Google and Apple block 20 data-stealing applications – 35M downloads later

The app analytics platform Sensor Tower was accused of data theft this week. The apps don’t reveal who is behind them or what data they collect.

The most worrying thing is that many apps require the user to install a man-in-the-middle root certificate. It is perfectly acceptable.

Free VPNs and ad blockers: How did they expect it to turn out? We quote Serra and Schoolman again in this week’s Security Blogwatch.

These bloggy pieces were curated by your humble blogwatcher. You can even have puppies!

Your product is you

What’s the fun? Craig Silverman reports that many VPN and ad-blocking apps secretly harvest user data:

Sensor Tower is a well-known analytics platform that secretly collects data from people who use popular VPN and ad blocking apps. These apps don’t reveal … that they send user data to Sensor Tower’s product. They have over 35 million … downloads.

The apps ask users to download a root certificate. This allows the issuer of the root certificate access to all data and traffic passing through their phones. Root certificate privileges are restricted by Apple and Google due to security risks to users. The apps allow users to bypass these restrictions and prompt them to download a certificate from an external site.

These [apps] — Free VPN Unlimited, Luna VPN and Mobile Data — are now available on the Google Play Store. Adblock Focus was available in Apple’s App Store. Luna VPN was also available. After being contacted [by us], Apple deleted Adblock Focus, and Google removed Mobile Data.

Randy Nelson is Sensor Tower’s chief of mobile insight. He stated that … “Our applications do not track or request sensitive user data like usernames and passwords from users or any other apps on their device, even web browsers.”

Ah. It’s all right. It’s okay.

Surreptitiously collecting internet usage data has been possible with at least 20 VPNs and ad blocking apps for Android and iOS. Ad-blockers and VPNs are meant to protect your privacy. Sensor Tower apps are siphoning your internet traffic and doing exactly the opposite.

It should be a reminder to you that you may have paid for your VPN service or ad blocker using cold cash. Unlimited VPN services are not available for free.

It is indeed true. Rachel England says An analytics platform that uses VPNs to steal user data:

The app economy is built on tracking user activity. Developers often present data-monitoring functions to users as safeguards. Facebook’s Onavo VPN app, which leaks user information to the company, is an excellent example. This case highlights how users often misunderstand this practice, as well as the potential loopholes that companies may be able to exploit.

Sensor Tower, the company that owns these 20 apps, claims it collects only anonymized usage data and analytics data which are integrated into its products. Both Apple and Google have removed affected apps from the respective stores. They both said they were investigating. Due to violations of policy, 13 Sensor Tower apps had been removed from the iOS App Store.

Do you want one? Rubyn00bie as **** would not:

It’s also the reason I won’t use any VPN that I don’t own (or one with a poor reputation). I would certainly never ing consider using a free VPN. This could be a fun experiment that uses an adversarial neural network to mine the *******s data.

So Rho Waxes:

Everyone needs to know that VPNs do not provide anonymity. This is not what VPNs are for and it never was. They will lie to you if they tell you that you can “protect your privacy online by using their service.”

You control the VPN’s two ends, and it is your private network. It’s your private network if you use another software or endpoint.

Too much theorizing. Cik is there. That’s it.

Over the years, I have built multiple VPN networks. I do not use any of them. Since I don’t own the network anymore, my philosophy was that you can’t trust it.

It is a hard truth that you can’t see what logs are being stored if you don’t have access to all the servers. My preference has always been to leave VPN servers running on open operating systems, accessible by the entire world, as read-only. This is one of my favorite forms of transparency.

is a lot smarter than you.

Is that a phone app free to track me? It is allegedly designed to increase my security and privacy.

It’s a VPN that encrypts all of my traffic. They don’t do it out of goodness?

They’ll then tell us that they sell data to Facebook, Google, and other governments. They do.

Next Shoe? AznHisoka claims a similar perp.

SimilarWeb, another company that has millions in funding, is also sitting on a questionable foundation. The company owns a number of Chrome extensions which track your visits to websites and the queries that you type into Google.

What kind of name is “Sensor Tower” anyway? Strong like stronglikedan

It could have been called Eye of Sauron.

What is the moral of this story?

Which apps are being installed on your customers’ phones? What are these apps doing to your company’s data?

And last but not least

We all need six dogs in these difficult times


You’ve been reading Security Blogwatch by Richi Jennings. Richi curates some of the most interesting bloggy bits and forums … so that you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Before reading, consult your physician. Your mileage may vary. E&OE.

Source: KC Green (cc:by-sa).
