Sensor Tower is reported to have been anonymously harvesting data from millions of users of several popular VPN and ad-blocking apps. Data collection without user knowledge is not a new incident. However, the use of VPN and ad-blocking apps that users install are usually for protecting their privacy, not adding to the issue.
Secret data harvesting by mobile apps continues to be a pressing issue and one that should be a cause of concern for all users. Apps today have access to so much user data that this is not only proving to be a serious issue for user privacy, but in some cases, even the wellbeing of users. There have been numerous incidents in recent times when data collected without user knowledge has found its way to both advertisers and law enforcement agencies. The popularity of VPN and ad-blocking apps are, in fact, testament to how worried users are about their data.
It now seems as though even those apps aren't safe. As a recent Buzzfeed report suggests, Sensor Tower has been collecting data from at least 20 such apps available from both the Google Play Store and Apple's App Store. Sensor Tower, however, clarified that it is not collecting any sensitive personal data through these apps and most of which are either now defunct or in the process of shutting down. Although the part about the defunct apps is certainly true, what isn't mentioned is that most of those apps were removed from the app stores due to policy violations. With more than 35 million combined downloads, the apps had access to information on a massive number of users. Free and Unlimited VPN, Luna VPN, Mobile Data and Adblock Focus are four of those 20 apps, and none of them disclose their connection to Sensor Tower, nor reveal that they share any data with the company. Once the investigation was published, Buzzfeed's Craig Silverman released a full list of the apps understood to be involved in this.
Here's How The Apps Were Harvesting Data
The data harvested by these apps was taking place through a root certificate. These small files can be used to give developers escalated access, including a phone's traffic and data, and in this case appear to have been used to provide the user information to Sensor Tower. These root certificates have to be installed via external websites, since both Google and Apple restrict their installation due to the associated security risks. The data collected through this approach is likely to have been invaluable to Sensor Tower, whose various products provide clients with competitive insight for succeeding in the mobile app eco-system.
While secret data harvesting of any kind is a severe issue, this sort of collection through apps that are supposed to protect user privacy lulls users into a false sense of security. However there have been so many data leaks, that it is in a way becoming normalized at the moment. User data is a gold mine for companies, especially advertisers, making it a lucrative business for those involved. As an extension of this, apps also often collect far more than is necessary for the working of the app, highlighting the need for users to consider whether that's a price worth paying for access to a service. Furthermore, it is time developers started becoming more transparent on what they are doing with user data, rather than hiding that information.
Source: Buzzfeed