budington, author of the EFF investigation, told Digital Trends.

A bunch of SDKs that currently play an indispensable role in app development don’t often clearly state how they handle user data. In some cases, developers overlook and skip checking how an SDK works, putting user security at risk.

“Unfortunately, most developers might not know … how intrusive a given SDK can be when building their own software, while users are completely unaware of the fact that, when running a mobile app, there might be dozens of other organizations potentially collecting sensitive and personal data,” said Narseo Vallina-Rodriguez, a research scientist at the International Computer Science Institute’s Networking and Security division and a member of the team that developed Lumen, an app that monitors which SDKs your phone is transmitting data to.

Key information buried

Another bottleneck that has enabled SDKs to run amok is that their consent is generally buried deep down in an app’s Privacy Policy and a lot of times, developers fail to explicitly underline what users are giving up. Further, the app’s security settings don’t apply to third-party SDKs, leaving people little to no choice.

“As a matter of fact, there is evidence showing that what many apps report on their privacy policies offers an incomplete picture of their actual runtime and data collection behaviors,” added Narseo Vallina-Rodriguez.

Up until Android 10, SDKs could even share permissions between two unrelated apps. Therefore, say app A has the location permission and B doesn’t and both come equipped with the same SDK, there’s a decent chance B can feed off A’s location permission and collect your GPS data.

Unlike browsers, you also can’t simply block app trackers. Your only option is to go through an app’s settings and make sure to uncheck the Collect data for the analytics box if there is one.

Genevieve Poblano/Digital Trends

You can also start using web apps on your phone via your browser, which allows you to block trackers with the browser’s built-in tools. Most leading apps like Instagram and Tinder offer comparable web apps that largely behave as regular mobile apps. In the process, you’ll also save a ton of storage and RAM.

Your privacy is only as strong as the weakest link in the whole app chain, and on phones, that link is an SDK. And unfortunately, you cannot do anything about it other than switch to apps that promise more security for your data. Hopefully, in the future versions of Android and iOS, Google and Apple will introduce better protections against third-party trackers.

Editors' Recommendations