Craig Silverman, BuzzFeed News:
Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.
Since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Four of these — Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus — were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple’s App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by BuzzFeed News. The companies said they continue to investigate.
Once installed, Sensor Tower’s apps prompt users to install a root certificate, a small file that lets its issuer access all traffic and data passing through a phone. The company told BuzzFeed News it only collects anonymized usage and analytics data, which is integrated into its products. Sensor Tower’s app intelligence platform is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps.
This is comparable to Facebook’s use of its Onavo VPN to spy on users’ app activity.
Joseph Cox and Jason Koebler, Vice:
Banjo, an artificial intelligence firm that works with police used a shadow company to create an array of Android and iOS apps that looked innocuous but were specifically designed to secretly scrape social media, Motherboard has learned.
Banjo did not have that sort of data access. So it created Pink Unicorn Labs, which one former employee described as a “shadow company,” that developed apps to harvest social media data.
But once users logged into the innocent looking apps via a social network OAuth provider, Banjo saved the login credentials, according to two former employees and an expert analysis of the apps performed by Kasra Rahjerdi, who has been an Android developer since the original Android project was launched. Banjo then scraped social media content, those two former employees added. The app also contained nonstandard code written by Pink Unicorn Labs: “The biggest red flag for me is that all the code related to grabbing Facebook friends, photos, location history, etc. is directly from their own codebase,” Rahjerdi said.
These are entirely separate events and companies, but the reports overlap in their descriptions of what can only be described as a worrying indifference to ethical norms. If the people running these companies have to cauterize their soul before work each day, perhaps they should treat that as a yelping klaxon that something is wildly wrong.
I expect to see more reports like these in the coming years as the country where similar companies are headquartered — and, consequently, where users’ rights are often contractually obligated — has yet to enact and enforce meaningful privacy rights.