Ad modules in Android apps are a daily fact. Same can be said for Analytic modules. Only few of all those are really fully harmless. But some are especially bold, and are better avoided:
The following list is far from being complete; these are just modules that have
come to my „special attention“. Some apps contain up to ten or more of those
ad/analytics modules. Which that are in each case can, if the app in question
is listed in the Google Playstore, found out by a click on the Appbrain Icon
next to its name. Also see: Ad-Modules and Privacy
Checker in
the app lists.
Developers: The excuse of „I didn't know“ or „I wasn't aware“ at maximum counts in cases where the permissions have not been that obvious. But as soon as you had to explicitly request things accessing PII it must be assumed you don't care for the privacy of your users – so those concerned for their privacy should be advised not to use any of your apps, as you probably didn't care there either. For those who indeed weren't aware, I can warmly recommend this short article: neutrally written and well explained.
Special Risk: these modules have access to everything the app itself has access to, as they are part of the app. There's no isolation. Moreover these modules are usually „proprietary“ (i.e. their code is not open); so you cannot really verify what they do or don't, what data they access or transmit, etc.
On the surface, AppsFlyer seems to be pretty sensitive. On their blog they encourage developers to find a good balance and don't collect what they don't need – explicitly warning about the dangers involved with collecting PII in detail.
Their privacy policy informs about data they collect:
The data collected by the SDK includes information such as IP address, User agent, platform, SDK version, anonymous User ID, time stamp Developer Key, application version, device identifiers such as: IDFA (Identifier For Advertisers), Android ID (Android device), Google Advertiser ID, device model, manufacture, OS version, in-app events, and network status (WiFi/3G).
If it's really restricted to that, it sounds not that bad. Concerning sharing collected data, this seems to be restricted for internal use and the dev's Dashboard (with the exception of „lawful demand“). Additionally, data is stored encrypted to keep it safe. They however keep the option to share „aggregated data“ with their business-partners.
And now guess who those might be. Exodus Privacy provides a list of them, which is rather long (and even that one is abbreviated). Prominent names include (but are not restricted to) Google, Facebook, Flurry, Tapjoy, Tencent…
Further, the AppsFlyer framework enables apps to work around security measures, which was e.g. used by shady devs to install malware from the Soraka network.
It also fingerprints devices by their IDs, tracks users across datasets to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps (The Intercept).
Permissions required by AppsFlyer:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
The name suggests a combination of two words, and so this library is intended for „crash analytics“ – i.e. analyse why an app crashed. But then, why does it send data even there was no crash – for example right at the start of an app? And what for are identifiers like the device's Android_ID included? At least questionable.
Information gathered includes a.o.: Developer-Token, API-Key, OS version, client version, an Installation-ID, Android_ID and GAID. The Intercept further points out that Crashlytics can also link users across multiple cookies and devices.
Permissions required by Crashlytics:
INTERNET
According to Exodus Privacy:
So this belongs to Analytics as well as Advertisement; a real bummer.
Let me translate what security expert Mike Kuketz wrote:
… I find that almost every app integrates a »Facebook-Bug«. Regardless whether you have a Facebook-Account or not, at each and every start of the app and while it is running, a connection to »graph.facebook.com« is established. Via that, a.o. the following details are transmitted:
Google Advertising ID, whether Ad-Tracking is activated / allowd, package name & version number of the app, Android version number, device model, country code, time zone, display resolution …
Above mentioned details are sufficient for Facebook to determine you are using this specific app. You don't believe this? Look here: Leserfrage: Warum weiß Facebook welche Apps ich nutze?
And that's just the „peak of the iceberg“. For example, just by above mentioned details Facebook cannot only determine that you're using that specific app – but also how often, at what times, and more.
Note that Facebook is one of the biggest data collectors, so I'd definitely count this a „privacy intrusion“.
Luckily I don't need to list all privacy scandals here myself (I couldn't possibly manage to keep that list up-to-date as they happen faster than I can type): Someone already does that. Go here to find out how many days have passed since the last one. Seems to be rarely more than a week.
This is a frequently used module, as it offers convenient „cloud processing“. However, its main tasks seem to be Analytics and Ads: Firebase Analytics is the core component, and Admob is also part of Firebase.
Analytics should help developers understand how their apps are used, so they can make them even better. Flurry offers a really deep analysis – at the cost of your privacy. It doesn't even stick to the app in question, but also sniffs on the outside: what other apps are there? how often do you call them? Usually, the user is not informed on the details of those actions, neither of what data will be shipped off-device.
What's worse: Flurry is also active in the advertising sector (hint: Flurry belongs to Yahoo). So there's more than just a theoretical danger of being observed cross-app (and maybe even cross-device) – and of someone building up a profile on you and sell those data to other parties. For details, please read:
Information collected by Flurry:
These a.o. include all of your screen views and clicks within the app, plus OS version, unique phone identifiers, your location. It further seems to track when you launch and use any app on your device, even those that do not use Flurry. Flurry shares aggregate information about your behavior across all apps with all its customers, not just the ones whose apps you agreed to install.
In order to opt-out it seems you first have to create an account with them (the page asked to log-in), and then provide them with your device ID. Which in other terms means: now they can even connect your device to you, by the details provided at account creation. Not sure what affect that opt-out does, as the introduction did not include those details and I didn't dare to create an account.
Permissions required/used by Flurry:
INTERNET
ACCESS_NETWORK_STATE
WRITE_EXTERNAL_STORAGE
ACCESS_FINE_LOCATION
Many websites carry it, and many Android apps as well. Allows the developers deep insights on how their applications perform, which is a good thing. But it also collects a lot of personal data. Considering who stores them, they make very good profiles – especially of Android users having a Google account in use. LunaMetrics describes how to perform collecting, „advanced tracking“ and targeting with Google Analytics.
Google Analytics e.g. uses „persistent cookies“ to track you around the web (see Google Analytics EU Cookie Law for details). While cookies apply to browsers, on Android there are other means. As the module doesn't request permission to access the device ID, it probably uses the Advertizing ID (see: Android Identifiers: How Android devices and their users are identified), which you could reset from time to time. The abuse of privacy through Google analytics has resulted in litigation in the EU (see: Investigations into Consumers Preferences Concerning Privacy: An Initial Step Towards the Development of Modern and Consistent Privacy Protections Around the Globe, 2014, page 6).
If you think of some „Payback“, take a look at the article How to Sanction Google for their Aggressive Behavior. The suggestions might not be all for you, but give you some ideas nevertheless.
Another group especially interested in Google Analytics are hackers – who can use it
e.g. to jump firewalls. Because thanks to the popularity of this analytics tool, the domain
google-analytics.com
often is whitelisted for data transfers. Details (in German):
Google Analytics als effektives Hilfsmittel für Cybercrime Datenklau.
Permissions required/used by Google Analytics:
INTERNET
ACCESS_NETWORK_STATE
Huq Industries Ltd., based in London, UK, offers so-called footfall data for sale. This refers to data that depicts how people move in a certain area. According to its own information, Huq has location data from cell phones going back several years. The company receives the raw data for this from cooperating app operators who integrate a software module (SDK) from Huq into their app.
(source: Mobilsicher)
The promise (or rather fairy-tale) of „anonymized data“ is hardly kept, as Mobilsicher shows. Translated from the article:
The Danish TV station TV2 wanted to know: Can you just buy the location data of people walking around with a smartphone in their pocket? And can you identify individual people in it? The answer from the impressive report, which appeared in July, is: Yes, you can.
For 36.000 danish Krones (about EUR 4.850) the sender obtained 129 million data sets, covering the second half of 2019 and 2020. Contrary to the assurance that „data shared with Huq does not contain information that can be used to identify users by name, and we do not provide any additional information that could be used to identify you,“ this was quite possible:
Using the Huq data, the journalists were able to precisely track Jensen's activities: When he traveled, where he refueled, which hotels he stayed in, and when he was in the hospital. In the case of Otto Jensen, this was a very unpleasant surprise, but had no dire consequences. This is not always the case. For a long time, commercially available data has also been used specifically against individuals.
Further, Huq simply ignores all privacy settings you might have applied, including Opt-Out, as an in-depth analysis from October 2021 reveals: What the Huq?. Thus apps with this tracker should be strictly avoided.
Mixpanel modules often, next to „anonymous metadata“, also collect a bunch of personal details. This can include your mail address, full name and health details in a diabetes app. Though fixed now, between 3/2017 and 2/2018 data sent could even include passwords (also see here. Of course, this might not all be Mixpanel's fault; app developers also have their share in how they've set it up. Though that certainly does not apply to the password harvesting – which rather implies the SDK actively harvests „some data“ via a feature called „AutoTrack“. That might indeed be a mistake without malicious intent – but who knows what else is slurped up that way?
Mixpanel's privacy policy is even more vague as Google's on what data is collected. It's a rather long text with few details to grasp.
Further see:
Permissions required by MixPanel:
INTERNET
ACCESS_NETWORK_STATE
BLUETOOTH
What would you expect from a company sponsored by Peter Thiel? Maximizing profits, certainly. Protecting privacy, certainly NOT. So Motherboard reports on 2021-08-12:
SafeGraph sells smartphone location data to essentially anyone. Google banned the company in June.
Which is a quite broad summary. More precisely, they continue:
They are willing to sell extremely fine-grained data and anyone with a credit card can start buying it
More details:
SafeGraph collected at least some of its location data by having app developers embed the company's code, or software development kit (SDK), into their own apps. Those apps would then track the physical location of their users, which SafeGraph would repackage and then sell to other parties. […] Beyond its own data, SafeGraph also offers customers the chance to buy related data sets from other providers to enrich the location information […]
Something you should clearly avoid.
… uses the mobile sensors built into smartphones to understand a user’s location and activity. We have trained our algorithms with millions of real-world consumer examples from GPS, accelerometer, gyroscope, barometer, wifi, ambient light, and many other sensors. This provides us with an anonymous, but highly accurate understanding of where, how, and when people interact with physical locations and businesses.
Our sensor-technology is on nearly one hundred apps and millions of mobile devices in the US. Our panel generates more than a terabyte of sensor data every single day and provides a detailed view of more than 100 million anonymous visits a month. We carefully curate our panel to ensure that it is highly reflective of the general population across geography, gender, ethnicity, age, and household income.
(source)
It is claimed the data is „anonym“. But with that grade of details, it's quite unlikely De-anonymization should be very hard, simply by cross-referencing. True, granularity would be needed for research purposes – but then it should be based on the users opting in by an informed decision. Which is often lacking, as companies do not enforce this but leave the decision to developers (who often ignore it). A stashed opt-out (which is available for Sense360) is irresponsible, as most users aren't even aware of being tracked.
With data as sensitive as these, this module must be mentioned here regardless of how the collection is consciously used. It's just too dangerous to collect them without explicit consent.
According to Exodus Privacy, Tealium collects both PII and non-PII from individuals visiting its website or using its services. They „may make use of, or make such Aggregated Data available to, third parties, in any manner in our sole discretion“. Tealium shares data with service providers, affiliates, partners and affiliated businesses not controlled by Tealium, billing, and when compelled by authorities. Data is retained „for as long as needed to provide our Services, comply with our legal obligations, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, and enforce our agreements“ – which could as well mean forever (wicked tongues might ask why „provide our Services“ is mentioned separately from „pursue legitimate business purposes“; my answer would be because, again, users aren't asked for their explicit consent).
Tealium was found collecting Facebook user data (4/2018), though their CMO disputes that.
Truth be told, I found several sites claiming Tealium's „enhanced privacy“ – but how much would you believe such a report on a page owned by the ad and tracking industry itself, or one containing five or more trackers? One even claimed that no data would be collected by Tealium – which not even Tealium itself claims.
Belonging to the Alibaba Group, Umeng is called the Flurry of China, the leading mobile app analytical platform in China, and rival of Tapjoy.
I couldn’t exactly figure out which data it collects, but I guess that updates a remote “application log” via the company’s API at
alog.umeng.co/app_log
.In its headers the request contained a X-Umeng-Sdk field with operating system version, app version and smartphone model.
(Manuel D'Orso: Some MiFit app analysis)
There is also an entry in VirusTotal on this domain as a malicious URL. See: h–ps://www.virustotal.com/en/domain/www.umeng.com/information/ Thus we can confirm that the app posts encrypted personal data to a malicious url.
(Analysis: Android SMS Malware (PhotoViewer))
Besides, Symantec rates this module as „high risk“.
However Umeng, a mobile analytics provider, is becoming more and more complex. It has many tools beyond analysis, like statistics, report, SSO, social network share, notification push, advertisement and many other functionalities. So it rather seems to become the „Facebook of China“.
Permissions required/used by Umeng:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
AdMarvel is owned by Opera. As a Cornelly study found out:
We found that the AdMarvel AdSDK satisfies the WebView-related conditions even on post-4.1 Android, i.e., it allows files loaded by ads to access any file on the device. This enables any ad shown in an AdMarvel-supported app to steal local files from external storage.
Keep in mind that for apps dealing with sensitive content themselves (banking, health etc.), this might include sensitive details (especially from that app itself) you might not wish to be transferred to any third party. Examples can be found in the Cornelly study just quoted (starting at page 9).
So this ad module explicitly exposes users to malicious ads. Note this vulnerability has been patched in recent versions of the AdMarvel and AdMob SDKs (i.e. apps compiled 2017 or later should no longer be affected) – but is possibly still open for Airpush and MoPub.
Permissions required by AdMarvel:
INTERNET
ACCESS_NETWORK_STATE
WRITE_EXTERNAL_STORAGE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
WRITE_CALENDAR
RECORD_AUDIO
In 2013, a Court Partially Dismisses Google Mobile App Spyware Case, Citing Lack of Damages because „failed to adequately allege that the company's actions damaged them“. Read: not because they weren´t found guilty, but because the court decided it was no material harm done.
The plaintiffs alleged that Google and mobile advertising companies AdMob Inc. and AdWhirl Inc. used code hidden in mobile apps to secretly collect their names, gender, ZIP codes, app activity information, geolocation data, and the universally unique device identifiers of their phones. They also alleged that Google misrepresented that their PII would be anonymized.
Which the court found is as life is today – that is, according to some „social norm“:
The court said the plaintiffs' allegations that the defendants violated their constitutional right to privacy “are not sufficient to allege that the Google Defendants' conduct constitutes an egregious breach of social norms.“
Two years earlier they've also been under fire: Android Faces Lawsuit For Knowing Too Much About The Users (6/2011; Admob):
Google’s Android smartphone has become a Big Brother and knows more about the users, than their family and friends does. A federal class-action lawsuit filed by a Charleston attorney, has alleged Google and Android phone apps of keeping track of user’s personal information and selling them to advertising companies. According to the lawsuit, Android apps keep track of customer’s personal information ranging from his physical location, to his sexual orientation and monthly income.
Also see Characterising User Targeting For In-App Mobile Ads (PDF, 2013) for some insights.
Shares data with several other advertizers, like Mobfox, Smaato and more, see Google Says It Doesn’t 'Sell' Your Data. Here’s How the Company Shares, Monetizes, and Exploits It. (4/2020).
Permissions required by AdMob:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
Like Leadbolt and AirPush, AdsMogo performs package name obfuscation and generate random package names for different developers to avoid detection (see: here. Its presence in malware apps is twice as high as in non-malware apps. McAfee e.g. reports:
We found that adsmogo and leadbolt are two ad libraries that we found seldom appear without malware.
AdsMogo seems to allow certain malware libraries to stealthily hide themselves, as e.g. reported here. Those apps then stealthily record audio and video, monitor and upload device location, exfiltrate data to remote servers, and more.
Airpush was especially nasty – as you could not easily determine the app which suddenly popped up ads in unexpected places, such as your device's notification area (disguised as notification) or on your homescreen. To get rid of the culprit, one had explicitly to opt out; either by installing a specific „opt-out app“, or by entering IDs of the affected devices directly on their website.
Permissions required by this ad module suggest they use your device's identifiers (of course to opt you out), but also track your location (surely just to show you ads relevant to the area you're in, with an accuracy of 5m or so – which is why they want your FINE location, i.e. GPS). According to this paper, Airpush a.o. sends AndroidID, phone number, location and SIM operator to its servers.
Also see Details described for AdMarvel on „enabling malicious ads to steal data“.
Further readings:
Permissions required/used by Airpush:
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
INTERNET
READ_PHONE_STATE
WRITE_EXTERNAL_STORAGE
Avocarrot is a mediator. According to their Privacy Policy, they collect:
Information about your device, such as the type and model, manufacturer, operating system (e.g. iOS or Android), carrier name, IP address, mobile browser, applications using Avocarrot and the version of such applications, and identifiers assigned to your device, such as its iOS Identifier for Advertising (IDFA), Android Advertising ID, or unique device identifier (a number uniquely allocated to your device by your device manufacturer).
Log information, including the app or website visited, session start/stop time, time zone, language, and network connection type. The geolocation of your device (using GPS or other data), when location services have been enabled for the mobile app or website that uses Avocarrot.
Data is shared with advertisers and customers. It is stored and processed on Amazon servers. And looking at their own servers, they only get rated F (8/2018) for lack of security.
Also see: Mobile Applications and Access to Private Data 11/2017
Permissions required by Avocarrot:
INTERNET
[ACCESS_NETWORK_PERMISSIONS]
Additionally, Avocarrot uses location data when accessible by the host app.
The Fireye report security reimagined names Burstly, now a subsidiary of Apple, as one of the most aggressive ad libraries. According to the report Burstly a.o. collects Age, Number of children, Education, Ethnicity, Gender, Height, Income, Users’ interests, Location, Marital status, Sexual orientation, Political affiliation, ZIP code.
Judging by the permissions, that list seems to be far from complete and most likely also includes unique device identifiers and more. Symantec marks it as „potentially unwanted app“, and in its details fills the gap – saying Burstly sends device information such as International Mobile Station Equipment Identity (IMEI), kernel version, phone manufacturer, or phone model details as well as network operator information to a remote location.
Permissions required by Burstly:
ACCESS_WIFI_STATE
ACCESS_NETWORK_STATE
INTERNET
READ_PHONE_STATE
WRITE_EXTERNAL_STORAGE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
CALL_PHONE
CallDorado supplies CallerID and injects ads there. Mediator for Admob, Facebook, Smaato, inMobi, MoPub, Flurry … According to their „privacy policy“, collect e.g. IP, DeviceID, IMEI, MAC, CallNumbers (in/out) w/ call statistics, location, contact lists, user interactions with ads. Data is shared with „sub-suppliers“ (i.e. the other networks mediated for), and possible other „third parties“ not specified in detail. User implicitly agrees by „using the Services“.
Permissions required by CallDorado:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
WRITE_EXTERNAL_STORAGE
RECEIVE_BOOT_COMPLETED
READ_CONTACTS
WRITE_CONTACTS
PROCESS_OUTGOING_CALLS
SYSTEM_ALERT_WINDOW
When an ad is served through our Online Services, we may collect the following from your end users' devices: bundle ID, language ID, operating system version, device model, software developer kit (SDK) version, unique device identifier, IP address, and Media Access Control (MAC) address. In addition, when an end user accesses a video ad, we may collect additional stats about videos and video playback such as: start/boot-up information, amount played/session length information, memory on device used for our video cache, videos cached on a device and complete view event. We identify an end user’s device using Chartboost’s internal device ID, which is linked to an end user’s Apple IDFA, Google Advertising ID (GAID), or Android ID, as applicable.
[…] We also receive information about end users from advertisers or advertising services companies such as mobile device identifiers, IP addresses, website cookie information and usage data. We combine the information we collect about end users with additional demographic, geolocation and interest-based segment data, along with cookie information, from third-party providers.
[…] The information shared with these third parties may be used, among other things, for industry analysis, tracking ad conversions or demographic profiling. […] Finally, we may share aggregate or anonymous information about you or your end users with advertisers, publishers, business partners, sponsors, and other third parties.
(source: Chartboost Privacy Policy)
** Permissions required by Chartboost:**
INTERNET
ACCESS_NETWORK_STATE
WRITE_EXTERNAL_STORAGE
ACCESS_WIFI_STATE
READ_PHONE_STATE
Quoting from Wikipedia:
DoubleClick is often linked with the controversy over spyware because browser HTTP cookies are set to track users as they travel from website to website and record which commercial advertisements they view and select while browsing. DoubleClick has also been criticized for misleading users by offering an opt-out option that is effectively useless. According to a San Francisco IT consulting group, although the opt-out option affects cookies, DoubleClick does not allow users to opt out of IP address-based tracking. DoubleClick and MSN were shown serving malware via drive-by download exploits by a group of attackers for some time in December 2010.
DoubleClick, together with several other advertisers, is also known to not respect users' privacy wishes – as e.g. reported by MediaPost in an article in 8/2016.
Also see:
Permissions required by DoubleClick:
INTERNET
ACCESS_NETWORK_STATE
inMobi has a history of intruding privacy – be it annoying popup ads, or tracking your whereabouts. You should definitely keep your fingers off apps using inMobi while having access to your microphon and/or calendars. Background readings:
According to A Measurement Study of Tracking in Paid Mobile Applications, inMobi is one of the two ad networks collecting most user data. Further, Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission (2014, PDF) reports it collecting WiFi APs in reach and sending those data home.
In addition, Is Smartphone App Privacy Groundhog Day for Regulators? notes:
More alarming were two other ad libraries, mOcean and Inmobi, that were able to make phone calls from users’ phones without any prior interaction with the user. Inmobi could also send SMS texts without notifying the user.
Investigating User Privacy in Android Ad Libraries points out:
The mOcean and Inmobi ad libraries contain functionality to start phone calls and add events to a user’s calendar without user interaction. Additionally, mOcean can send SMS messages without user interaction. These largely undocumented “features” are quite alarming.
Permissions required/used by inMobi:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
ACCESS_WIFI_STATE
CHANGE_WIFI_STATE
READ_LOGS
VIBRATE
RECORD_AUDIO
WRITE_EXTERNAL_STORAGE
ACTIVITY_RECOGNITION
READ_CALENDAR
WRITE_CALENDAR
Like Flurry, this one was known for ads appearing out of context – e.g. as popups, in the notification bar, as icons on the desktop. At the same time the boss of LeadBolt says „his company takes privacy seriously“ (to me that looks like a missing comma: „takes privacy, seriously“, i.e. away). Furthermore, quoting Hyphenet (emphasis mine):
AirPush and Leadbolt have gained quite a poor reputation for their “aggressive marketing practices,” which include placing ads to the notification/status bar, placing ad-enabled search icons on your mobile desk, and collecting user information.
Which confirms my suspicion. McAfee remarks:
We found that Adsmogo and LeadBolt are two ad libraries that we found seldom appear without malware.
Even more cause for caution – though it admits exceptions. LeadBolt is the worst offender when it comes to invading your privacy. In the same report: 50% of the time, LeadBolt is associated with Malware.
Permissions required by LeadBolt:
INTERNET
ACCESS_NETWORK_STATE
In addition to information available via those two permissions, LeadBolt encourages developers to also transmit e.g. age and gender of their users. I'm not sure whether it also transmits additional information made available by its „host app“ and the permissions available to that.
LiveRail belongs to Facebook, and serves video ads. Q3 2014 Internet & Digital Media Market Snapshot points out:
[LiveRail] Drives user engagement and ad revenue by combining Facebook's collection of user data with LiveRail's targeting technology.
Facebook seems to combine here, suggests a Study on future trends and business models in communication services:
We do note that Facebook uses three types of advertising platforms: LiveRail specialises in video ads, Atlas focuses on cross-device advertising, and Audience Network allows advertisers to run Facebook ads on other mobile apps.
According to this report, LiveRail was shut down in 2016 – though it's still reported as if alive in 11/2017 (but their hosts no longer resolve).
Data Mining Mobile Devices, page 71:
Millenia Media´s MYDAS technology engine leverages unrefined user data and aggregates it into actionable audience profiles based on key behavior, location and content trends. These profiles, when coupled with multiple layers of mobiles data, create specific and targetable audiences for advertisers via app.
According to A Measurement Study of Tracking in Paid Mobile Applications, Millennia Media a.o. collects your location, AndroidID, IMEI, OS build info, connectivity info, operator info.
Permissions required by Millennia Media:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
ACCESS_FINE_LOCATION
WRITE_EXTERNAL_STORAGE
NFC
BLUETOOTH
WRITE_CALENDAR
VIBRATE
RECORD_AUDIO
MWR Security revealed that a one-off app it built sent text messages from the user's phone, their call log and contacts' details to an advertising company called MobClix, which has not responded to comment requests.
(Android app permissions silently duplicated to advertisers)
That is, if the host app has requested the corresponding permissions. The Addon itself, according to instructions, doesn't explicitly require them. Moreover, Mobclix is reported to give running ads access to smartphone data/APIs.
Mobclix was renamed to Axonix around 2014.
Permissions required by Mobclix:
INTERNET
ACCESS_NETWORK_STATE
MobFox belongs to Matomy. It also absorbed mAdserver. From MobFox's Terms of Service:
Matomy collects personal information from mobile applications and devices, subject to permission, such as your gender, age, location and other attributes. Further collected data includes your device attributes (such as model, make, device agent details, device ID) and traffic/session information, including session durations, IP address and additional activity information. Matomy may use additional users’ statistical analysis-driven data, such as your age group, areas of interest and general location.
Matomy uses this information to analyze trends, understand users’ activities and gather demographic information to enable, manage and develop its interest-based ads related services, and share data with affiliates and business partners.
Matomy retains your information in accordance with Matomy’s legitimate business purposes for processing the information. Thereafter the data is removed, archived for restricted legitimate interests, or anonymized. Non-identifying information may be kept without time and use limitations.
They offern an opt-out and speak of „anonymizing PII“ – but as usual, an opt-in and not collecting PII in the first place would be the better privacy choice.
Permissions required by MobFox:
INTERNET
ACCESS_NETWORK_STATE
According to MobileAppScrutinator, mobileCore collects and sends AndroidID, IMEI and WiFi-MAC address to their servers in clear-text. Their privacy policy outlines collected information may include
version of the SDK available as part of the Developer Apps that are installed on your users’ device, information regarding their device, their Android advertising identifier and/or IDFA, as applicable, their IP address, their device’s operating system details and Media Access Control (MAC) address and other statistical and technical information […] third parties applications installed on your users’ device, their age and gender
Further it states:
We may share your and/or the users’ information with third parties with whom we have a strategic relationship, such as advertisers. We currently use Amazon Web Services, Inc. servers to process your information.
It also says they store the information „password-protected/encrypted“ – and you can request your data stored there to be deleted, to which they'll comply within 30 days.
Permissions required by mobileCore:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
WRITE_EXTERNAL_STORAGE
WAKE_LOCK
Owned by Cheetah Mobile – which alone already makes it suspicious. Their RTB Privacy states it collects e.g. names, physical addresses, email addresses, telephone, information stored within your Device and other information you transmit or receive using the Service – but also claims to not share any end-users Personal Information.
As with other mobile optimising businesses like Onavo (which Facebook acquired), products like Clean Master, CM Browser (a light internet browser) and Battery Doctor (a smartphone battery life extending app for iOS and Android) give Cheetah a large trove of data about mobile usage.
Matching this up with MobPartner’s business will give the latter product far greater reach and potential. While Cheetah has already been trying to do this, MobPartner will provide a more effective front end suite of services to utilize this data.
(Cheetah Mobile Buys MobPartner For M As Ad Tech Consolidates, 03/2015)
Cheetah Mobile does not play fair. Many of their apps are bogus. So they claim their app Clean Master drastically improves your mobile's performance. But in two interviews they fail to proof or even explain that „fact“. On the other hand they are fast to discredit competition:
Apus said in July it was taking legal action in China against the company for unfair competition. It claimed that two of Cheetah Mobile's utility apps were misleading users into uninstalling the Apus launcher app by portraying it as more resource-consuming and battery draining than it in fact is. […]
(Chinese app developer Cheetah Mobile throws down gauntlet to mobile advertising platforms, 8/2015)
So don'*t even expect their ads to be fair – and even less their dealing with your data.
Permissions required by MobPartner:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
WRITE_EXTERNAL_STORAGE
Is Smartphone App Privacy Groundhog Day for Regulators? notes:
More alarming were two other ad libraries, mOcean and Inmobi, that were able to make phone calls from users’ phones without any prior interaction with the user. Inmobi could also send SMS texts without notifying the user.
Investigating User Privacy in Android Ad Libraries writes:
The mOcean and Inmobi ad libraries contain functionality to start phone calls and add events to a user’s calendar without user interaction. Additionally, mOcean can send SMS messages without user interaction. These largely undocumented “features” are quite alarming. […]
From the mOcean ad library, we were able to initiate a phone call to an arbitrary number with no user interaction. An attacker could monetize this exploit by initiating phone calls to 0900 numbers on victims’ devices. We were also able to obtain the device’s location and start the email application with a pre-populated address, subject, and message from the mOcean ad library.
Permissions required by mOcean:
INTERNET
ACCESS_NETWORK_STATE
READ_PHONE_STATE
CAMERA
CALL_PHONE
WRITE_EXTERNAL_STORAGE
READ_CALENDAR
WRITE_CALENDAR
SEND_SMS
READ_LOGS
ACCESS_FINE_LOCATION
Moolah seems to belong into the same category as Airpush and LeadBolt, as e.g. Mobile ads can hijack your phone and steal your contacts points out:
Other ad networks Lookout considers aggressive include Moolah Media and Leadbolt, which publish apps for both Android and iOS.
Attack of the covert commercials complements that by:
Lookout, a mobile-security company, has analysed Google's Android ecosystem and spotlighted ten ad providers, including Moolah Media (which did not respond to requests for comment) and LeadBolt, that use one or more monetisation strategies it considers “aggressive”. These include making ads appear outside apps (for instance, in the notification bar usually reserved for a person's text messages); altering mobile desktops and browsers so that, among other things, new icons appear that display ads when they are clicked on; and gaining access to personal information without giving a clear warning.
Permissions required by Moolah:
INTERNET
ACCESS_NETWORK_STATE
WRITE_EXTERNAL_STORAGE
ACCESS_FINE_LOCATION
ACCESS_COARSE_LOCATION
READ_CALENDAR
WRITE_CALENDAR
MoPub is a „mediator“, i.e. it acts as a gateway to several other ad networks. Like RevMob, which was already mentioned on this page. MoPub is owned by Twitter. And of course closely interacts with it. You certainly don't wonder that it's tracking you across devices even. How that might work? See the links below.
What data MoPub collects can be seen by an example URL given by the first document linked. To make it clearer, I've split it up:
http://ads.mopub.com/m/ad?v=8
: Unencrypted (note the http://
)
&udid=ifa:90E*****CC9-4**C-B7B8-6D24*****B54
: the device ID (here sanitized)
&id=agltb3B1Yi1pbmNyDAsSBFNpdGUYorkhDA&nv=1.17.2.0
:
&q=m_gender:m,m_age:21
: gender and age
&o=p&sc=2.0&z=0400
&ll=40.69770885046903,-73.99321115040379
: location (longitude and latitude)
&lla=65&mr=1&ct=2&av=2.2.2
&cn=Verizon&iso=us&mnc=480&mcc=311
: mobile carrier data
&dn=iPhone7%2C2
: device brand/model
Also see Details described for AdMarvel on „enabling malicious ads to steal data“. As an additional risk, MoPub often uses unsafe connections.
Permissions required by MoPub:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
WRITE_EXTERNAL_STORAGE
RevMob was caught transferring PII (Personal Identifying Information) without
asking for the user's consent, at which place Google even banned apps using
their SDK from the Play Store – probably the only reason for their fixing
that specific issue. To find out what it accesses, even the developer
documentation, you first have to register with your personal details – which is
why the permissions list below was posted to a Gist for easier access. Requiring
the READ_PHONE_STATE
permission suggests
they still want to get to your device identifications (IMEI, serial etc.). And so
this analysis confirms that AndroidID, IMEI and Device Serial are sent to
their servers.
Further readings:
Permissions required/used by RevMob:
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
INTERNET
READ_PHONE_STATE
The name essentially says it: this adware replaces your „ring, ring“ by audio ads. A softpedia article describes:
Furthermore, the advertisements played back to the user should stop when the person who's being called answers, but that doesn’t always happen. In some cases, the ad is played during the call, making conversation nearly impossible.
An annoying thing about the post-call sellAring ads is that they remain on screen for over a minute, making the task of making quick phone calls more difficult.
Although sellAring claims that it’s not collecting any user information, in reality, researchers have found that IMEI and MEID are collected. Last, but not least, Android applications bundled with sellAring eat up a lot of the device’s resources.
While I couldn't find which permissions it exactly requires (except for
CALL_PHONE
and PROCESS_OUTGOING_CALLS
), an XDA
post
points out:
Sellaring is annoying for users and requieres alot of permission which leads to the thing that some users title apps with sellaring as spyware / malware.
A quick search didn't reveal any horror stories, but a look at the requested permissions might let your hair stand on end:
Permissions required/used by Smaato:
INTERNET
ACCESS_NETWORK_STATE
READ_PHONE_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
READ_CALENDAR
WRITE_CALENDAR
WRITE_EXTERNAL_STORAGE
StartApp can get quite intrusive: popups, search icon on your homescreen, affecting the performance of your apps… And besides it sends quite a few of your private data home to its makers: IP, AndroidID, carrier, app details, device manufacturer, location, IMEI. So better avoid it.
Permissions required by StartApp:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
Optional (but „highly recommended for better performance“):
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
BLUETOOTH
RECEIVE_BOOT_COMPLETED
Again an advertiser that's relatively unknown, and not much to find about. But the permission list is alarming:
Permissions required by Tap for Tap:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
WRITE_EXTERNAL_STORAGE
GET_TASKS
GET_ACCOUNTS
ACTIVITY_RECOGNITION
CALL_PHONE
WAKE_LOCK
GCM
Networks like Tapjoy and Flurry’s AppCircle pay app publishers for sending traffic, registrations, and in some cases installations to other app publishers.
This means those libraries will unnecessarily eat your data (sending traffic) and might lead to unwanted app installs. Moreover, in 1/2017, TapJoy, AdColony, Chartboost, Vungle, IronSource, InMobi, and others faced a lawsuit for exporting personal data without asking first.
People also experienced Tapjoy adding pictures to their gallery and other nasty stuff.
Only recently (11/2017), Tapjoy stopped collecting the IMEI and removed the
READ_PHONE_STATE
permission requirement – despite of having
already in 11/2014 to have
switched to the GAID.
Permissions required by Tapjoy:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
Of course, this again is all about vast amounts of user data, as officially admitted. How those are acquired can be guessed by the permissions needed. Examples? From the linked article:
If Tencent knows that a user is planning a vacation to the United States in a month’s time, for example, an advertiser can use that information to target campaigns in the weeks leading up to the trip.
Well. That sounds like they respect your privacy, right?
Permissions required by Tencent Social Ads:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
READ_PHONE_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
WRITE_EXTERNAL_STORAGE
RECORD_AUDIO
According to Threadpost, Heise and others, a lawsuit was filed against a.o. Upsight for violating COPPA (having collected PII of children).
Permissions required by Upsight:
INTERNET
ACCESS_NETWORK_STATE
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
GCM
VServ is not only excessive concerning permissions it officially uses – but also reported to use more than those when found. By the permissions it's known to use, it can safely be assumed aggressively burgling into your privacy:
Permissions required by VServ:
INTERNET
ACCESS_COARSE_LOCATION
ACCESS_WIFI_STATE
WRITE_EXTERNAL_STORAGE
READ_PHONE_STATE
WRITE_CALENDAR
READ_CALENDAR
CALL_PHONE
[USE_CREDENTIALS]
WRITE_CONTACTS
READ_CONTACTS
SEND_SMS
ACCESS_FINE_LOCATION
YouMi has been reported to have secretly sent user data to their servers – even without the app developers knowing. Those data included user information, device IDs, apps installed and more.
Computer Science & Information Technology reports in a study, using their malware vetting system DMIA:
For apps using [the YouMi] SDK, the proportion of malware in is much higher than others. Especially, almost all of the app texts containing youmi.com are judged to be abnormal by DMIA. So we suspect that the issue is in Youmi SDK. We download Youmi SDK from its official website and program a demo app according to its instructions. Then we test this demo with DMIA. And we get a total of 3221 lines information, of which 153 line involving private API. But it had unauthorized network transmission only when starting the app, and the requests at the rest of the time are all normal.
The iRiS project had similar findings:
To verify our concern, we downloaded the library, built a dummy application with it and analyzed the application using iRiS. As we expected, the application exhibited similar behavior to APPs and sent user information to this advertisement service provider. It is worth noting that in the advertisement serving library, the Objective-C class names and method names are all obfuscated to random meaningless strings, probably to thwart the effort of manual analysis.
Though the above was reported on iOS, it's not restricted to that. MalwareTips asks: What can an advertising SDK do to steal your privacy? – and answers it, based upon the YouMi SDK, with a 10 item list, including: get a list of all apps installed, a list of all running processes (what are you doing), which apps you're using right now, which apps you've recently used, gather app usage details, get your location, your device's IMEI, AndroidID, MAC address. So it can track your device across apps and sessions, while collecting information on you.