New report sheds light on apps sending information back to tracking services


Allowing applications on devices to collect some data is a standard expectation these days. Permissions are meant to let users know what apps are collecting and why they need it, and should give the user the power to say no if they so choose. However, some apps use a built-in feature within iOS to take advantage of data collection and send that information to tracking services.

A new report from The Washington Post aims to shed light on just how much data some applications are sending out on a regular basis, oftentimes in the middle of the night when you aren’t even using the device in question. According to the report, Geoffrey Fowler teamed up with a company called Disconnect, which allowed Fowler to connect his iPhone to some hardware and use specialized software that’s meant to track the device’s actions throughout the day. This allowed Fowler to see just what his phone was doing and the times those events were taking place.

Over the course of a week, Fowler learned that his phone was sending out critical information on a regular basis, including his phone number, exact location, email addresses, and even the IP address associated with the iPhone. Some of the information being sent, the times it was being sent, and where it was ending up are pretty shocking:

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

Fowler discovered that many popular apps are culprits in this method of sending out information. That includes Spotify, The Washington Post’s own app, The Weather Channel, Microsoft’s OneDrive, and Intuit’s Mint. These apps are passing information to third-party tracking services, oftentimes utilizing the background app refresh feature built into iOS. This feature allows apps to refresh their content when the phone is connected to Wi-Fi or a cellular network.

Even more shocking, Fowler discovered that over the stretch of time for testing, upwards of 5,400 trackers were utilized in some fashion or another in connection with the data his iPhone was sending out. According to the company Disconnect, all of this could equal out to be about 1.5 gigabytes of personal information being sent out over the course of a month.

Apple did provide a comment on the story, but it’s the company’s standard fare:

“At Apple we do a great deal to help users keep their data private,” the company says in a statement. “Apple hardware and software are designed to provide advanced security and privacy at every level of the system.”

“For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store,” Apple says.

Now, it’s worth noting here that tracking is not inherently bad. Companies have the ability to anonymize the data that is sent out, and can store the information for just a limited amount of time. However, in the cases presented here, the results are not great, especially when it comes down to where the personal information is going.

One example provided in the report is DoorDash, a popular food-delivery service. According to Fowler, just opening that app can kick tracking into gear, and up to nine different third-party tracking services will be getting information right out of the gate. Here’s a taste of what is happening when you use DoorDash:

In the case of DoorDash, one tracker called Sift Science gets a fingerprint of your phone (device name, model, ad identifier and memory size) and even accelerometer motion data to help identify fraud. Three more trackers help DoorDash monitor app performance — including one called Segment that routes onward data including your delivery address, name, email and cell carrier.

DoorDash’s other five trackers, including Facebook and Google Ad Services, help it understand the effectiveness of its marketing. Their presence means Facebook and Google know every time you open DoorDash.

DoorDash’s privacy policy explicitly states, “DoorDash is not responsible for the privacy practices of these entities”. However, the company also tells Fowler that it does not sell or share personal data collected from mobile devices.

The full report is certainly worth checking out. The findings are pretty crazy, especially when you think about Apple’s “What happens on your iPhone stays on your iPhone” privacy marketing. Apple does do a better job of handling user security and privacy as a whole, but this is one area where the company could probably do better.

Not all tracking is bad, as it can be tweaked to be user-friendly, but there are certainly bad actors out there. And the information is a lucrative money maker for some companies. But this amount of tracking, even when the phone is resting while the owner sleeps, is outrageous.