Android versions of the popular cryptocurrency app Bitcoin Ticker Widget, and of Steemit Earn Money, which appears to be a clone of Steemit, included SDK (software development kit) tools that have extracted extensive data about users in the past, along with what appears to be location tracking code from X-Mode, a company notorious for data tracking, according to a new report from the ExpressVPN Digital Security Lab. Two other personal finance apps were also found to contain these data trackers.
“We wanted to tell consumers, ‘This is a big problem. You may not be aware of this,’” said Sean O’Brien, lead researcher at ExpressVPN Digital Security Lab. “While these apps are not all big brands, these apps have been downloaded 1.7 billion times in total and millions for each individual app. They run on people’s cell phones in their pockets. People use it for dating, social purposes, and finance, but they don’t know exactly how much data is being collected.”
Create personal data
While there are many companies out there that buy and sell access to location data obtained from unsuspecting phones, X-Mode came under scrutiny after its connections with government contractors and the military emerged.
In November 2020, Vice reported that X-Mode was getting detailed location data back from several Muslim prayer apps and then selling that data “to contractors and, more broadly, the military.”
This new report, a far larger study of the issue, found that 44% of the 450 apps analyzed contained X-Mode code, and that those apps had been downloaded at least a billion times.
“These apps are global and include health and weather apps, games and makeup photo filters,” the report said.
While Steemit Earn Money was only downloaded about 100 times, the Bitcoin Ticker Widget was downloaded over 1 million times.
In December, Apple and Google asked developers to remove X-Mode from their apps or face being banned from their app stores. By the end of January, the report said, many apps had not yet complied, which TechCrunch confirmed in at least one case.
In total, the study examined 450 Android apps for data trackers.
X-Mode SDKs and data brokers
SDKs are essential tools that developers can use to build apps faster and easier. That being said, these tools can contain code that is not required for the core functionality of an app. This additional code can track the location, extract data, and generally send information back to the creator of the SDK. This information can then be shared or sold to be used for a variety of purposes.
“There are code references to five data providers in the X-Mode SDK,” said O’Brien. “These are other companies that people loosely refer to as ‘data brokers’. Sometimes they actually sell data and sometimes they don’t. While these five companies are somewhat complex, they are basically well-known brands in this area of site surveillance.”
“What seems to be happening based on the contents of the code is that these data providers have some sort of business relationship with X-Mode, either current or past,” said O’Brien. “And when they are enabled in these apps, these providers also get some information from the app, which has the X-Mode SDK.”
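The "code references" O'Brien describes are the kind of evidence a static scan of an APK turns up: classes belonging to one SDK whose string constants name other vendors' packages. The following is an added example written for this article, not code from the ExpressVPN report or from any of the vendors named. The package prefixes (`com.example.locsdk`, `com.example.brokera`, `com.example.wifimap`), the class list and the per-class string constants are all constructed placeholders standing in for what a dex class listing and a decompiler would produce; the real vendors' identifiers are not used.

```python
"""Static scan of a decoded Android app for embedded tracker SDKs and for
cross-references between one SDK and other data providers.

Added example; signatures and samples below are placeholders, not the real
package names of X-Mode, OneAudience or Opensignal.
"""
from collections import defaultdict

# Assumed signatures: package prefix -> label. Placeholders only.
TRACKER_SIGNATURES = {
    "com.example.locsdk": "location SDK (placeholder for an X-Mode-style SDK)",
    "com.example.brokera": "data broker A (placeholder)",
    "com.example.wifimap": "Wi-Fi mapping provider (placeholder)",
}

# Constructed sample: fully qualified class names, in the shape a dex class
# listing (apkanalyzer, dexdump) prints them.
SAMPLE_CLASSES = [
    "com.ticker.app.MainActivity",
    "com.ticker.app.PriceService",
    "com.example.locsdk.LocationCollector",
    "com.example.locsdk.UploadWorker",
    "com.example.locsdk.partners.PartnerConfig",
    "com.example.brokera.AudienceClient",
    "androidx.core.app.ActivityCompat",
]

# Constructed sample: string constants per class, as a decompiler would show.
# Note the Wi-Fi mapper is referenced by name but ships no classes of its own.
SAMPLE_STRINGS = {
    "com.example.locsdk.partners.PartnerConfig": [
        "com.example.brokera.AudienceClient",
        "com.example.wifimap.Scanner",
        "partners_enabled",
    ],
    "com.example.locsdk.UploadWorker": ["https://collector.example.invalid/v1"],
    "com.ticker.app.PriceService": ["https://api.example.invalid/price"],
}


def vendor_of(name, signatures=TRACKER_SIGNATURES):
    """Return the signature prefix that owns a class name or string, or None.

    Matches on a full package boundary so that 'com.example.locsdkx.Foo'
    does not match the 'com.example.locsdk' signature.
    """
    for prefix in signatures:
        if name == prefix or name.startswith(prefix + "."):
            return prefix
    return None


def find_tracker_classes(class_names, signatures=TRACKER_SIGNATURES):
    """Group the app's classes by the tracker signature they belong to."""
    hits = defaultdict(list)
    for name in class_names:
        prefix = vendor_of(name, signatures)
        if prefix:
            hits[prefix].append(name)
    return {prefix: sorted(names) for prefix, names in hits.items()}


def find_partner_references(strings_by_class, signatures=TRACKER_SIGNATURES):
    """Find tracker code that names a different vendor's package.

    Returns {referencing_prefix: sorted list of referenced prefixes}. A
    reference with no matching classes shipped is still reported, since it
    points at a current or past integration.
    """
    refs = defaultdict(set)
    for cls, strings in strings_by_class.items():
        owner = vendor_of(cls, signatures)
        if owner is None:
            continue
        for s in strings:
            target = vendor_of(s, signatures)
            if target and target != owner:
                refs[owner].add(target)
    return {owner: sorted(targets) for owner, targets in refs.items()}


def report(class_names=SAMPLE_CLASSES, strings_by_class=SAMPLE_STRINGS,
           signatures=TRACKER_SIGNATURES):
    """Human-readable summary lines for an analyst."""
    lines = []
    for prefix, names in find_tracker_classes(class_names, signatures).items():
        lines.append(f"{signatures[prefix]}: {len(names)} classes present")
    for owner, targets in find_partner_references(strings_by_class, signatures).items():
        for target in targets:
            lines.append(f"{signatures[owner]} references {signatures[target]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real app the class list and string constants come from the decoded APK; the signature table is the part that has to be maintained, which is exactly the work projects that catalogue tracker SDKs do.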
OneAudience, Opensignal and location data tracking
OneAudience, which is included in both the Bitcoin Ticker Widget and Steemit Earn Money, was a “data broker” tracker referenced in the X-Mode code as part of the SDK. It was the subject of a ban and a data breach lawsuit by Facebook based on data collected by OneAudience’s SDK.
In February 2020, Twitter and Facebook said OneAudience had collected private data such as names, genders, emails, usernames and possibly recent tweets from people, to such an extent that it was compared to the Cambridge Analytica scandal. The SDK was shut down at the end of 2019.
Another data tracker, Opensignal, acts primarily as a WiFi mapper that can be used to determine the locations of users.
In its lawsuit against OneAudience, Facebook argued, according to Recode: “OneAudience has also paid apps to collect Google and Twitter information from users when they have logged into one of the vulnerable apps with their Google or Twitter account information.”
On shutting down the SDK that was the subject of the lawsuit, OneAudience said, “We were made aware that personal information from hundreds of mobile IDs may have been leaked to our OneAudience platform. This data should never be collected, never included in our database and never used.”
Opensignal’s business model, on the other hand, depends primarily on the use case of Wi-Fi mapping.
“The question is, how much of the Wi-Fi data are they drawing in?” asked O’Brien.
OneAudience did not respond to a request for comment. In response to a request for comment, Opensignal referred readers to its privacy charter.
A “rich amount” of personal information
Stepping back to look at the reporting and traffic from these apps, O’Brien has two main takeaways on the privacy impact.
“Usually the data isn’t processed very well,” he said. “And there is a huge amount of data that can be used to identify a person walking the line, even if location is the only stated reason the data is being collected.”
If you continue to use apps like the Bitcoin Ticker Widget and Steemit Earn Money, there are ways to limit the data tracking capabilities. O’Brien said users should go into Settings and review and revoke permissions on the app, particularly location permissions.
“That could mean the app becomes less functional or shows nagging screens asking for permission,” he said. “Otherwise, unfortunately, the only other step is to remove the app. If you are a California or [European Union] resident, you may need to take several other steps to request the deletion of information, or at least request a copy of the existing information.”
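The Settings review O'Brien recommends can be done more systematically from a computer with `adb`, which makes it practical to audit every installed app rather than one at a time. Below is an added example written for this article, not code from the report or from Google: it reads the permission section of `adb shell dumpsys package <pkg>` output and generates the `adb shell pm revoke` commands for granted runtime permissions on a watchlist. The dump text embedded here is a constructed excerpt in the shape that output takes on Android 10 and later, and `com.example.tickerwidget` is a placeholder package name, not the real app's.

```python
"""Audit an app's granted runtime permissions from `dumpsys package` output
and emit the adb commands to revoke the sensitive ones.

Added example. SAMPLE_DUMPSYS is a constructed excerpt; the package name is
a placeholder. Usage on a device:
    adb shell dumpsys package com.example.tickerwidget > dump.txt
    python3 this_script.py dump.txt
"""
import re
import sys

# Constructed sample: only the sections this script reads are included.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.tickerwidget] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.ACCESS_FINE_LOCATION
      android.permission.ACCESS_BACKGROUND_LOCATION
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=false, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
"""

# Runtime permissions worth revoking for a price ticker that has no need of them.
WATCHLIST = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
}


def package_name(dump):
    """Extract the package name from the 'Package [name] (hash):' header."""
    m = re.search(r"Package \[([\w.]+)\]", dump)
    return m.group(1) if m else None


def parse_runtime_permissions(dump):
    """Return {permission: granted} from the 'runtime permissions:' block.

    Only the runtime block is read: install-time (normal) permissions such
    as INTERNET cannot be revoked with `pm revoke`, so they are ignored.
    The block ends at the first line indented no deeper than its header.
    """
    granted = {}
    in_block = False
    block_indent = 0
    for line in dump.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "runtime permissions:":
            in_block, block_indent = True, indent
            continue
        if not in_block:
            continue
        if not stripped or indent <= block_indent:
            in_block = False
            continue
        m = re.match(r"(\S+): granted=(true|false)", stripped)
        if m:
            granted[m.group(1)] = m.group(2) == "true"
    return granted


def revoke_commands(dump, watchlist=WATCHLIST):
    """adb commands for every granted watchlist permission, in sorted order."""
    pkg = package_name(dump)
    perms = parse_runtime_permissions(dump)
    return [
        f"adb shell pm revoke {pkg} {perm}"
        for perm in sorted(perms)
        if perms[perm] and perm in watchlist
    ]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for cmd in revoke_commands(text):
        print(cmd)
```

`pm revoke` only applies to runtime (dangerous) permissions, which is why the parser deliberately skips the install-permissions block; as O'Brien notes, the app may then degrade or re-prompt, so the commands are printed for review rather than executed.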