Although the systematic recording of movements from smartphones is a multi-billion dollar industry, little information is available about how this data is collected and used. AppCensus’s new research shows that even seemingly innocent apps like barcode scanners and GPS speedometers collect detailed data about users without their consent.
AppCensus explained in a blog post that the SDK of the British provider Huq creates wide ranging user profiles and also uploads them if users object to share their data. This was not detected during regular tests, since the SDK doesn’t permanently upload user data in real-time. Instead it stores data locally in an archive. This data collection includes GPS data as well as information about nearby WLAN networks.
This data can be used for many purposes. Municipalities can use the data to plan traffic, while investors can locate good locations for shops. They are also useful for individual advertising because the data allows one to draw conclusions about which stores customers shop in.
Huq’s practise goes against Apple’s and Google’s platform privacy rules. In the latest versions of iOS and Android, GPS and other location data access must be confirmed explicitly. However, Apps that use location to perform their normal functions often contain the SDKs of respective providers. AppCensus, for example, found Huq’s SDK within an app that displays speed cameras. It has been downloaded over 10,000,000 times.
Huq claims that it analyzes 1 billion data points every day from 161 countries, but does not disclose where these data came from. Vice reports that the analysis of data communication of two apps revealed that they also transferred data if there was an express objection to the collection. Huq blames app developers for this behavior: they should only initialize SDKs if consent is obtained.
This highlights the complexity of privacy when there are dependencies on third party SDKs and shady tactics are at work. Apple’s new App Privacy Report is one of the iOS 15 additions that Apple introduced at WWDC, but it was not available in the initial iOS 15 rollout. It is designed to allow users to see how often apps have accessed their sensitive info like location, photos, camera, microphone, and contacts across the last seven days. With iOS 15.2 this feature will be available for all users.