Candy Crush, Tinder, MyFitnessPal: See thousands of apps hacked to spy on your location



Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to collect sensitive location data on a large scale, with that data ultimately ending up with a location data company whose subsidiary previously sold global location data to U.S. law enforcement.

Thousands of apps are included in the hacked files from location data company Gravy Analytics, ranging from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, across both Android and iOS. Since much of the collection is done through the advertising ecosystem — not code developed by the app creators themselves — this data collection likely occurs without users’ or even app developers’ knowledge.

“For the first time publicly, we appear to have evidence that one of the largest data brokers selling to commercial and government customers appears to be getting their data from the ‘bidding stream’ of online advertising,” rather than from code embedded in the applications themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, which has closely followed the location data industry, told 404 Media after reviewing some of the data.

The data provides a rare glimpse into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include packages of code that collected location data from their users. Many companies have instead turned to obtaining location information through the advertising ecosystem, where companies bid on placing ads within applications. But one side effect is that data brokers can eavesdrop on that process and pinpoint the locations of people’s cell phones.

“This is a nightmare scenario for privacy, because not only does this data breach involve data obtained from RTB systems, but there are some companies that are behaving like global honey badgers, doing whatever they please with every piece of data that comes their way,” Edwards says.

Gravy’s compromised data includes tens of millions of cell phone coordinates for devices within the United States, Russia, and Europe. Some of these files also name an app next to each piece of location data. 404 Media extracted the app names and compiled a list of the apps mentioned.

The list includes the dating apps Tinder and Grindr; huge games like Candy Crush, Temple Run, Subway Surfers and Harry Potter: Puzzles and Spells; the transportation app Moovit; My Period and Tracker, a menstrual cycle tracking app with over 10 million downloads; the popular fitness app MyFitnessPal; the social network Tumblr; Yahoo’s email client; Microsoft’s 365 Office app; and the flight tracker Flightradar24. The list also mentions several religion-focused apps, such as Muslim prayer and Christian Bible apps, several pregnancy tracking apps, and several VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Several security researchers have posted other lists of apps embedded in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app with slight name differences to make it easier for readers to search for apps they have installed.

Although this data set came from an apparent Gravy hack, it is not clear whether Gravy collected this location data itself or obtained it from another company, nor which location company ultimately owns it or is licensed to use it.
