You won’t believe how these popular apps are tracking you!

Authors: Hansika Saxena and Bablu Kumar

Have you ever noticed how, as you search for a specific product, every social media platform starts suggesting or displaying comparable products from various brands? This is the so-called advertising network, which has been optimized over time to create user-specific accurate profiles. A good advertising campaign involves ideation, content, and creation. But that’s not all; there’s also a hidden ingredient: user research, also known as user data tracking.

Tracking user data by mobile applications is a common occurrence these days, and it is a more serious issue than users realize. The tracked user data (and activity) can be used to not only influence users’ opinions but also to manipulate their actions. The 2016 Facebook-Cambridge Analytica data scandal is a major example of such a campaign, in which data from 87 million Facebook profiles were collected to provide analytical assistance to Ted Cruz and Donald Trump’s presidential campaigns in the United States.

While the data collected by these apps are primarily used for targeted advertisements, they have other purposes as well. Threat actors and adversaries can utilize the recorded data against users in a variety of nefarious ways, including social engineering campaigns and identity thefts.

In this blog, we show you how to use BeVigil, the world’s first security search engine for mobile apps, to identify the tracker(s) present in the Android apps that record user data along with steps that can be taken to minimize such activity.

Using BeVigil to Identify the Trackers used by an Application

BeVigil’s app scanning service provides a variety of information about the app, ranging from a security rating (based on the number of security flaws discovered) to the mobile permissions required for the app to function smoothly. It can also be used to identify the various app trackers used by a particular application. To do so, simply search for an application on BeVigil using some keywords.

Searching for an application on BeVigil by using the keyword “Youtube”

From the search results select the app you want to find the trackers for and click on “VIEW REPORT”.

Application search results for the keyword “Youtube” on BeVigil

On the App report page, scroll down and select the “TRACKERS” option (on the left) under the “About the app” menu. A list of trackers used by that app, along with each tracker’s category, appears on the screen.

BeVigil identifies the trackers used by the apps
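
This post does not say how BeVigil recognises trackers. One common static approach is to match the class names inside an APK against the package prefixes of known tracker SDKs. The following is an added example (not BeVigil's code and not part of the original post) that does this for trackers named in this post; the category labels and the sample class list are constructed for illustration.

```python
from collections import Counter

# Tracker name -> (Java package prefix, category). Names come from this post;
# prefixes are the SDKs' public package names; categories are assumptions.
SIGNATURES = {
    "Google AdMob": ("com.google.android.gms.ads", "Advertisement"),
    "Google Firebase Analytics": ("com.google.firebase.analytics", "Analytics"),
    "Google Analytics": ("com.google.android.gms.analytics", "Analytics"),
    "Facebook Flipper": ("com.facebook.flipper", "Debugging"),
    "Facebook Login": ("com.facebook.login", "Identification"),
    "Facebook Share": ("com.facebook.share", "Social sharing"),
    "Facebook Ads": ("com.facebook.ads", "Advertisement"),
    "Branch": ("io.branch", "Analytics"),
    "CleverTap": ("com.clevertap", "Analytics"),
    "Bugsnag": ("com.bugsnag", "Crash reporting"),
}

def descriptor_to_class(descriptor):
    """Convert a DEX type descriptor (Lcom/foo/Bar;) to com.foo.Bar."""
    d = descriptor.strip()
    if d.startswith("L") and d.endswith(";"):
        d = d[1:-1]
    return d.replace("/", ".")

def find_trackers(descriptors):
    """Return {tracker: (category, matching class count)} for a class list."""
    hits = Counter()
    for desc in descriptors:
        cls = descriptor_to_class(desc)
        for name, (prefix, _) in SIGNATURES.items():
            # Match on a package boundary so "com.facebook.adsx" is not a hit.
            if cls == prefix or cls.startswith(prefix + "."):
                hits[name] += 1
    return {n: (SIGNATURES[n][1], c) for n, c in sorted(hits.items())}

# Constructed sample: class descriptors as a DEX dump would list them.
SAMPLE_CLASSES = [
    "Lcom/example/shop/MainActivity;",
    "Lcom/google/android/gms/ads/AdView;",
    "Lcom/google/android/gms/ads/MobileAds;",
    "Lcom/google/android/gms/adsdemo/Placeholder;",  # not AdMob: other package
    "Lcom/google/firebase/analytics/FirebaseAnalytics;",
    "Lio/branch/referral/Branch;",
    "Lcom/bugsnag/android/Client;",
    "La/b/c;",  # obfuscated name: cannot be attributed by prefix
]

if __name__ == "__main__":
    for tracker, (category, count) in find_trackers(SAMPLE_CLASSES).items():
        print(f"{tracker:28} {category:16} {count} class(es)")
```

Prefix matching only sees SDKs whose package names survive the build; code that has been renamed or repackaged will not be attributed.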

Trackers by Google

Many users link their Google accounts to multiple accounts on other platforms such as YouTube, Pinterest, Spotify, etc, for ease of access (login, sign up, etc). By doing so, users agree to Google’s data privacy policy whereby it gets the liberty to record user information, such as search/viewing history, that can be used to identify a person’s interests, hobbies, likes, dislikes, etc. According to Google’s My Activity page, “The activity you keep helps Google make services more useful for you, like helping you rediscover the things you’ve searched for, read, and watched.”

Here is a subset of the type of information collected by Google:

  • User PII
  • Web and app activity
  • Location information
  • Call and message information
  • Payment details

The application trackers developed by Google are primarily concerned with advertisements and analytics. They help app developers understand user behavior and interests. Many prominent firms across the world (including Bank of America Mobile Banking, PayTM, Twitter, etc) use these trackers to “improve user experience” by providing “personalized recommendations”.

The most popular app trackers provided by Google are:

  1. Google AdMob: AdMob is a Google mobile advertising subsidiary that enables game or application developers to place various types of ads within their mobile apps. Thus, application developers can monetize their mobile apps using mobile advertising and actionable analytics derived from data collected about ads of interest to users.
  2. Google Firebase Analytics: Google’s analytical service for Firebase integrates across Firebase features and offers unlimited reporting for up to 500 distinct events defined using the Firebase SDK. It focuses mainly on users’ interactions within an app. Analytics reports help developers understand how their users behave, allowing them to make better and more informed decisions about app marketing and performance optimizations.
  3. Google Analytics: Google Analytics is a web analytics service provided by Google that tracks users to improve the performance of marketing, content, products, etc. The collected data is analyzed using Google’s unique insights and machine learning capabilities. It is currently available as a platform within the Google Marketing Platform brand.
Screenshot from Google’s Data & Privacy page describing how the collected data is used for advertising purposes

Limiting Activity Tracking

Google allows you to review your activity and optionally lets you limit the data that gets saved in your Google account. On this website, you can limit your web & app search activity, location history, and YouTube history by turning off these options.

Trackers by Facebook

The American international technological company Meta Platforms, Inc., doing business as Meta and formerly known as Facebook Inc., is the owner of popular social media platforms such as Facebook, Instagram, WhatsApp, etc. It is one of the most valuable firms in the world and is a part of America’s Big Five. Over the years, it has monetized its platforms and products in multiple ways with advertisements being a major method. The firm has developed its own application trackers, which are now used by a wide range of applications, from banking to e-commerce to the music, entertainment, and food industries. As a result, it obtains data not only from its own products but also from a large number of other businesses that use its app-tracking services. A few prominent firms using their tracker services include HDFC Bank MobileBanking, Spotify, Zomato, etc.

While using any of their products, a user is agreeing to Meta’s Privacy Policy which states that they collect, use, share, retain and transfer information so as to “help the user use Meta Products in the way that’s right for them”. The user data is gathered regardless of whether a person has an account with Meta or any of its products. Most of the data gathered is usually from the information provided by the users themselves or from their interactions with other users and features of the platform. However, a large chunk of this data also comes from third parties and partners which use the Business Tools, integrations, and Audience Network technologies offered by Meta. The collected information includes:

  • Device details such as software and hardware
  • Network information such as IP address
  • Contact and payment information
  • Information about the apps running in the foreground
  • Information shared through device settings, like GPS location, camera access, photos, etc
  • Information from cookies and similar technologies

The four most widely used trackers developed by Facebook are:

  1. Facebook Flipper – A debugging platform for iOS, Android and React Native apps.
  2. Facebook Login – Used to log in on other sites by using/linking Facebook accounts.
  3. Facebook Share – Tracks the activity of content shared by the user.
  4. Facebook Ads – Records and analyzes the performance of advertisements.

Limiting Activity Tracking

Facebook’s new service lets you check whether the firm has your contact information, such as your phone number or email address, and delete and block it. You can visit this website and remove your sensitive information.

Facebook taking permission from the user to track their browser’s cookies

Trackers by Amazon

Amazon’s ecosystem is built on a complex web of infrastructure. The rich trove of data has fueled Amazon to become the third-largest digital ad platform in the U.S. While using an Amazon service (such as the Amazon shopping app, Alexa, or Amazon Prime) the user is consenting to Amazon’s practices, as described in their Privacy Notice. This includes allowing Amazon to collect, use and share the user data to “operate, provide, develop, and improve the products and services that are offered to the customers.”

A user’s information is collected in the following three ways:

  • Information Collected Directly from the User – Users are required to provide certain personal information such as names, addresses, phone numbers, etc, in order to avail of the services provided by Amazon. This type of information is usually collected by asking the user to fill out a form. A user may choose not to provide certain information, but that restricts the benefits that can be availed from Amazon.
  • Automatically Collected Information – Information about a user’s IP, location, and interaction with particular pages, products, and services offered by Amazon is automatically collected. Amazon uses cookies and other unique identifiers to track user access to Amazon or any of its services. This is not only limited to the web but also extends to the real world where Amazon’s physical stores use computer vision, sensors, and other technology to gather information on user interaction.
  • Information from Other Sources – Amazon collects information such as updated delivery addresses from its carriers, in their attempt to “correct their records and deliver the next purchase more easily”.

This information is utilized by Amazon’s top app trackers, Amazon Advertisements and Amazon Analytics, for various purposes, including but not limited to purchase/delivery of products/services, troubleshooting, personalized recommendations for products/services, optimizing ad campaigns, etc. In certain cases, a portion of collected information is also shared with third parties, other businesses, and the law. However, the privacy of users’ information “remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise).”

Limiting Activity Tracking

For Amazon, you can manage browser cookies through your browser settings, which will prevent your browser from accepting new cookies. This will prevent Amazon from collecting browser-related information. Just be aware that blocking all cookies in your browser will disable certain app features, and the services may not work properly.

Other Trackers

There are also other trackers such as Branch, CleverTap, and Bugsnag that provide specialized tracking services. These trackers also gather personal, technical, and app usage information to provide a better user experience and improve their products and services. Let’s learn more about them.

Branch

Branch provides cross-platform linking and attribution solutions with the aim to unify user experience and measurement across different devices, platforms, and channels. The company claims that Branch has been selected by over 100,000 apps since 2014, including Adobe, BuzzFeed, Yelp, Ola Cabs, and many more.

The following is a subset of information collected by Branch Links, Branch SDKs, and Pixels:

  • IP address to understand general location
  • Web cookies for device identification and attribution
  • Phone number
  • Device model
  • Mobile network status (Wi-Fi, etc.)
  • Local IP address
  • Carrier ID
  • MAC address

CleverTap

CleverTap puts itself in the category of a customer engagement and retention platform that provides the functionality to integrate app analytics and marketing. The platform helps customers increase user engagement by tracking user actions and analyzing how people use the product.

The service is used by more than 1,300 customers in 100 countries and across 10,000 apps, including Gojek, SonyLiv, Swiggy, and PharmEasy.

Here is a subset of the information it collects:

  • Name
  • Company name
  • E-mail address
  • Telephone number, or any other identifier by which you may be contacted online or offline
  • Cookies allow them to track which pages you visited, what links you clicked on, and how you used the CleverTap Service

Bugsnag

Bugsnag is a SmartBear company that provides an error monitoring and reporting service. It can detect crashes in your mobile and web apps in real-time. Over 6000 customers such as Slack, Shopify, Netflix, and Tinder use Bugsnag to identify, prioritize and replicate bugs.

The platform uses tracking tools like cookies, pixels, and web beacons to collect usage and browser information passively.

Here is a subset of information the company collects:

  • Contact and Demographic Information – name, address (including billing and shipping address), telephone number, email address, and fax number.
  • Payment Information
  • Account Information
  • Education and Employment Information

Uber Analytics

Uber is a San Francisco-based transportation company that provides mobility as a service, ride-hailing, food delivery, package delivery, couriers, and freight transportation. Studies reveal that Uber had 122 million monthly active users worldwide in the second quarter of 2022 and generated an average of 21 million trips per day. Uber Analytics is used in the Uber and Uber Eats apps.

Here is a subset of the data collected by the company.

  • Customer Name
  • Credit card information
  • Current location and regularly traveled locations such as home and place of work

How to Protect your Data?

Digital connectivity and account interlinking make it impossible to completely prevent data collection by trackers. Most brands use third-party trackers to understand user behavior and often collect user PII or non-PII, app crash reports, etc. Although trackers have a negative connotation regarding user policy, they are very useful for enhancing app development strategies and providing personalized services, which is admired by many users. While some of the data could be required to comply with legal or regulatory requirements, the concern emerges when the companies collect more data than required. It then becomes subject to scrutiny whether the companies are collecting only the right amount of data and whether the collected data is in the right hands.

The security of our data is first and foremost our duty as users, then that of the applications. We should take the appropriate precautions and make a conscious effort to limit activity tracking, for example by accepting only the strictly necessary policies and cookie conditions. It’s always a good idea to provide as little information as you can and follow good cyber hygiene practices.
