Data is expensive. While some user data may not be directly sold for something in return, other data can uncover a whole world of priceless information.
Researchers have found some popular ad-blocking and VPN apps stealthily collecting users’ data. But what connects them is that, these apps can be linked back to the data analytics firm Sensor Tower, a popular platform for tech developers and investors.
The firm was found collecting data from millions of people who have installed popular VPNs and ad-blocking apps on both Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed their data to Sensor Tower, have a combined more than 35 million downloads.
According to the report from BuzzFeed News' investigation, Sensor Tower owned around 20 such apps since 2015, which they continued to use for secretly harvesting users’ data.
Those apps can collect so much data because they prompt users to install a root certificate, which is a small file that allows its issuer to access all traffic and data passing through the device.
While both Google and Apple restrict root certificate privileges, the apps were able to bypass the restriction by urging users to download the certificate from an external website.
BuzzFeed News managed to discover this by looking at their codes.
Here, the researchers found that the apps contained code authored by developers who work for the company. Digging a bit further, the online résumé of one Sensor Tower developer, whose GitHub username is in the code of the multiple apps, said that he built "Android apps to power the Sensor Tower analytics platform."
The personal website of another Sensor Tower developer said he’s “Working on awesome top secret iOS Projects.”
Sensor Tower's head of mobile insights, Randy Nelson, said that the company did not disclose ownership of the apps for competitive reasons. He also assures that the company do not collect any sensitive data.
“Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user’s device, including web browsers,” Nelson said.
“When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense — especially considering our history as a startup,” he said, adding that the company originally started with the goal of building an ad blocker.
Armando Orozco, an Android analyst for Malwarebytes, said that giving root privileges to an app exposes users to significant privacy risks.
“Your typical user is going to go through this and think, Oh, I‘m blocking ads, and not really be aware of how invasive this could be,” he said.
Nelson said that “the vast majority of these apps listed are now defunct (inactive) and a few are in the process of sunsetting.”
In most cases, the apps are no longer available because they were removed due to policy violations.
A dozen of Sensor Tower apps were previously removed from the iOS App Store due to violations, according to an Apple spokesperson. After being contacted by BuzzFeed News, Apple removed Adblock Focus and said it is continuing to investigate Luna VPN.
Google is also investigating on the apps but did not initially comment about the deadline.
“We take the app stores’ guidelines very seriously and make a concerted effort to comply with them, along with any changes to these rules that occur from time to time,” Nelson said.
The company told BuzzFeed News that it only collects anonymized usage and analytics data, which is integrated into its products. For obvious reasons, Sensor Tower’s app intelligence platform has long been used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps.
But still and nonetheless, asking users to install root certificates is itself a suspicious and potentially malicious act that risks a breach of privacy and security of users.