A BuzzFeed News investigation has revealed that at least 20 VPN and ad-blocking apps from analytics platform Sensor Tower secretly monitored users’ data.
With over 35 million downloads, these 20 Android and iOS apps fed private data to Sensor Tower products, reportedly since 2015. A few popular names include Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus.
Since the investigation, Apple has removed Adblock Focus, and Google has removed Mobile Data from their respective app stores. Both tech giants are still investigating the other apps for leaking data.
Interestingly, all the apps were listed under different company names. However, BuzzFeed managed to link the apps to Sensor Tower after finding “code authored by developers who work for the company.”
How did Sensor Tower harvest the data of millions?
As per the report, Sensor Tower’s apps asked users to install a root certificate, which enabled the apps to access the internet traffic and data passing through the phone.
Trusting a root certificate from a third-party app can be dangerous since its developers can misuse that trust for their own benefit. Apple doesn’t allow third-party apps to install root certificates. However, Sensor Tower’s apps bypassed this restriction by installing the certificates through Safari.
For example, Luna VPN shows an in-app notification about installing an Adblock Extension to avoid ads on YouTube, then redirects users to Safari and asks them to install a root certificate.
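A defender-side check for the install path described above, as an added example that is not from the BuzzFeed report or from Sensor Tower's code. It assumes the certificate reaches the device as an unsigned iOS configuration profile (`.mobileconfig`), which the article does not state; the sample profile and its names are constructed.

```python
import hashlib
import plistlib

# Apple payload types that change what a device trusts or where traffic goes.
RISKY_TYPES = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.vpn.managed": "configures a VPN",
}


def audit_profile(raw: bytes) -> list:
    """Return one finding per risky payload in an unsigned .mobileconfig.

    Signed profiles are CMS-wrapped and must be unwrapped first
    (not handled here).
    """
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_TYPES:
            continue
        finding = {
            "type": ptype,
            "name": payload.get("PayloadDisplayName", "(unnamed)"),
            "risk": RISKY_TYPES[ptype],
        }
        cert = payload.get("PayloadContent")
        if isinstance(cert, bytes):
            # Fingerprint the embedded certificate so it can be compared
            # against certificates the organisation actually issued.
            finding["sha256"] = hashlib.sha256(cert).hexdigest()
        findings.append(finding)
    return findings


# Constructed sample profile; the certificate bytes are a placeholder.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Ad Blocker",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"constructed-not-a-real-cert"},
        {"PayloadType": "com.apple.webClip.managed",
         "PayloadDisplayName": "Shortcut"},
    ],
})

if __name__ == "__main__":
    for item in audit_profile(SAMPLE):
        print(item)
```

Any finding of type `com.apple.security.root` in a profile offered by an ad blocker or VPN app deserves scrutiny, because a trusted root lets its holder decrypt the device's TLS traffic.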
Sensor Tower Denies
The analytics firm’s head of mobile insights, Randy Nelson, has denied the claims about collecting data.
Moreover, when BuzzFeed asked him about the removal of the apps from the app stores, Nelson said that the majority of the listed apps “are now defunct (inactive) and a few are in the process of sunsetting.”
This is not the first time VPN mobile apps have been questioned over how they safeguard users’ privacy. Last year, a report found that, out of a sample of 150 free VPN apps for Android, 90% compromised privacy through different methods.