Candy Crush, Tinder, MyFitnessPal: See thousands of hacked apps that track your location


Some of the world's most popular apps may be being co-opted by rogue members of the advertising industry to collect sensitive location data on a large scale, with that data going to a location data company whose subsidiary previously sold global location data to United States law enforcement.

Thousands of applications are named in the hacked files from location data company Gravy Analytics, including everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, on both Android and iOS. Because the majority of the collection happens through the advertising ecosystem, not through code developed by the app creators themselves, this data collection can take place without the user or even the app developer knowing.

“For the first time publicly, we appear to have evidence that one of the largest data brokers selling to both commercial and government customers appears to be getting their data from the online advertising 'bid stream,' rather than code embedded into the app itself,” Zach Edwards, a senior threat analyst at cybersecurity company Silent Push and someone who has closely followed the location data industry, told 404 Media after looking at some of the data.

The data provides a rare glimpse into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include code packages that collect user location data. Many companies have since moved on to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But the side effect is that data brokers can listen in on that process and collect people's cell phone locations.
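As an added illustration (not from the original article or the reporting it describes): a bid request in real-time bidding usually carries the app, an advertising ID and coordinates together, which is what makes the stream useful to anyone listening. The Python example below assumes OpenRTB 2.x field names and a constructed sample request, and shows an audit and a minimization step that a publisher or mediation layer could apply before a request goes out to bidders; the function names and the one-decimal rounding policy are hypothetical.

```python
import copy
import ipaddress

# Constructed bid request using OpenRTB 2.x field names (assumed; not from the page).
SAMPLE = {
    "id": "req-0001",
    "app": {"name": "Example Puzzle Game", "bundle": "com.example.puzzle"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-123456789abc",  # advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 40.748441, "lon": -73.985664, "type": 1, "accuracy": 12},
    },
    "user": {"id": "u-42"},
}
COARSE_DECIMALS = 1  # hypothetical policy: one decimal is roughly 11 km of latitude

def _net24(ip):
    """Network address of the /24 containing ip, as an ipaddress object."""
    return ipaddress.ip_network(f"{ip}/24", strict=False).network_address

def audit(req):
    """Return the fields that tie a precise place to one identifiable device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    found = []
    if any(k in geo and round(geo[k], COARSE_DECIMALS) != geo[k] for k in ("lat", "lon")):
        found.append("device.geo")
    if dev.get("ifa"):
        found.append("device.ifa")
    if dev.get("ip") and ipaddress.ip_address(dev["ip"]) != _net24(dev["ip"]):
        found.append("device.ip")
    if req.get("user", {}).get("id"):
        found.append("user.id")
    return found

def minimize(req):
    """Return a reduced copy: coarse location, truncated IP, no stable identifiers."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    geo = dev.get("geo", {})
    for k in ("lat", "lon"):
        if k in geo:
            geo[k] = round(geo[k], COARSE_DECIMALS)
    geo.pop("accuracy", None)
    dev.pop("ifa", None)
    if "ip" in dev:
        dev["ip"] = str(_net24(dev["ip"]))
    out.get("user", {}).pop("id", None)
    return out

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after: ", audit(minimize(SAMPLE)))
```

The app name and bundle are left in place because bidders need them to price the ad; the point is that without a precise fix and a stable device ID next to them, a record no longer maps one person to one place.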

“This is a nightmare scenario for privacy, because this data breach not only contained data taken from the RTB system, but there were also several companies out there acting like global honey badgers, doing whatever they want with every piece of data that comes their way,” Edwards said.

The hacked Gravy data included tens of millions of mobile phone coordinates for devices in the US, Russia and Europe. Some of those files also reference an app alongside each piece of location data. 404 Media extracted the app names and built a list of the apps mentioned.

The list includes dating sites Tinder and Grindr; big games like Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Magic; transit app Moovit; My Period Tracker & Calendar, a period tracking app with over 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions many religion-focused apps, such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an effort to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of applications contained in the data, which vary in size. Our version is relatively larger because it includes both Android and iOS apps, and we have decided to keep duplicate versions of the same app with slight name variations to make it easier for readers to find apps they have installed.

While this dataset came from an apparent hack of Gravy, it's unclear whether Gravy collected this location data itself or got it from another company, or which location company ultimately owned it or was licensed to use it.


