A controversial SDK used for location tracking is still present in hundreds of Android applications, despite bans from Apple and Google. In 2020, the use of the X-Mode data broker tracking software was banned from the world’s two major app stores due to the company’s connections with government agencies, but a new study from ExpressVPN’s Digital Security Lab reveals that only 10% of apps that used it previously have removed it at this time.
ExpressVPN found 199 apps currently listed on Google Play that continue to make use of X-Mode. These apps have been collectively downloaded over a billion times. X-Mode made headlines in November when it was discovered in a Quran and Muslim prayer app that had been downloaded 98 million times.
Controversial location tracking SDKs are still widely used despite heightened scrutiny and bans
Called “Xoth Research,” the ExpressVPN study examined a range of software development kits (SDKs) that developers widely use to add location tracking functionality to their applications. While SDKs are generally benign, they can pose a particular privacy problem: they are embedded in the application code in such a way that it is difficult for app store review mechanisms to identify them and determine exactly what they are doing.
ExpressVPN security researchers identified a number of location-tracking SDKs with suspicious features, including X-Mode. These “tracker SDKs” are sometimes bundled into applications without the application developers being fully aware of their range of privacy-invading features or of whom exactly the user data is being passed on to. That was the case with X-Mode, which had been in use since 2013 by developers unaware that the company was collecting and selling identity and location data to US military and government organizations (until investigative reports were released in late 2020). X-Mode was criticized for its use in Muslim Pro, a popular application that uses the user’s location data to determine the direction of Mecca.
While the ExpressVPN study doesn’t mention any Apple apps, it’s not because they’ve tested clean. The study was limited to examining Android apps due to technical and legal barriers to unpacking apps from the Apple store to an appropriate level. However, applications that still contain X-Mode (and other types of location tracking SDKs) are present in the Android and Apple stores.
Data brokers who profit from the surreptitious collection of personal information
Due to its notoriety, ExpressVPN researchers made X-Mode a special focus of this research. Aside from the problem of transferring identity and location data to government agencies without the user’s knowledge, these location-tracking SDKs sometimes pass data to unknown data brokers, who in turn pass it on to unknown clients. For example, the research found a new component of the X-Mode SDK that led to five previously unknown entities it is passing data to: Foursquare subsidiary Placed, audience profiling data brokers Sense360 and OneAudience, WiFi mapping software and SDK developer SignalFrame, and location data broker BeaconsInSpace.
Two of these hidden data broker partners are particularly controversial. SignalFrame received a grant from the US Air Force to develop software that can be integrated into phones for interception purposes. OneAudience has been banned from Facebook and Twitter (among other platforms) and has faced lawsuits over suspicious data collection practices reminiscent of the Cambridge Analytica scandal. OneAudience has been hit with high-profile lawsuits (including one involving Facebook) and was supposed to have shut down its SDK in November 2019.
ExpressVPN found X-Mode code that communicates with various of these partners in quite a few apps, including several that are specifically marketed to Muslim users. However, these questionable location tracking elements and connections to data brokers are not limited to prayer apps and other religious apps. ExpressVPN notes that these questionable SDK components are most commonly found in dating and social apps that name specific user or country demographics in their titles. Video and file converters are also among the applications that use X-Mode, a category that should have no reason to need granular location information other than surreptitious profiling and tracking.
Anurag Kahol, Chief Technology Officer and Co-Founder of Bitglass, shared some ideas on how organizations can protect themselves from inadvertent use of services that feed questionable data brokers: “Application developers have a responsibility to their users to request explicit consent to share data and allow them full control over their private information … In addition to violating user privacy, refusal to adhere to data privacy regulations like the CCPA could also result in hefty compliance penalties … To maintain compliance, organizations can start by obtaining consent from users, then equip themselves with Data Loss Prevention (DLP), Multi-Factor Authentication (MFA) capabilities, and User and Entity Behavior Analytics (UEBA). By implementing a robust security protocol, companies can maintain visibility and control of data wherever it goes, while they prevent data trackers from accessing users’ private information.”
A group of Democratic senators, including Ron Wyden and Elizabeth Warren, requested information from Mobilewalla in August about the surreptitious tracking of the mobile locations of Black Lives Matter protesters. These incidents have increasingly focused attention on the extent to which government agencies are engaging in warrantless monitoring and surveillance through purchases from data brokers. Some agencies have taken the position that information obtained from data brokers does not violate First Amendment protections.