Some Android apps are secretly sharing your data with FB
Android apps have been secretly sharing usage data with Facebook, even when users are logged out of the social network – or don’t have an account at all.
Advocacy group Privacy International announced the findings in a presentation at the 35th Chaos Computer Congress late last month. The organization tested 34 apps and documented the results in a downloadable report.
The investigators found that 61% of the apps tested automatically tell Facebook that a user has opened them. This accompanies other basic event data, such as the app being closed, along with information about the user’s device and suspected location based on language and time settings. Apps have been doing this even when users don’t have a Facebook account, the report said.
Some apps went far beyond basic event information, sending highly detailed data. For example, the travel app Kayak routinely sends search information including departure and arrival dates and cities, and numbers of tickets (including tickets for children).
Language learning app Duolingo was among several apps that the report called out for sharing extra data, including “how the app is used, which menus the user has visited, and other interaction information”.
The occasional message telling someone that you’ve opened a language learning app and decided to brush up on your German may seem harmless enough, but it still has Privacy International worried. The report said:
“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines.”
Moreover, the report says that this basic SDK data could cross over into a special category of user data that is specially protected under GDPR. If a user opens a medical or religious app and that event is sent to Facebook, it could reveal information about the user’s health or religious beliefs.
This is more likely when apps send this information with a unique Google advertising ID (AAID), which according to the report they often do. Many advertising technology companies sync AAIDs across different devices so that they can build a better profile of a user’s activities across mobile and desktop.
What could Facebook use such information for? Some possible uses highlighted by the report include matching contacts and building targetable audiences. The social network has also been known to track application usage in the past to gain market intelligence about which apps people are using, as it did with the Onavo VPN product that it purchased and subsequently removed from Apple’s app store.