The systematic recording of motion profiles from smartphones is a billion dollar business, but little is known about how exactly this data is recorded and what exactly it is used for. A new research by AppCensus shows: Even seemingly harmless apps such as barcode scanners, GPS speedometers or weather apps collect systematic detailed movement histories of their users.
Like AppCensus in a blog post, the data collection was not noticed in the usual tests, as the SDK does not permanently upload the user data in real time, but stores it locally in a file. This data collection includes not only GPS data, but also information about nearby WLAN networks.
Release for everything
Such data is collected for a number of purposes. For example, municipalities can use movement data for traffic planning, and investors can find favorable locations for shops, for example. However, they are also suitable for individual advertising, as the data allow conclusions to be drawn as to which stores users shop in. In order to be able to assign them precisely, according to the analysis, Huq not only records the advertising ID of Android, but also assigns them their own permanent ID.
Apple and Google have restricted access to the exact location of app users in order to protect their privacy. Therefore, in the current versions of Android and iOS, access to GPS and other location data must be explicitly confirmed. But this is not perfect protection. The SDKs of the respective providers can often be found in apps that require location for their normal functionality. For example, AppCensus found Huq’s SDK in an app that displays speed cameras and has been installed over 10 million times.
App developer responsible?
On its homepage, the British provider advertises that it evaluates one billion data points from 161 countries every day, but leaves open exactly where this data comes from. You have to look for this information from the data protection declarations of the individual apps. As reported by the US magazine Vice, the analysis of the communication between two apps showed that they also transfer data if the collection of the data was expressly objected to. In relation to Vice, Huq blames the app developers for this behavior. These should only initialize the SDK if there is consent.