The ExpressVPN Digital Security Lab found that trackers released by X-Mode, a data broker involved in multiple privacy scandals, are in many more apps than previously reported. X-Mode trackers appeared in apps that have been downloaded at least 1 billion times. The trackers, which can reveal your location, are raising privacy concerns.

“A person’s location information reveals a lot about them,” Sean O’Brien, a principal researcher at cybersecurity firm ExpressVPN, said in an email interview. “For example, it can reveal where your home is, who you spend time with, your hobbies, political affiliation, or sexual orientation and dating preferences just based upon your location trail.”
Banned but Not Beaten
The affected apps include health and weather apps, games, and photo filters, according to ExpressVPN’s research. Google and Apple have banned the X-Mode trackers because of alleged sales of tracking information to the military. Despite the ban, ExpressVPN found that only 10% of these apps have been removed from Google Play.

The findings are part of a broader study on location trackers by the ExpressVPN Digital Security Lab. All 450 apps ExpressVPN analyzed contained questionable trackers. These apps collectively have been downloaded at least 1.7 billion times by consumers worldwide, the company said.

The danger is that the information siphoned from users via these trackers ends up in the wrong hands, Caleb Chen, the head of the cybersecurity company Private Internet Access, said in an email interview. Examples of the possible privacy implications of tracking software are the recent cases of Muslim prayer apps that were found to include trackers from companies that went on to sell that information to the US government.

“A dedicated attacker could buy supposedly anonymized data from the third parties that aggregate the information from different trackers and then deanonymize the data by correlating with outside information or searching for patterns,” Chen said.

Trackers are big business for those who make them. Location and proximity data is valuable for building profiles on consumers, their behavior, and their relationships with people and places, O’Brien said.

“Insights from the data are highly prized by the brick-and-mortar retail industry and are useful across sectors such as entertainment, insurance, and finance,” he added. “The location surveillance industry is far-reaching, with many players who aggregate and share trillions of data points on billions of users.”

Tracker makers evade restrictions by burying the code deep within an app. “In some cases, developers may not even be aware of what software development kits (SDKs) are bundled in their app,” O’Brien said. “If Google and Apple are not providing enough granularity and auditing of apps during the publishing process, it’s completely reliant upon the developers to divulge the usage of location tracker SDKs.”
Fighting the Trackers
An essential step to fight tracking is to do your due diligence before downloading any apps, O’Brien said. And look out for other signs that your apps might be spying on you, such as excessive battery drainage, network congestion, or high memory usage. Regularly look through and audit permissions that you give to your apps.

“For example, does your expense tracker app really need to track location to function?” he added. “We also encourage users to follow our comprehensive guide to iPhone and Android security for more tips on protecting themselves.”

To protect yourself from trackers, you can use software tools that act as tracker blockers. The apps can be added to a browser, allowing you to search and browse privately across all of your devices, Nat Maple, chief marketing officer of cybersecurity company BullGuard, said in an email interview.

“Some of these tools alert users if they are being tracked and also erase browsing history,” he added.

Maple said it’s equally important to use a virtual private network (VPN), which actually hides your true internet location, essentially making you anonymous online.

“Your movements can still be tracked,” he added. “But the tracker doesn’t know your identity or true location.”