The secret way most apps spy on you even when you think they aren’t

The moment you install an app, it begins scavenging and pestering you for your data. It requests permissions to tap into your phone’s internals, asks you to hand over a handful of personal details — you know the drill.

However, no matter how frugal and vigilant you are at each step, there’s still one way most apps end up covertly mining your data.

Every app comes packaged with a range of what are technically called Software Development Kits (SDKs). To understand these better, think of an app as a Lego house, with each block acting as a single key module.

Developers program the blocks that are unique to their apps, such as their design and functions. But components like advertising and analytics are not usually built in-house. For that, they turn to third parties that already offer these services. All developers need to do is plug them into their apps.

SDKs were designed, as you may assume, to accelerate development and eliminate redundant effort. But of late, these little entities have evolved into critical loopholes in our quest for privacy, as companies have abused them to siphon up personal user data even when they are not supposed to.

Detriment to privacy

An Oxford University study found that nearly a third of all the apps in the Play Store were linked to at least 10 third-party SDKs and one in five were sharing user data with as many as 20 SDKs. That figure goes up exponentially on large-scale free apps. For instance, as per MightySignal, a mobile intelligence firm, Tinder is connected to a staggering 51 SDKs, Airbnb has 41, and ESPN has 40.

The majority of SDKs collect data you wouldn’t normally think is of any significance. They track what you tap inside an app, areas where you spend most of your time, which ads you interact with, and more. But this seemingly harmless practice can be critically detrimental to your privacy when you look at how all that data fits in the broader picture.

The Oxford study also revealed that 88% of the researched apps could beam data to companies that are ultimately owned by Alphabet (Google’s parent) and 43% to Facebook-owned services.

Companies like Facebook and Google already know a fair bit about you, and by tapping into hundreds of thousands of apps through SDKs, they are able to fine-tune your digital profile in their database and serve you targeted ads. For instance, if you are expecting and have installed a pregnancy-related app, Google or Facebook can potentially begin showing you ads for baby products based on this new information.

Personal data mined

Developers tend to justify all these SDKs by claiming the data is kept anonymous and personal information like your phone number is never shared.

But in reality, large businesses have the ability to tie even the tiniest bit of data to your digital profile. The app may not be telling an SDK your name or email address, but tech companies can figure it out on their own by cross-referencing it with their existing knowledge.

Apps do not always share only anonymized data with SDKs. Kaspersky Lab researcher Roman Unuchek found 4 million Android apps were sending unencrypted user profile data — including names, incomes, phone numbers, email addresses, and, in one example, GPS coordinates — to the advertisers’ servers.

A few weeks ago, an Electronic Frontier Foundation (EFF) investigation discovered that four analytics and marketing companies were accumulating information such as names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from the Amazon Ring app.

Two of the SDKs EFF highlighted — Appsflyer and Facebook Graph — can be found in a multitude of apps, and experts say it’s likely that they are gathering a similar set of data from other apps as well.

In a statement, an Appsflyer spokesperson said the company is not a data broker and “does not build targeting profiles, does not sell data, and does not otherwise utilize any app user personal data for its own purposes.”

“Some analytics companies give the app developers fine control over what information is being delivered, but it seems like a good assumption that other apps will be giving a similar amount of sensitive data if they include these same libraries,” William Budington, author of the EFF investigation, told Digital Trends.

A number of SDKs that currently play an indispensable role in app development often don’t clearly state how they handle user data. In some cases, developers skip checking how an SDK works, putting user security at risk.

“Unfortunately, most developers might not know … how intrusive a given SDK can be when building their own software, while users are completely unaware of the fact that, when running a mobile app, there might be dozens of other organizations potentially collecting sensitive and personal data,” said Narseo Vallina-Rodriguez, a research scientist at the International Computer Science Institute’s Networking and Security division and a member of the team that developed Lumen, an app that monitors which SDKs your phone is transmitting data to.

Key information buried

Another problem that has enabled SDKs to run amok is that consent for them is generally buried deep in an app’s privacy policy, and a lot of the time developers fail to explicitly underline what users are giving up. Further, the app’s security settings don’t apply to third-party SDKs, leaving people little to no choice.

“As a matter of fact, there is evidence showing that what many apps report on their privacy policies offers an incomplete picture of their actual runtime and data collection behaviors,” added Narseo Vallina-Rodriguez.

Up until Android 10, SDKs could even share permissions between two unrelated apps. So if, say, app A has the location permission and app B doesn’t, and both come equipped with the same SDK, there’s a decent chance B can feed off A’s location permission and collect your GPS data.

Unlike in browsers, you also can’t simply block app trackers. Your only option is to go through an app’s settings and make sure to uncheck the Collect data for the analytics box if there is one.

You can also start using web apps on your phone via your browser, which allows you to block trackers with the browser’s built-in tools. Most leading apps like Instagram and Tinder offer comparable web apps that largely behave as regular mobile apps. In the process, you’ll also save a ton of storage and RAM.

Your privacy is only as strong as the weakest link in the whole app chain, and on phones, that link is an SDK. And unfortunately, you cannot do anything about it other than switch to apps that promise more security for your data. Hopefully, in future versions of Android and iOS, Google and Apple will introduce better protections against third-party trackers.

Shubham Agarwal
Former Digital Trends Contributor
Shubham Agarwal is a freelance technology journalist from Ahmedabad, India. His work has previously appeared in Firstpost…