Popular VPN and Ad-Block Apps Are Secretly Collecting Your Data
When apps have more than 35 million downloads, one would think that they’re safe to use based on their popularity. However, some apps are marketed as offering a particular function when their real purpose is another entirely. That’s exactly what’s been going on with Sensor Tower (the top analytics platform). Apparently, it has been secretly collecting data from millions of people who use its VPN and ad-blocking apps on iOS and Android. What’s this all about? What are the apps? Find out below.
What’s Going On?
Ever since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Little did we know, it used these apps to harvest app usage data from end users in order to make estimations about app trends and revenues.
The company operates 4 of the most popular apps on the app stores, including Luna VPN, Free and Unlimited VPN, Adblock Focus, and Mobile Data.
According to BuzzFeed’s report, they reached out to Apple and Google, resulting in the removal of Adblock Focus from Apple’s App Store and Mobile Data from the Play Store.
The problem is, none of the apps mentioned or revealed their affiliation with Sensor Tower or their data collection practices. This is a complete violation of users’ privacy, which has become a habit nowadays.
When confronted about the apps’ shady purpose, Randy Nelson, the company’s head of mobile insights, defended the lack of transparency. He used two words: “Competitive Reasons.” That’s not all; he also added:
“When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense — especially considering our history as a startup.”
Nelson stated that the applications don’t collect user data such as passwords, usernames, etc. However, he then added that the data collected by Sensor Tower is anonymized. Contradiction?
Despite all the explanation he tried to give, Nelson wasn’t able to provide any evidence of the claim to BuzzFeed.
But How Does it Work?
Lack of transparency is one thing, and how the apps actually work is another. It’s so much worse. Once a user installs the app on a mobile device, it asks him/her to install a root certificate.
Now, that’s how the harvesting magic happens. Upon hitting install, you’re practically allowing Sensor Tower to monitor “all traffic and data passing through your phone.”
Emphasis on “All,” meaning that there’s a huge possibility that the app is harvesting, not just the data passing through Sensor Tower’s VPN servers, but maybe all of your data.
The small files you agreed to install can give developers escalated access to everything you hold dear and personal. You might ask yourself: How is it possible to install a root certificate when both Google and Apple block root privileges by default?
It’s simple; the apps can circumvent these restrictions by prompting users to download the root certificate through an external website. Be careful. If any app makes such a request, walk away immediately.
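To see what such a download would install before accepting it, the file can be inspected offline. The sketch below is an added example, not code from the apps or the original report; it assumes the certificate arrives as an unsigned iOS configuration profile (.mobileconfig), and the sample profile and all names in it are constructed.

```python
import plistlib

# Configuration-profile payload types that change what the device trusts
# or where its traffic is routed.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate (may be an intermediate CA)",
    "com.apple.vpn.managed": "configures a VPN tunnel",
}

def audit_profile(data):
    """Return (payload type, display name, reason) for each risky payload."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName", "<unnamed>")
            findings.append((ptype, name, RISKY_PAYLOADS[ptype]))
    return findings

def intercept_capable(findings):
    """True when the profile both adds a trusted root and routes traffic via VPN,
    the combination that makes interception of TLS traffic possible."""
    types = {ptype for ptype, _, _ in findings}
    return {"com.apple.security.root", "com.apple.vpn.managed"} <= types

# Constructed sample profile (hypothetical names, placeholder certificate bytes).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example VPN Setup",
    "PayloadIdentifier": "com.example.vpn.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example Root CA",
         "PayloadContent": b"placeholder, not a real certificate"},
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadDisplayName": "Example VPN", "VPNType": "IKEv2"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Example Wi-Fi", "SSID_STR": "example"},
    ],
})

if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for ptype, name, reason in results:
        print(f"{ptype}: {name!r} {reason}")
    print("can intercept TLS traffic:", intercept_capable(results))
```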
Our Luna Incident
After learning about this fact, we wanted to see what one of these apps is really like. That’s when we downloaded Luna, the free VPN service.
Before we continue, you have to know that whatever “Free” app you encounter out there is not really free. In other words, if you’re not paying for the product, you are the product.
When we downloaded Luna VPN, the first thing it showed us is this:
It clearly states that they collect some sort of data about users. However, that wasn’t our problem. The issue was when we deactivated the software. For some reason, it kept running again and again. Every time we disabled it, Luna connected one more time.
It was pretty alarming, which led us to uninstall the app.
Sensor Tower’s Statement
This is what Sensor Tower had to say about the matter:
“Our business model is predicated on high-level, macro app trends. As such, we do not collect or store any personally identifiable information (PII) about users on our servers or elsewhere.
In fact, based on the way our apps are designed, such data is separated before we could possibly view or interact with it, and all we see are ad creatives being served to users. What we do store is extremely high level, aggregated advertising data that may demonstrate trends that we share with customers.
Our privacy policy follows best practices and makes our data use clear. We want to reiterate that our apps do not collect any PII, and therefore it cannot be shared with any other entity, Sensor Tower or otherwise.
We’ve made this very clear in our privacy policy, which users actively opt into during the apps’ onboarding processes after being shown an unambiguous disclaimer detailing what data is shared with us.
As a routine matter, and as our business evolves, we’ll always take a privacy-centric approach to new features to help ensure that any PII remains uncollected and is fully safeguarded.
Based on the feedback we’ve received, we’re taking immediate steps to make Sensor Tower’s connection to our apps perfectly clear, and adding even more visibility around the data their users share with us.”
Google and Apple’s Responsibility
Let’s be honest; both Google and Apple are culpable here. Google is well-known for its pro-data collection process; it’s just its nature since the beginning.
It is, after all, an advertising-powered company. Let’s not forget that it also monitors and tracks users in the real world using its Google Maps app.
But the real issue is Apple, which labels itself as a privacy-focused company. Therefore, we blame it more when it comes to such a breach of privacy.
Following the Onavo Scandal, it seemed quite reasonable for Apple to take a closer look at the VPN app industry and what it offers within its App Store.
They had to make sure that the apps provided by Sensor Tower were compliant with its rules and transparent about the nature of their businesses.
Let’s face it, Apple is not in the dark, and it definitely knows how these types of companies operate and acquire data. Come on; it’s basic industry knowledge.
So, we can blame Apple more than Google for such a misstep.
Not Our First Rodeo!
We would love a safer environment for internet users, but we don’t always get what we wish for. Unfortunately, these kinds of data collection apps are not new and most certainly not unique to Sensor Tower’s operation.
In fact, both Google and Facebook still operate such apps, as well as Sensor Tower’s rival, App Annie. Shall we remind you of what went on?
Back in 2013, Facebook acquired the VPN app Onavo, which we shed some light on above. We’re going to talk about it a bit more now.
Facebook used Onavo to gain a competitive advantage. It became a tool that harvests the traffic through the app and gives insight to Facebook about which other social applications were growing in popularity.
This allowed Facebook to mimic other apps’ features or acquire them if necessary. Later on, Apple removed Onavo from the App Store, which Facebook brought back in the form of Facebook Research. While it was a bit more transparent, it sure did collect user data.
Google also used an app called Screenwise Meter, which invited users 18 and up to participate in the panel. Despite granting gift cards, it did so in exchange for collecting their data.
Screenwise Meter used Apple’s Enterprise Certificate program to operate, which is a violation of Apple’s policy. As a result, Apple removed the application from its Store, yet it was launched again later on. As of now, the app is up and running, and it continues to track usage, among other data.
App Annie
Finally, we have App Annie. The company also operates its own set of apps to track app usage. Take its Phone Guardian app, which is used by over 1 million people. Here’s what it says:
“Trusted by more than 1 million users, App Annie is the leading global provider of mobile performance estimates. In short, we help app developers build better apps. We build our mobile performance estimates by learning how people use their devices. We do this with the help of this app.”
The app admits its relationship with App Annie in the description, but remains vague about its true purpose. Yes, it collects user data.
See? This is not the first time we encountered such a privacy breach, and it sure won’t be the last.
Popular VPN and Ad-Block Apps Are Harvesting Your Data
Data collection has been a habit of major companies around the world. Whether they use it to improve their service, as some state, or to sell for sister companies, the act is still unacceptable.
We’ve already witnessed such incidents before, and we sure will encounter more in the future. We just have to be careful about which apps to install on our devices if we want to protect our privacy.
Now, what is your feedback about Sensor Tower’s data collection? Do you use any of their products? Share your thoughts and experience below.