
Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hacked to Spy on Your Location


Some of the world’s most popular apps are likely to be co-opted by members of the advertising industry to collect sensitive location data on a massive scale, with this data ending up with a location data company whose subsidiary has already sold global location data to US law enforcement.

The thousands of apps, included in the hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps on Android and iOS. Because most of the collection happened through the advertising ecosystem, not the code developed by the app creators themselves, this data collection likely happened without the knowledge of the users or even the app developers.

“For the first time publicly, we appear to have evidence that one of the largest data brokers selling to commercial and government clients appears to have acquired its data from the ‘offer stream’ of online advertising rather than code embedded in the applications themselves,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare view into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include bundles of code that collect the location data of their users. Many companies have turned instead to searching for location information through the advertising ecosystem, where companies offer to place ads in applications. But a side effect is that data brokers can listen in on that process and collect the location of people’s mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from RTB systems, but there is a certain company that acts as a global honeybee, doing what it likes with every piece of data coming their way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices in the United States, Russia and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of the mentioned apps.

The list includes dating sites Tinder and Grindr; massive games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles and Spells; transportation app Moovit; My Period Calendar & Tracker, a period tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s Office 365 app; and the flight tracker Flightradar24. The list also mentions several religion-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and several VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Various security researchers have published other lists of the applications included in the data, of various sizes. Our version is relatively larger because it includes Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for the apps they have installed.

Although this data set came from an apparent hack of Gravy, it is unclear whether Gravy collected this location data itself or acquired it from another company, or whether the location company ultimately owns it or is licensed to use it.
