Android’s hidden trackers

0
Information Privacy on computer keyboard background

Last Updated on 2022-07-09 by Joop Beris

I think it’s old news by now that your smart phone tracks you. Advertising companies and government agencies both want to get their hands on as much information about you as they can, for various reasons. But how much information does your phone leak about you and to whom? Apple provides transparency reports and even allows users to opt out from tracking by advertisers. But what is the situation on Android? DuckDuckGo‘s App Tracking Protection, now in beta, offers insight in Android’s hidden trackers.

Taking a look at App Tracking Protection

Readers of my blog know that I am concerned about our loss of privacy. When DuckDuckGo announced the beta release of their App Tracking Protection, I signed up. A couple of days ago, I was admitted as a beta user and turned on App Tracking Protection right away. Of course I want to know more about Android’s hidden trackers!

How does it work?

To enable the feature, it registers itself as a VPN on your phone. It’s important to understand that App Tracking Protection is not a VPN, it works only locally to intercept your network traffic so it can filter out connections to the companies tracking you. Since Android can only have one always-on VPN at the same time, you lose the protection a real VPN offers by using this feature. It’s unsure how this feature compares to a service like ProtonVPN’s Netshield feature, which blocks trackers at the DNS level if the VPN is running.

I contacted ProtonVPN support in an effort to find out if they block trackers hiding in apps. While they confirm that the Netshield feature blocks ads, malware and tracking, they are unable to share exactly what trackers are blocked. The block lists and underlying database are considered sensitive information. They also refer to an article describing the threat model a VPN protects against. Because ProtonVPN doesn’t tell what it is blocking precisely I have no way to know if Netshield is better or worse. NordVPN support on the other hand, confirms they block trackers in apps on Android without exception.

Experience so far

While not a full VPN, I still decided to turn the feature on to see what it could show me about Android’s hidden trackers on my phone. I am not happy by what I see in the results. As far as I can tell, App Tracking Protection works nicely. I am not seeing any slowdowns or malfunctioning apps on my phone. However, in the past 7 days, it managed to block 823 tracking attempts across 35 apps! While a lot of those attempts were to Google, which already tracks your phone, I also see tracking attempts to companies like Urban Airship, Bugsnag, Functional Software, Branch Metrics and Verizon Media coming from apps. Even from apps that I didn’t actively use during this time.

An overview of the latest trackers blocked by DuckDuckGo's App Tracking Protection on my phone
An overview of the latest trackers blocked by DuckDuckGo’s App Tracking Protection on my phone. I haven’t even launched some of these apps in the past 7 days.
(Source: beris.nl)

Worst offender here is is definitely the Playstation app. I didn’t launch it recently but today alone it’s made 56 connection attempts to Urban Airship and Branch Metrics! And what do these companies collect about me?

What information is shared?

The App Tracking Protection feature shows that too. Simply click on them in the list and you can see the details. The Playstation app sends the following information back to the tracking companies mentioned:

  • Time zone
  • Unique identifier
  • GPS coordinates
  • Email address
  • Device model
  • Network carrier
  • OS version
  • Device total memory

Because an email address is usually linked to an individual, both these companies can track where someone is.

Google remains king of tracking, though. Google records me through several apps, for instance Groupon. In addition to the information above, Google collects:

  • Local IP address
  • First name
  • Last name
  • Headphone status
  • Device orientation
  • System volume
  • Gender
  • Network connection type
  • Cookies

Another surprise is that official apps from the Dutch government, like Berichtenbox and DigiD contain hidden trackers. Both contain Visual Studio App Center, which collects a lot of the same information listed above. Our government promotes the use of these apps, for instance for secure login. However, users installing them also unknowingly transmit a lot of personal information to Visual Studio App Center servers. It’s not mentioned anywhere in the privacy policy either, as far as I can tell.

Legitimate use?

Companies using these trackers have a legitimate reason for collecting some of the information displayed. Information like screen size, OS version, device model and device memory give them feedback on how their app is used and on what devices. That’s fair enough. But they don’t need to know my name, email address, gender or precise geographic location. While they might have mechanisms in place to assure the collected information is not retained, why collect what you don’t need in the first place? That’s not privacy by design!

Verdict

DuckDuckGo’s App Tracking Protection is great for getting insight in which apps are following you and what information they collect. Based on what I have seen, I’m definitely going to remove some apps from my phone. On the other hand, my real always-on VPN offers a wider range of protection. ProtonVPN with Netshield fully enabled might even block all these trackers too but it’s impossible to be sure.

For now, I think I will continue to use my normal VPN but it’s worth switching to App Tracking Protection every now and then, just to keep tabs on who’s watching you. A feature that offers insight into Android’s hidden trackers is good news any day of the week.

Hits: 80

%d bloggers like this: