This post was originally published on January 28, 2021.
Apps are a central part of our lives. We use them for navigation, fitness, work, gaming, and more—88% of U.S. smartphone usage takes place inside of apps. Increasingly, we’re compelled to install apps for travel, banking, and health records—including Covid-19 vaccine passports. The entertainment and utility provided by smartphone apps, however, is often tarnished by deep privacy issues.
Today, the ExpressVPN Digital Security Lab is shining a light on a pervasive problem that has a tangible effect on human rights: Location tracking of consumers via smartphone apps. We call this effort “Investigation Xoth” (a nod to the intelligence group in Cory Doctorow’s Attack Surface). Though location-tracking methods can be reminiscent of science fiction, they are unfortunately all too real. We identified location tracker SDKs in 450 apps, which have been downloaded at least 1.7 billion times. This threatens not only the privacy of ordinary people around the globe but also their autonomy.
These apps encompass a wide range of categories, and if you have them installed, your movements are likely being monitored. As you travel, tourism and food apps recommend restaurants while they send your location to Internet-of-Things (IoT) beacon devices. If you work in an office, health and fitness apps tell you to go for a walk, building behavioral profiles that are mapped to your movements. If you use your smartphone as a remote control for your TV, your sleep habits and who you welcome into your home may be deduced.
[Know your privacy risks. Sign up for the ExpressVPN Blog Newsletter.]
Location trackers are prevalent in messaging, dating, and social apps
Consumers have become increasingly aware of the privacy pitfalls they face while using apps. However, they are not given enough context to make informed choices. While millions of users have switched to Signal and Telegram in fear of WhatsApp’s questionable privacy practices, many alternative messenger apps can ensnare users who are trying to make a switch toward better privacy and security but end up being spied on instead.
Our research discovered messenger apps are a significant carrier of location trackers, present in 42 messenger apps with at least 187 million downloads. These include apps masquerading as popular services such as Telegram, Facebook Messenger, and WeChat. As consumers explore new options for messaging, millions may wind up sharing their location and proximity data with companies steeped in privacy scandals such as Predicio and X-Mode. This includes Tango, a popular video messaging and streaming app with at least 200 million users.
The findings of our investigation reveal widespread targeting that cuts across national, ethnic, and racial groups, creating a global presence. Dating and social apps targeting a range of sexual orientations and dating preferences make up 64 of the 450 apps we analyzed, with at least 52 million downloads.
In the past year, a steady stream of investigative reporting has underscored the rampant data-sharing between the companies behind location trackers. It has been reported that data harvested by some of these companies is shared with law enforcement, military, and intelligence organizations, and legislative scrutiny of location-tracking practices continues to grow.
At the ExpressVPN Digital Security Lab, we want to help put the puzzle together and empower consumers to better understand how their use of certain apps may have privacy and security implications. Please consult our list to determine whether you have any of the apps that we’ve identified installed on your smartphone or tablet. You may want to remove them or, at the very least, limit their location permissions.
Even if you don’t have these specific apps installed, follow our guide to iPhone and Android security and look for signs your apps might be spying on you, such as excessive battery drainage, network congestion, or high memory usage. As always, be careful where you place your digital trust.