
20 data-stealing apps blocked by Google and Apple—35M downloads later

Richi Jennings, Industry analyst and editor, RJAssociates

App analytics platform Sensor Tower is accused this week of underhanded data pilfering. Its apps don’t say who’s behind them, nor what data they collect.

Most worryingly, some of the apps force the user to install a man-in-the-middle root certificate. This is fine.

“Free” VPNs and ad blockers: What did they expect to happen? In this week’s Security Blogwatch, we quote Serra and Schoolman yet again.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: puppies.


You are the product

What’s the craic, Craig? Mister Silverman reports—Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data:

Sensor Tower, a popular analytics platform … has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps. … These apps, which don’t disclose … that they feed user data to Sensor Tower’s products, have more than 35 million downloads.

[The] apps prompt users to install a root certificate, [which] lets its issuer access all traffic and data passing through a phone. … Apple and Google restrict root certificate privileges due to the security risk to users. [The] apps bypass the restrictions by prompting users to install a certificate through an external website.

Four of these [apps] — Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus — were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple's App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by [us].

Randy Nelson, Sensor Tower’s head of mobile insights, said … “Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user’s device, including web browsers.”

Oh. Well. That’s all right then. Tom Maxwell quips—They're free for a reason:

At least 20 VPN and ad-blocking apps for iOS and Android have been used to surreptitiously collect internet usage data. … VPNs and ad-blockers are intended to give people back some of their privacy. By siphoning off your internet traffic, the apps from Sensor Tower are effectively doing the opposite.

This should serve as a reminder that if you're not paying for your VPN or ad-blocker with cold hard cash, you're probably paying in some other way. … Unlimited VPN services can't just be offered for free.

This is true. Rachel England adds—A popular analytics platform secretly scraped user data via VPN apps:

Tracking user activity is the cornerstone of the app economy, and it's not unusual for developers to present data-monitoring functions as user safeguards — Facebook's info-leeching Onavo VPN app is a prime example. [This] case serves to highlight how this practice is largely misunderstood by users, and indeed, the loopholes companies are prepared to exploit.

According to Sensor Tower — which owns 20 of these apps — it only collects anonymized usage and analytics data, which is integrated into its products. … Apple and Google removed a number of affected apps from their respective stores, with both saying they are now investigating the issue. … 13 Sensor Tower apps were previously removed from the iOS App Store due to policy violations.

Would you install one? rubyn00bie sure as **** wouldn’t:

This is also why I don't use a VPN I don't run (or certainly not one that hasn't been audited with a good reputation), and I certainly would never ****ing dream of using a free VPN. … On the other hand, this could make for a hilarious experiment using adversarial neural networks to troll the *******s mining data.

So rho waxes pedagogic:

It needs to be beaten into everybody's head that VPNs are not for anonymity. It is not their purpose and never has been. If a company is telling you to "protect your privacy online" by using their service, they are lying to you.

If you control both ends of the VPN, it's your private network. If you're using somebody else's software and endpoint, it's their private network.

But enough theorizing. cik has been there. Done that.

I've built more than one VPN network over the years — and I don't use the ones I built. My philosophy has always been that I can't trust the network after I no longer own it.

The hard reality is that you have no way of knowing what's being logged if you don't have full access to the servers. I've always pushed for leaving VPN servers on operating systems running in read-only, on read-only disks, and open to the world (i.e., customers who log in). It's one of the best forms of real transparency that I can think of.

Naturally, Way Smarter Than You is shocked—SHOCKED:

You mean a free phone app is tracking me? One allegedly intended to improve my privacy and/or security?

And it's a VPN where they have all my unencrypted traffic? You mean they don't do this from the goodness of their hearts?

Next, they'll be telling us they sell the data to Facebook, Google and various governments! (LOL, of course they do.)

Next shoe? AznHisoka alleges a similar perp:

SimilarWeb is another company with millions of funding that is sitting on a shady foundation as well. … They own a bunch of Chrome extensions that track all the websites you visit and queries you enter into Google.

Meanwhile, what sort of a name is “Sensor Tower,” anyway? Be strong, like stronglikedan:

May as well have called it Eye of Sauron.

The moral of the story?

What are your users installing on their phones? And what are those apps doing with your company data?
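For app developers and enterprise mobility teams chewing on that question, here is an added defender-side illustration (not from the article, and not from any of the apps or companies it names): an Android network security configuration that stops an app from trusting a user-installed root certificate like the one these apps push through an external website, so that certificate cannot be used to read the app's TLS traffic. The domain name and the two pin digests are placeholders; replace them with your own API host and the base64 SHA-256 hashes of its server-certificate public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml via
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Apps targeting API 24+ already ignore user-added CAs by default; this file
     makes that explicit, forbids cleartext, and adds pinning for the app's own host. -->
<network-security-config>

    <!-- Weak setting: trusting src="user" would let a root certificate installed
         through Settings (for example, one pushed by a "free VPN" app) intercept
         every connection this app makes. Shown here only so the contrast is clear:

         <base-config>
             <trust-anchors>
                 <certificates src="system" />
                 <certificates src="user" />
             </trust-anchors>
         </base-config>
    -->

    <!-- Corrected setting: system trust store only, no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- For the app's own backend, go further and pin the server's public key,
         so even a compromised *system* CA cannot mint a usable certificate.
         "api.example-placeholder.com" and both digests are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">api.example-placeholder.com</domain>
        <pin-set expiration="2021-03-31">
            <!-- primary pin: base64(sha256(SubjectPublicKeyInfo)) of the live leaf or CA -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for the next key, so a rotation does not brick the app -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only: allow user CAs so developers can inspect their own
         traffic. Android applies this block only when android:debuggable="true". -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Note that this protects only the app that ships it; a user-installed root CA still affects browsers and other apps that opt into user trust, which is why the store policies quoted above matter.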


And finally

In these uncertain times, we all need six puppies in a bucket


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: KC Green (cc:by-sa)
