At least 20 ad-blocking and virtual private network (VPN) apps owned by analytics firm Sensor Tower may have been secretly spying on users’ phones, according to a BuzzFeed News investigation on Monday.
Sensor Tower owned over 20 Android and iOS apps that marketed themselves as ad blockers and VPNs (which are are supposed to protect users from prying eyes by re-routing internet traffic to and from a device through an encrypted tunnel). But like Facebook’s vampiric Onavo app, once activated, Sensor Tower’s apps gained access to the traffic on a device and shared their findings with their owner. According to BuzzFeed, the Sensor Tower-owned apps prompted users to install a root certificate via a third-party website, dodging security restrictions in Apple’s App Store and Google’s Play Store.
The apps “don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products,” according to BuzzFeed. Four of them were recently available on the Play Store under the names Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. The Adblock Focus and Luna VPN apps also appeared on the App Store.
All told, the 20 or so apps owned by Sensor Tower had 35 million downloads. Most were already removed from app stores for rule violations, BuzzFeed wrote, while Apple and Google removed more after being contacted and are investigating the others.
Sensor Tower head of mobile insights Randy Nelson told BuzzFeed that the company originally wanted to build an ad blocker, adding “When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense—especially considering our history as a startup.”
“We take the app stores’ guidelines very seriously and make a concerted effort to comply with them, along with any changes to these rules that occur from time to time,” Nelson told BuzzFeed, saying that several of the apps were already removed or were being killed off. Nelson also added that Sensor Tower’s apps didn’t collect personally identifiable or sensitive information like passwords or usernames from users. (Note that many of the apps had been removed specifically because someone realized what they were actually doing, and that rules out only a small percentage of the phone activity users might think of as embarrassing, sensitive, or strictly private.)
Tracking user activity is essentially the foundation of the app economy, and hiding those functions in apps specifically designed to appear as though they actually safeguard users is a time-honored tactic. Facebook’s vampiric Onavo VPN is one of the more egregious cases, but everything from Tinder’s new panic button to cybersecurity firms have been tied to the ad-tech industry. Meanwhile, “anonymized” data can often be tracked back to the person it came from, which becomes a problem when it leaks out of the marketing ecosystem and into the hands of… whoever.