Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Some of the world’s most popular apps are likely being co-opted by rogue members of the ad industry to collect sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary previously sold global location data to US law enforcement.
The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because most of the collection is happening through the advertising ecosystem — not code created by app creators — this data collection is likely happening without the knowledge of users or even app developers.
“Publicly for the first time, we have evidence that one of the largest data brokers selling to both commercial and government clients appears to be deriving their data from online ad ‘bid streams’ rather than code embedded in apps,” Jack Edwards, senior threat analyst at cybersecurity firm Silent Push, who closely follows the location data industry, told 404 Media after reviewing some of the data.
The data provides a rare glimpse into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include bundles of code that collected location data from their users. Many companies have instead turned to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can eavesdrop on that process and collect the location of people’s mobile phones.
“It’s a nightmare scenario for privacy, because these data breaches don’t just involve scraping data from RTB systems, but there are companies out there acting like global honey badgers, doing whatever they want with each piece of data,” Edwards said.
The hacked Gravy data includes hundreds of millions of mobile phone coordinates inside the US, Russia and Europe. Some of these files specify an app next to each piece of location data. 404 Media extracted the app names and created a list of the mentioned apps.
The list includes dating sites Tinder and Grindr; huge games such as Candy Crush, Temple Run, Subway Surfer, and Harry Potter: Riddles and Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; popular fitness app MyFitness Pro; social network Tumblr; Yahoo’s email client; Microsoft’s 365 Office app; and flight tracker Flightradar24. The list also mentions several religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.
The full list is available here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is relatively large because it contains both Android and iOS apps, and we decided to keep duplicate instances of the same app with slightly different names to make it easier for readers to search for their installed apps.
Although this dataset comes from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or has a license to use it.