Some of the world’s most popular apps are likely to be co-opted by unscrupulous members of the ad industry to collect sensitive location data on a massive scale, with that data ending up in a location data company whose subsidiary has already sold global location data to US law enforcement.
The thousands of apps included in Gravy Analytics’ hacked files include everything from games like Candy Crush and dating apps like Tinder to pregnancy trackers and prayer apps on both Android and iOS. Because most of this collection is done through the ad ecosystem — not code created by the app creators themselves — this data collection is likely done without the knowledge of users or even app developers.
“For the first time publicly, it appears we have evidence that one of the largest data brokers selling to commercial and government customers appears to be using its own data from the ‘suggestion stream’ of online ads, rather than the code embedded in the applications themselves,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who has followed the location data industry closely, told 404 Media after reviewing some of the data.
The data offers a rare glimpse into the world of real-time bidding (RTB). Historically, location data companies paid app developers to add bundles of code that collected their users’ location data. Many companies have instead turned to sourcing location data through the advertising ecosystem, where companies bid to place ads within apps. But a side effect is that data brokers can listen to that process and discover the location of people’s cell phones.
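The exposure described above can be checked from the publisher side. The following is an added example, not code from 404 Media or from the leaked files: it audits an outgoing bid request for fields that place a device and returns a minimized copy. It assumes the request follows OpenRTB 2.x field names (`device.geo`, `user.geo`, `device.ifa`, `device.ip`), a format the article does not name; the sample request and the `audit`/`minimize` helpers are constructed for illustration.

```python
import copy

# Constructed sample shaped like an OpenRTB 2.x bid request; all values are made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.game"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 40.741895, "lon": -73.989308, "type": 1},  # type 1 = GPS
    },
    "user": {"geo": {"lat": 40.7419, "lon": -73.9893, "type": 1}},
}

def _geos(req):
    """Yield (path, geo object) for every place the request carries coordinates."""
    for path, parent in (("device.geo", req.get("device", {})),
                         ("user.geo", req.get("user", {}))):
        geo = parent.get("geo")
        if geo and "lat" in geo and "lon" in geo:
            yield path, geo

def audit(req, decimals=1):
    """List the fields that would let a bid-stream listener place this device."""
    findings = [f"{path}: coordinates finer than {decimals} decimal place(s)"
                for path, geo in _geos(req)
                if any(round(geo[k], decimals) != geo[k] for k in ("lat", "lon"))]
    device = req.get("device", {})
    if device.get("ifa"):
        findings.append("device.ifa: persistent advertising ID")
    if device.get("ip") and not device["ip"].endswith(".0"):
        findings.append("device.ip: full IPv4 address")
    return findings

def minimize(req, decimals=1):
    """Return a copy with coordinates coarsened, the ad ID dropped, IPv4 truncated."""
    out = copy.deepcopy(req)
    for _, geo in _geos(out):
        geo["lat"] = round(geo["lat"], decimals)  # 0.1 degree of latitude is about 11 km
        geo["lon"] = round(geo["lon"], decimals)
    device = out.get("device", {})
    device.pop("ifa", None)
    if "ip" in device and ":" not in device["ip"]:  # IPv4 only in this sketch
        device["ip"] = device["ip"].rsplit(".", 1)[0] + ".0"
    return out

if __name__ == "__main__":
    print(audit(SAMPLE_BID_REQUEST))
    print(audit(minimize(SAMPLE_BID_REQUEST)))
```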
“This is a nightmare scenario for privacy because not only does this data breach involve data being removed from RTB systems, but some companies are out there acting like a global badger and doing whatever they want with whatever data they get,” Edwards says.
Gravy’s hacked data included tens of millions of mobile phone coordinates of devices in the US, Russia and Europe. Some of these files also name an app next to each piece of location data. 404 Media extracted the names of the apps and made a list of the apps mentioned.
This list includes the dating sites Tinder and Grindr; huge games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles and Spells; the Moovit transportation app; My Period Calendar & Tracker, a period tracking app with over 10 million downloads; the popular fitness app MyFitnessPal; the Tumblr social network; the Yahoo email client; the Microsoft Office 365 application; and the Flightradar24 flight tracker. The list also mentions numerous religious apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps that some users may download, ironically, to protect their privacy.
The full list can be found here. Several security researchers have published other lists of apps in the data of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicates of the same app with slight name changes to make it easier for readers to find the apps they have installed.
Although this dataset was obtained from an apparent Gravy hack, it is unclear whether Gravy collected this location data itself or obtained it from another company, or which location company ultimately owns it or has permission to use it.