Security news that informs and inspires
Face with eyes, ears, and mouth all covered.

Privacy Rules Not Strictly Enforced for iOS, Android

Privacy-fueled policies and bans are ineffective if they aren't paired with regular audits and consistent enforcement.

New research from ExpressVPN Digital Security Lab and Defensive Lab Agency identified 450 Android apps on Google Play (as of end of January) with location tracking libraries, and noted the “ubiquity of location tracking SDKs in a wide range of consumer apps.” In December, Google and Apple banned X-Mode Social, the software development kit from data broker X-Mode, from iOS and Android apps. Developers were told they had a week (Google) to two weeks (Apple) to remove X-Mode’s tracking software from their apps or risk having their apps removed from Apple's App Store and Google's Play Store. A little over a month after the deadline, and just 10 percent of the apps which had used X-Mode libraries at some point over the past year has removed the tracking code as required, ExpressVPN Digital Security Lab researchers said.

“Though trackers may be nominally banned from app stores, further investigation reveals these measures are not being consistently enforced,” the researchers wrote.

Also in December, Apple announced that “privacy labels”—a list describing what kind of data is being collected—would be required for all iOS device owners running the latest version of iOS 14. The policy for other platforms—iPadOS, macOS, watchOS, and tvOS—is expected to be in effect at a late date. While the privacy labels are now visible on the website as well as on mobile, an informal Washington Post analysis found that those labels were not accurate. some apps claiming the highest-level of privacy, “Data not collected,” were still sending information such as the phone’s identifier and general location to multiple entities.

Lingering X-Mode

These privacy-friendly announcements suggested a shift away from ubiquitous tracking by mobile apps, but those hopes appear to have been a little premature. X-Mode's SDK allows developers to monetize apps by collecting and sending the device's location data to X-Mode’s platform. While the data doesn't have the individual person's identifying information such as name or email address, the location of the device is just as effective in tracking individual movements.

ExpressVPN Digital Security Lab found that 44 percent of the Android apps with location tracking, or about 200, had used X-Mode libraries at some point over the past year. And just 10 percent—20 or so—have either been removed from Google Play entirely, or updated with a new version that didn't use X-Mode's code. For example, an app used to navigate the New York City subway map system which had been installed more than 200,000 times still had X-Mode SDK as of Jan. 20. A new version without X-Mode has been uploaded Jan. 27, presumably after Tech Crunch contacted the developer. A travel app (with maps for 42 cities around the world) is still using X-Mode, according to the privacy audit search tool from non-profit Exodus Privacy.

Media reports have found that X-Mode's data has been used by various government entities, such as the U.S. military, law enforcement, and intelligence agencies, as well as private threat intelligence firms for surveillance purposes. X-Mode has claimed data covering more than 25 percent of the United States adult population and up to 10 percent in 11 other countries (the list includes Australia, Canada, France, Italy, the United Kingdom, and Spain). Banning the SDK would have removed this level of location tracking—especially since users typically have no idea that X-Mode has this information and can sell it to anyone.

The researchers also published endpoints that apps using X-Mode’s SDK are known to communicate with, which would help identify which apps are sending—or have historically sent—location data to X-Mode. Some of the trackers aren't obviously from X-Mode, as there are relationships between various trackers, so the endpoints are useful for finding the intermediate trackers that eventually end up with X-Mode. While the nature of the relationship between X-Mode and other players such as Sense360, BeaconsInSpace (aka Fysical), Placed (a subsidiary of Foursquare), SignalFrame, and OneAudience is unclear, the researchers found that some of them are listed as “enabled” by default in X-Mode SDK configuration files.

Inaccurate Labels

In the case of the privacy labels, consumers were supposed to be able to see the extent of the app’s data collection—“data used to track you,” “data linked to you,” and “data not linked to you”—so that they could make an informed decision before installing the app. Consumers could use the labels to compare apps within a category and decide whether they preferred an app claiming to collect no data over one claiming to collect limited data. There was a catch with these labels: the information in the labels were provided by the app developers themselves, and the small print on the label says, “This information has not been verified by Apple.”

Geoffrey Fowler, Washington Post’s technology columnist who spot-checked some apps, found that a mobile game claiming to take only “data not linked to you” was sending a phone identifier to more than a different companies. The developer changed the app's label to “data used to track you” after Fowler followed up to ask what was happening. Fowler said 1 in 3 apps claiming they took no data that he checked were inaccurate. Apple “conducts routine and ongoing audits of the information provided” and would reject future updates (or remove) if the developer continued to display inaccurate information, the company told the Washington Post, but declined to elaborate on how many apps the company had already flagged as part of its review. Apple also did not address why the apps Fowler had found were still displaying inaccurate labels.

“[If] a journalist and a talented geek could find so many problems just by kicking over a few stones, why isn’t Apple?” wrote Fowler.

Fowler noted that Apple had very narrow definitions of privacy, such as limiting the definition of tracking to just targeted advertising, ad measurement, and data brokers. The privacy labels also do not indicate where the apps are sending the data.

The privacy labels are not as helpful as they could have been, and the app stores aren't enforcing the banned trackers as well they should be. This raises the question of whether there needs to be a third-party entity or regulator enforcing the privacy, in a manner similar to how the Food and Drug Administration regulates what is listed on the nutrition labels on food products.

“Serious auditing of apps before publishing is the only way to keep trackers out of app stores and, even then, detection requires care and dedication,” ExpressVPN researchers wrote.

Image Credit: Clare Back (@southpaw2305)