A controversial location tracking SDK is present in hundreds of Android apps despite Apple and Google bans. Data broker X-Mode’s tracking software was banned from the world’s two largest app stores in 2020 because of the company’s connections with government agencies. However, a new study by the ExpressVPN Digital Security Lab found that only 10% of the apps that previously used it have removed it so far.
ExpressVPN found 199 apps currently listed on Google Play that still use X-Mode. Together, these apps have been downloaded over a billion times. X-Mode made news in November when it was discovered in a Muslim prayer and Quran app that had been downloaded 98 million times.
Controversial location tracking SDKs are still widely used despite increased scrutiny and bans
Called “Investigation Xoth,” the ExpressVPN study looked at a number of software development kits (SDKs) that developers commonly use to add location tracking functionality to their apps. While SDKs are generally harmless, they can pose a particular privacy concern because they are so deeply embedded in app code that it is difficult for app stores’ gatekeeping mechanisms to identify them and determine exactly what they are doing.
ExpressVPN security researchers identified a number of location tracking SDKs with suspicious features, including X-Mode. These “tracker SDKs” are sometimes included in apps without the app developers being aware of the full range of privacy-compromising functions they contain, or of whom exactly they pass user data to. Such was the case with X-Mode, which developers had been using since 2013 without knowing that the company collected identity and location data and sold it to U.S. military and government organizations (investigative reports were published in late 2020). X-Mode has come under fire for its use in Muslim Pro, a popular app that uses the user’s location to determine the direction of Mecca.
While the ExpressVPN study doesn’t name any Apple apps, that is not because they were tested and found clean. The study was limited to Android apps, as there are technical and legal barriers to unpacking apps from the Apple App Store to a sufficient degree. However, apps that still contain X-Mode (and other location tracking SDKs) are available in both the Android and Apple stores.
Data brokers who benefit from secretly collecting personal data
Because of its notoriety, ExpressVPN researchers made X-Mode a special focus of this research. Aside from passing identity and location data to government agencies without user knowledge, these location tracking SDKs sometimes leak data to unknown data brokers, who in turn relay it to unknown customers. The investigation revealed, for example, a new component of the X-Mode SDK that led to five previously unknown entities to which data is passed: Foursquare subsidiary Placed, audience-profiling data brokers Sense360 and OneAudience, Wi-Fi mapping service SignalFrame, and SDK developer (and location data broker) BeaconsInSpace.
Two of these hidden data broker partners are particularly controversial. SignalFrame received a US Air Force grant to develop software that could be embedded in phones for eavesdropping. And OneAudience has been banned from Facebook and Twitter (among others) and sued over shady data collection practices reminiscent of the Cambridge Analytica scandal. OneAudience has been hit by high-profile lawsuits (including one involving Facebook) and was supposed to have shut down its SDK in November 2019.
ExpressVPN found communication code in some apps linking X-Mode to a number of these partners, including seven more apps specifically marketed to Muslim users. However, these questionable location tracking components and connections to data brokers are by no means limited to prayer apps and religious profiles. ExpressVPN notes that markers for these questionable SDKs are most commonly found in social and dating apps that target specific user demographics or countries. Video and file converters were also among the apps using X-Mode, a category that should have no reason to need detailed location data other than covert profiling and tracking.
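The “markers” mentioned above are, in practice, the package names of the SDK’s classes and the hostnames of its collection endpoints left in an app’s compiled code. The following scanner is an added example (not ExpressVPN’s tooling and not X-Mode’s code) of how an app developer or auditor can check their own build for a bundled tracker SDK. It takes a class list and string constants such as an analyst would extract from an APK’s DEX files; here both are constructed inline. The signature prefixes and hostnames are assumptions modelled on how community tracker databases describe SDKs and must be verified against a maintained source before use.

```python
"""Static scan for known tracker SDKs in an Android app's decompiled artefacts.

Added example (not ExpressVPN's or X-Mode's code). Inputs are the class names
and string constants an analyst extracts from an APK's DEX files; both are
constructed inline here so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Set

@dataclass(frozen=True)
class TrackerSignature:
    name: str
    package_prefixes: tuple   # Java package prefixes the SDK's classes live under
    host_patterns: tuple      # regexes for the SDK's collection endpoints

# ASSUMPTION: illustrative signatures only. The prefixes and hostnames are
# placeholders modelled on how community tracker databases (e.g. Exodus
# Privacy) describe SDKs; verify against a maintained source before relying on them.
SIGNATURES = (
    TrackerSignature("X-Mode", ("io.xmode.",), (r"\bxmode\.io\b",)),
    TrackerSignature("OneAudience", ("com.oneaudience.",), (r"\boneaudience\.com\b",)),
)

def scan_classes(class_names: Iterable[str], signatures=SIGNATURES) -> Dict[str, Set[str]]:
    """Map tracker name -> app classes that sit under one of its package prefixes."""
    hits: Dict[str, Set[str]] = {}
    for cls in class_names:
        for sig in signatures:
            if any(cls.startswith(prefix) for prefix in sig.package_prefixes):
                hits.setdefault(sig.name, set()).add(cls)
    return hits

def scan_strings(strings: Iterable[str], signatures=SIGNATURES) -> Dict[str, Set[str]]:
    """Map tracker name -> string constants (URLs, hosts) matching its endpoint patterns."""
    hits: Dict[str, Set[str]] = {}
    for s in strings:
        for sig in signatures:
            if any(re.search(pat, s) for pat in sig.host_patterns):
                hits.setdefault(sig.name, set()).add(s)
    return hits

def assess(class_names, strings, signatures=SIGNATURES) -> Dict[str, dict]:
    """Combine both scans. SDK code plus a live endpoint is 'confirmed'; either
    alone is 'suspected' (a stale dependency or a shared hostname still merits a look)."""
    by_code = scan_classes(class_names, signatures)
    by_net = scan_strings(strings, signatures)
    result: Dict[str, dict] = {}
    for name in set(by_code) | set(by_net):
        classes, endpoints = by_code.get(name, set()), by_net.get(name, set())
        result[name] = {
            "confidence": "confirmed" if classes and endpoints else "suspected",
            "classes": sorted(classes),
            "endpoints": sorted(endpoints),
        }
    return result

# Constructed sample: a prayer-times app that bundles X-Mode. The Google Play
# Services location class shows that using location APIs alone is not flagged.
SAMPLE_CLASSES = [
    "com.example.prayertimes.MainActivity",
    "com.example.prayertimes.QiblaCompass",
    "com.google.android.gms.location.FusedLocationProviderClient",
    "io.xmode.xdk.Xdk",                       # constructed class under the assumed prefix
    "io.xmode.xdk.LocationService",           # constructed
]
SAMPLE_STRINGS = [
    "https://api.example.com/prayer-times",
    "https://ingest.xmode.io/v1/locations",   # constructed endpoint
]

if __name__ == "__main__":
    for name, info in sorted(assess(SAMPLE_CLASSES, SAMPLE_STRINGS).items()):
        print(f"{name}: {info['confidence']}")
        for c in info["classes"]:
            print(f"  class    {c}")
        for e in info["endpoints"]:
            print(f"  endpoint {e}")
```

Run against a real build by feeding `scan_classes` the class list a DEX inspection tool produces and `scan_strings` the string table; the two-signal rule keeps a lone hostname in a shared analytics library from being reported as a confirmed tracker while still surfacing it for review.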
Anurag Kahol, CTO and co-founder of Bitglass, shared some thoughts on how companies can protect themselves from inadvertently using services that feed questionable data brokers: “App developers are responsible to their users for obtaining explicit consent to exchange data and allowing them full control over their private information … In addition to violating users’ privacy, refusing to comply with data protection regulations like the CCPA can also result in heavy regulatory fines. To ensure compliance, companies can first get user consent and then equip themselves with DLP (Data Loss Prevention), MFA (Multi-Factor Authentication) and UEBA (User and Entity Behavior Analytics) functions. By implementing a strong security protocol, organizations can maintain visibility and control over data anywhere, while preventing data trackers from accessing users’ private information.”