Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location


This article was produced with support from WIRED.

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. 

The thousands of apps, which appear in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without the knowledge of users or even app developers.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients, appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of people’s mobile phones.

“This is a nightmare scenario for privacy because not only does this data breach contain data scraped from the RTB systems, but there’s some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards adds.
