While, what one might initially assume, the tracking may not be evil but for advertising, behavior analytics, location tracking, etc.
Exodus Privacy checked more than 300 Google Play apps for the signatures of the 25 trackers currently known to them; 75% of the apps had one or more.
The list of Android apps includes popular names like Uber, Tinder, Spotify, and OKCupid which have a Google-made tracker called Crashlytics. It helps the developers gather details about app crashes, but the tracker can also know about user activity among other features.
Another tracker found is called Fidzup, which is capable of tracking phones and their users through the use of sound inaudible to humans. However, the French company behind the tracker claims that the technology is not used anymore. The tracker profiles created during the study have been uploaded to GitHub (find it here).
“There is an entire industry based on these trackers, and apps identified as “clean” today may contain trackers that have not yet been identified.” Privacy Lab said in a press release that developer may add app trackers in future versions of their apps.
Everyday users are unknown to most of the trackers used by the apps. Also, the lack of transparency regarding the data collection, transmission, and processing raises privacy and security concerns. Privacy Lab says that network traffic associated with such apps generally hops over multiple countries and legal jurisdictions.
Apps made for iOS weren’t a part of the study, but according to Privacy Lab, the story might not be much different for Apple’s App Store. Many app developers distribute apps for both Android and iOS.
“Android users, and users of all app stores, deserve a trusted chain of software development, distribution, and installation that does not include unknown or masked third-party code.”
The Lab has called app developers and Google itself to introduce more transparency in security and privacy with respect to the app trackers.
The tool used by Exodus Privacy to verify tracker signatures has also been open sourced and uploaded to their GitHub repo.