Some apps may track your activity as time go on, even when you let them know to forget recent. And there’s nothing you can possibly do about it. These mobile phone apps avoid privacy settings. Think about this the next time you look to make an iPhone upgrade.
Roughly 17,000 Android apps collect identifying information that creates a permanent record of the activity on your device, according to research from the International Computer Science Institute. The data collection appears to violate the search giant’s policy on collecting data that can be used to target users for advertising in many cases, the researchers said.
How Are Apps Tracking Your Usage?
The apps can track you by linking your Advertising ID– a unique but resettable number used to tailor advertising– with other identifiers on your phone that are difficult or impossible to change. Those IDs are the device’s unique signatures: the MAC address, IMEI and Android ID. No more than a third of the apps that collect identifiers take only the Advertising ID, as recommended by Google’s best practices for developers.
“Privacy disappears” when apps collect those persistent identifiers, said Serge Egelman, who led the research. He said his team, which reported the findings to Google in September, observed the majority of the apps sending identifying information to advertising services, an apparent violation of Google’s policies.
The company’s policies allow developers to collect the identifiers but forbid them from combining the Advertising ID with hardware IDs without explicit consent of the user, or from using the identifiers that can’t be reset, to target ads. What’s more, Google’s best practices for developers recommend collecting only the Advertising ID.
A Tech Industry Privacy Standard
The behavior matches the tech industry’s long history of creating privacy measures that websites and app developers quickly learn to bypass. Adobe, for example, was forced to address Flash cookies in 2011 after complaints that the snippets of software could survive in your web browser even after you cleared all your cookies.
Similar complaints arose in 2014 over Verizon’s and AT&T’s use of so-called “supercookies,” which tracked users across multiple devices and couldn’t be cleared. In 2012, Microsoft accused Google of circumventing its P3P web privacy standard, which let users of the Internet Explorer browser set their preferences for cookies.
Data picked up by mobile apps has provoked even broader scrutiny because of the explosion of smartphones and tablets. In January, Facebook and Google were both found to have used a developer tool to circumvent Apple’s privacy rules and build iOS apps that collect user information. Facebook’s scandal in 2018 and other privacy controversies have sparked greater scrutiny over how data is being collected and used.
Which Apps Violate Privacy Settings the Most
It’s been discovered that about 6,000 children’s apps were improperly collecting user data, and then there is an extremely large number of big-name apps for that are exclusively for adults which are sending permanent identifiers to various advertising services.
The apps included Angry Birds Classic, the smartphone game, as well as Audiobooks by Audible and Flipboard. Clean Master, Battery Doctor and Cheetah Keyboard, all utilities developed by Cheetah Mobile, were also found to send permanent info to advertising networks.
All of these apps have been installed on at least 100 million devices. Clean Master, a phone utility that includes antivirus and phone optimization services, has been installed on 1 billion devices.
What is Google’s Doing About the Phone App Privacy Issues?
Google said it had investigated the report and taken action on some apps. It declined to say the number of apps it did something about or what action was taken, or to identify which of its policies the mobile apps had violated. Google said its policies allow for the collection of hardware identifiers and the Android ID for some purposes, like for fraud detection, but except the targeting of ads.
Google strictly enforces its policies only when Android apps send the identifiers to Google’s own ad networks, including AdMob. The next time you buy an unlocked Samsung Galaxy S9 Plus Unlocked, remember these facts. If the apps send the data to outside networks, Google says it can’t monitor those violations.
Google has a number of initiatives that aim to protect user privacy and security. Google has actually increased the range of abusive apps it blocked from it’s Google Play store by 55 percent in 2018.
The data collection identified got Uber in trouble with Apple in 2015. According to The New York Times, Apple CEO Tim Cook was angry to learn that Uber was collecting iOS users’ hardware identifiers against Apple’s policies and threatened to remove the Uber app from the App Store.
They all tested the apps as they operated on Android 6, also known as Marshmallow. Just over half of all Android devices run Android 6 or an earlier version of the system, according to a Google analysis from October. The researchers configured a version of Android that allowed them to track which identifiers an app collected then afterwards ran thousands of apps on the modified software.
Changing your Advertising ID should serve the same function as clearing out your web browsing data. When you clear cookies, websites you visited previously won’t recognize you. That stops them from building up data about you over time.
But you can’t reset other identifiers, like the MAC address and IMEI. The MAC address is a unique identifier that your device broadcasts to internet connections like Wi-Fi routers. The IMEI is an identifier for your specific device. Both identifiers can sometimes be used to prevent stolen phones from accessing a cellular network. The Android ID is another identifier that’s unique to every device. It can possibly be reset, but only if you run a factory reset of your device.
If apps send ad networks any of those identifiers, it won’t matter how many times you reset your advertising ID. They can still tell it’s you.
What Does the App Privacy Issue Mean to You?
Google remains in the best position to punish apps that use hardware identifiers and the Android ID in ways that violate its own policies.
The fact that developers are creating workarounds to the Advertising ID suggests that many individuals are resetting the identifier, Cranor said, even though most users are unaware of the privacy feature.