Android versions of the popular cryptocurrency app Bitcoin Ticker Widget and of Steemit Earn Money, an apparent clone of Steemit, have in the past included software development kit (SDK) tools that extract extensive user data and that are potentially linked to location tracking code from X-Mode, a notorious data tracking company, according to a new report from ExpressVPN Digital Security Lab. Two other personal finance apps have also been found to contain these data trackers.
“We wanted to say to consumers: ‘This is a huge problem; you may not be aware of it,’” said Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab. “Even though these apps aren’t all huge brands, these apps have been downloaded 1.7 billion times, collectively, and millions of times for each individual app. They’re running on people’s phones in their pockets. People are using them for dating and social and finances but they’re not fully aware of the amount of data that’s being scooped up.”
While there are many companies that buy and sell access to location data harvested from unsuspecting people’s phones, X-Mode has come under scrutiny after its ties to government contractors and the military were revealed.
In November 2020, Vice reported X-Mode was getting detailed location data back from multiple Muslim prayer apps, then selling that data “to contractors, and by extension, the military.”
This new report, a far more extensive inquiry into the issue, found X-Mode code in 44% of the 450 apps the researchers analyzed; those apps had been downloaded at least a billion times.
“These apps are global and include health as well as weather apps, games and makeup photo filters,” reads the report.
While Steemit Earn Money has been downloaded only about 100 times, Bitcoin Ticker Widget has been downloaded over 1 million times.
In December, Apple and Google told developers to remove X-Mode from their apps or be banned from their app stores, but by the end of January, the report found, many apps had still not complied, which TechCrunch confirmed in at least one case.
Overall, the study examined 450 Android apps for data trackers.
SDKs are foundational tools that make it quicker and easier for developers to build apps. That said, those tools can contain code that isn’t necessary to the core function of an app. This extra code can track location, extract data and generally relay information back to the creator of the SDK. That information can then be shared or sold for a variety of purposes.
When users download an app and accept its terms of service and privacy policy, they may be inadvertently opting into these forms of data collection, even if they’re not told exactly whose hands the data may end up in. These practices are common in the world of targeted advertising but, as has been previously documented, data can also end up in the hands of law enforcement (even without a warrant), bounty hunters and others.
“Inside the X-Mode SDK are code references to five data providers,” said O’Brien. “These are other entities that people loosely call ‘data brokers.’ Sometimes they’re doing actual selling of data and sometimes they’re not. While it’s somewhat complex, these five entities are basically well-known brands in this location surveillance space.”
“What seems to be occurring because of what’s in the code is that these data providers have some sort of business relationship with X-Mode, either current or prior,” said O’Brien. “And if they are enabled in these apps, then those providers are also getting some information from the app that has the X-Mode SDK.”
OneAudience, included in both Bitcoin Ticker Widget and Steemit Earn Money, was one “data broker” tracker referenced in X-Mode’s code as part of the SDK. It was the subject of a ban and lawsuit by Facebook over data privacy violations because of the data OneAudience’s SDK was collecting.
In February 2020, Twitter and Facebook claimed that “OneAudience had been harvesting private data, such as people’s names, genders, emails, usernames and potentially people’s last tweets,” to such an extent that it has been compared to the Cambridge Analytica scandal. The SDK was shut down at the end of 2019.
Another data tracker, Opensignal, primarily functions as a Wi-Fi mapper, through which users’ locations can be determined.
In its lawsuit against OneAudience, according to Recode, Facebook argued that “OneAudience also paid apps to harvest users’ Google and Twitter information when they logged into one of the compromised apps using their Google or Twitter account information.”
OneAudience, when shutting down the SDK that was the subject of the lawsuit, said, “We were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used.”
Opensignal’s business model, on the other hand, depends primarily on its Wi-Fi mapping use case.
“The question is, how much of the Wi-Fi data are they scooping?” asked O’Brien.
In its privacy policy, Opensignal states it gathers geolocation data, “network type, network operator, cellular and WiFi signal strength and quality, and the identifiers of connected cell towers and WiFi routers.”
OneAudience did not respond to a request for comment. Opensignal, in response to a request for comment, directed readers to its Data Privacy Charter.
Stepping back and looking at the report and the network traffic from these apps, O’Brien has two big takeaways when it comes to the impact on your data privacy.
“Usually the data is not being handled very well,” he said. “And there’s a rich amount of data that can be used as an identifier for a person that’s going through the pipe, even if location is the only named reason the data is being scooped up.”
If you choose to keep using apps like Bitcoin Ticker Widget and Steemit Earn Money, there are ways to limit their data-tracking capabilities. O’Brien said users should go into settings, check the app’s permissions, especially location permissions, and revoke them.
“That may mean the app becomes less functional or displays nagging screens asking for permission,” he said. “Otherwise, unfortunately, the only other step is removing the app. If you’re a California or [European Union] resident, there may be some other steps to take regarding requesting information to be deleted or at least requesting a copy of the information they have.”
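The permission check O’Brien describes can also be done from a workstation with the Android debug tools: `adb shell dumpsys package <package>` lists the runtime permissions an app currently holds, and `adb shell pm revoke` drops one. The script below (an added example, not code from the report or the article) parses that output, picks out the granted location permissions and builds the revoke commands; the dumpsys text and the package name `com.example.tickerwidget` are constructed placeholders, not any real app.

```python
import re

# Constructed sample of `adb shell dumpsys package <pkg>` output; the package
# name is a placeholder, not a real app.
SAMPLE_DUMPSYS = """\
Package [com.example.tickerwidget] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
"""

# Runtime (user-revocable) permissions that expose device location.
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

PKG_RE = re.compile(r"^Package \[([\w.]+)\]", re.M)
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

def package_name(dumpsys_text):
    """Package id from the 'Package [...]' header, or None if absent."""
    m = PKG_RE.search(dumpsys_text)
    return m.group(1) if m else None

def parse_runtime_permissions(dumpsys_text):
    """Map permission -> granted flag from the 'runtime permissions:' block."""
    perms, in_block = {}, False
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if m:
                perms[m.group(1)] = m.group(2) == "true"
            elif line.strip():  # any other non-blank line ends the block
                in_block = False
    return perms

def granted_location_permissions(perms):
    # Only permissions that are both location-related and currently granted.
    return sorted(p for p, ok in perms.items() if ok and p in LOCATION_PERMS)

def revoke_commands(package, perms):
    """adb commands an auditor would run to drop each held location permission."""
    return [f"adb shell pm revoke {package} {p}" for p in granted_location_permissions(perms)]
```

Permissions such as READ_PHONE_STATE in the sample are left alone, since the article’s advice is specifically about location; extend LOCATION_PERMS if you want the same treatment for other data the SDK could relay.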