A report on Android apps that do location tracking identified 450 apps that use tracker SDKs. Many of them embed an SDK called X-Mode, which Apple and Google have banned, yet many of those apps are still in Google’s Play Store.
X-Mode, based in Reston, Virginia in the US, is a broker for location data. The pitch to developers is that by embedding the X-Mode libraries in their apps, they get a revenue stream that is not dependent on showing ads. “You can earn $10K or more a month by contributing to our Premium Location Data Platform,” its website boasts.
That data is then licensed to third parties with X-Mode claiming to cover more than 25 per cent of the US adult population and up to 10 per cent in 11 other countries including the UK, Canada, Australia, Spain, Italy and France.
Use cases presented on X-Mode’s site include validating whether a customer visited a store after seeing an ad online (unlikely in lockdown), and targeting customers who have been in a Best Buy, Apple or T-Mobile store with ads for phone warranties. Another example monitors the geolocation data to work out driver behaviour and speed, and presents it as an opportunity for insurance companies to “build better risk models around aggregated driving data.”
X-Mode has said that it has “automated privacy compliance”, targets the device rather than the person, and does not collect personally identifiable information such as names or emails. These assurances were not enough for Apple and Google, who in early December last year required developers to remove X-Mode from their apps or be banned from their app stores. According to the Wall Street Journal, Google gave developers seven days to remove X-Mode, while Apple specified two weeks.
Most X-Mode-using apps still in Google Play after ban
New research conducted by Sean O’Brien at ExpressVPN, assisted by the Paris-based Defensive Lab Agency, has detected location tracking SDKs (Software Development Kits) in 450 Android apps at the end of January, 44 per cent of which used the supposedly banned X-Mode code. “Only 10 per cent of these apps have been removed from Google Play [after the ban],” the researchers said.
The apps are said to have been downloaded “at least 1.7 billion times.” Specific targets appear to include Muslim audiences and also dating and social apps.
It is not safe to conclude that all these apps have nefarious intent, however. “App developers have decided to include tracker SDKs in apps for a variety of reasons, and we do not categorize all usage of trackers as malicious or condemn the app authors,” said the researchers, who also believe that the “complexity and pace” of software development means that trackers may sometimes end up in apps without the developers realising it.
The detailed findings are on GitHub.
The X-Mode libraries are not standalone but reference other providers which have access to “beacons”, installations at known locations which communicate with nearby mobile devices. For example, a beacon may use BLE (Bluetooth Low Energy) advertising to broadcast its presence to nearby smartphones.
A smartphone app with access to Bluetooth can pick up that the beacon is nearby and report that data. No pairing or other communication with the beacon needs to take place. These other providers include Placed (owned by Foursquare), Sense360, Wireless Registry, BeaconsInSpace, and OneAudience.
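To make the beacon mechanism concrete, here is an added example (not code from the article or the ExpressVPN report) that parses a BLE advertisement in the widely used iBeacon layout, which is one assumed beacon format among several, and maps the beacon identity to a venue from a constructed lookup table. Nothing is sent to the beacon: the fields a data broker needs are all in the broadcast.

```python
# Added example: a passive BLE scan in iBeacon layout is enough to place a
# device at a known venue. The advertisement, venue table and names here are
# constructed for illustration, not taken from X-Mode or its partners.
import struct
from typing import Optional

# Constructed advertising payload: Flags AD structure, then a manufacturer-
# specific AD structure (0x1A len, 0xFF type, 0x004C Apple ID little-endian,
# 0x02 0x15 iBeacon sub-type/len, 16-byte UUID, major, minor, TX power at 1 m).
SAMPLE_ADV = bytes.fromhex(
    "020106"
    "1aff4c000215"
    "e2c56db5dffb48d2b060d0f5a71096e0"
    "0001" "0042" "c5"
)

# Constructed venue table keyed by (uuid, major, minor); a broker would
# maintain something like this for every beacon installation it knows.
VENUE_TABLE = {
    ("e2c56db5-dffb-48d2-b060-d0f5a71096e0", 1, 66): "Example Electronics, Store #1, entrance",
}

def parse_ibeacon(adv: bytes) -> Optional[dict]:
    """Walk the AD structures; return the iBeacon fields if present, else None."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            return None  # padding or truncated structure: stop, never over-read
        ad_type = adv[i + 1]
        data = adv[i + 2 : i + 1 + length]
        i += 1 + length
        # Manufacturer-specific data carrying the Apple iBeacon prefix.
        if ad_type == 0xFF and len(data) == 25 and data[:4] == b"\x4c\x00\x02\x15":
            raw_uuid, major, minor, tx_power = struct.unpack(">16sHHb", data[4:])
            h = raw_uuid.hex()
            uuid = f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
            return {"uuid": uuid, "major": major, "minor": minor, "tx_power": tx_power}
    return None

def locate(adv: bytes, rssi: int) -> Optional[str]:
    """Return the venue a sighting implies, or None if the beacon is unknown."""
    b = parse_ibeacon(adv)
    if b is None:
        return None
    venue = VENUE_TABLE.get((b["uuid"], b["major"], b["minor"]))
    if venue is None:
        return None
    # Received signal strength versus the calibrated 1 m power gives a rough proximity hint.
    proximity = "near" if rssi >= b["tx_power"] - 10 else "far"
    return f"{venue} ({proximity})"
```

Every field the lookup depends on is readable by any app that holds the Bluetooth scan permission, which is why Android ties that permission to location access.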
The conclusion of the ExpressVPN report is that “we identified evidence of the ubiquity of location tracking SDKs in a wide range of consumer apps” and that the banning of certain trackers from app stores was not effective (though no evidence is presented for apps on Apple’s platform).
This raises many questions. Although the report readily references press articles on such matters as police, military and intelligence services abusing location data, it does not present direct evidence of this, nor attempt to work out which apps have hidden or unreasonable behaviour beyond the use of the banned X-Mode libraries.
O’Brien said the goal is to educate consumers on “how their use of certain apps may have privacy and security implications” and to encourage users to consult the list of apps and consider removing them or limiting their permissions.
Location ‘necessary’ for more than you realise
The ExpressVPN guide to smartphone security, though, will leave privacy-conscious users with a sense of hopelessness.
For example, one of the tips is to turn Bluetooth off: a good suggestion, but one that also means not using wireless headphones. Google has complicated the issue around location permissions by requiring that apps which scan for Bluetooth devices also have access to full Location Services, and that Google’s Location Services be running. This is justified on the grounds that it makes users more aware that location may be revealed via Bluetooth, but it also means that users grant apps broader location permissions than they may wish, simply to get them working at all.
“The fact that Android requires FINE location and background permissions to do this on the latest version has proven to be a great headache. The idiots reject my app because of this, yet the app does not need location info or care about location,” complained one developer.
We have asked Google for comment.
Location data does, of course, have many legitimate uses of great value to users, such as mapping and local search. This means that even privacy advocates such as the Electronic Frontier Foundation merely state that we “work to ensure that location based service providers don’t abuse the information they collect on their customers or hand it off to other companies or the police without consent or probable cause.”
Protecting privacy with a smartphone is easy: Turn off the Wi-Fi, turn off the Bluetooth, and remove the SIM card. Unfortunately devices so configured are of little use. What remains is regulation and the behaviour of entities such as vendors of trusted applications, mobile operators, Google and Apple. ®