Candy Crush, Tinder, MyFitnessPal Among Thousands of Apps Exploited to Harvest Location Data

A massive data breach of location data company Gravy Analytics has exposed how popular apps across the Android and Apple platforms are being exploited, often without the knowledge of users or app developers, to collect sensitive location information on an immense scale.

Wired reports that a recent hack of location data company Gravy Analytics has shed light on a disturbing trend in the mobile app industry. The breach revealed that thousands of the world’s most popular apps, ranging from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, are likely being exploited by rogue members of the advertising industry to harvest sensitive location data on a massive scale.

The data, which ended up with a location data company whose subsidiary has previously sold global location data to US law enforcement, is being collected through the advertising ecosystem rather than through code developed by the app creators themselves. This means the data harvesting is likely happening without the knowledge of users or even app developers.

The hacked Gravy Analytics data provides a rare glimpse into the world of real-time bidding (RTB), where companies bid to place ads inside apps. While app developers historically paid location data firms to include code that collected user location data, many companies have turned to sourcing this information through the advertising ecosystem instead. However, data brokers can listen in on this bidding process and harvest the location of mobile phones as a side effect.

The hacked data includes tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe, with some files referencing an app next to each piece of location data. The list of apps mentioned is extensive, including well-known apps like Candy Crush, Tinder, Grindr, Moovit, MyFitnessPal, Tumblr, and Microsoft’s 365 office app, among many others.

It’s unclear whether Gravy Analytics collected this location data itself or sourced it from another company. Still, the implications are significant, as Gravy is known to collate mobile phone location data from various sources and sell it to commercial companies or, through its subsidiary Venntel, to U.S. government agencies.

That the data appears to be sourced through RTB is crucial: it determines who is responsible (rogue members of the advertising industry and the tech giants that facilitate it) and how users can protect themselves (by attempting to block ads), and it means that massive app publishers may not even be aware their users’ data is being harvested.

While some app developers and companies included in the list claimed no relationship with Gravy Analytics or denied authorizing the collection of user location data, the nature of the RTB process means that a member of the advertising ecosystem could still extract such data without their knowledge.

The FTC has taken steps to curb this practice, banning location data company Mobilewalla from collecting consumer data from online advertising auctions for purposes other than participating in those auctions. The agency also ordered Venntel and Gravy Analytics to delete historical location data and banned them from selling data related to sensitive areas like health clinics and places of worship, except in limited circumstances.

Read more at Wired here.

Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.

Authored by Lucas Nolan via Breitbart January 10th 2025