
This article was published on May 29, 2019

Your iPhone is leaking personal info to tracking companies

Ravie Lakshmanan

Ahead of the Consumer Electronics Show (CES) in Las Vegas earlier this January, Apple strategically placed a privacy-focused billboard bearing the catchphrase: “What happens on your iPhone, stays on your iPhone.”

It’s a clever spin on the Vegas slogan, and a not-so-subtle dig at its data-hungry competitors. But it is also quite misleading.

As the Washington Post recently discovered, a lot of third-party iOS apps are abusing Background App Refresh to regularly send sensitive personal information to tracking companies. The feature allows apps to refresh their content by running periodically in the background.

What are the app trackers for?

It’s no surprise that third-party apps use trackers to gather all sorts of analytics. But the frequency with which the apps send data back to tracking companies is quite alarming, as is the kind of data shared.

Using Disconnect’s Privacy Pro app, the Washington Post found that apps were sending details like phone number, email, exact location, IP address, and more.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

The list of offending apps includes Microsoft OneDrive, Mint, Nike, DoorDash, Spotify, Yelp, The Weather Channel, Citizen, and The Washington Post’s own iOS app.

Citizen was found to be sharing personally identifiable information in violation of its published privacy policy (it removed the tracker after the Washington Post contacted it), and Yelp was sending a message containing IP addresses every five minutes, a behavior the company later acknowledged was a bug.

In all, the Washington Post encountered over 5,400 trackers during a week of testing.

Privacy concerns with app trackers

App trackers aren’t inherently bad. Some are used to diagnose app behavior to improve performance, while others analyze usage patterns to serve targeted ads.

DoorDash’s app, for example, was found using nine different trackers to gather details from your phone — device name, model, ad identifier, memory size, accelerometer data, delivery address, name, email, and cellular phone carrier — to help identify fraud.

It is also using trackers from Facebook and Google for ads, meaning the two companies know every time you open the app.

To be fair, this behavior is not limited to DoorDash. Using tracking information to tailor ads is the norm everywhere, but unfortunately not many people are aware that this is happening.

It also raises significant privacy concerns about how long these companies might store such information, and the third parties they might be sharing it with.

There’s more work to be done

As we continue to spend more time on apps, it is becoming evident that app permissions and privacy policies alone aren’t enough. Tracking protection controls need to be built into Android and iOS to ensure data collection and sharing practices are more transparent.

For now, it’s impossible to determine what trackers are used and for what purpose without downloading a third-party app like Disconnect’s Privacy Pro (iOS) or Exodus Privacy (Android). Another option is to turn off background app refresh on your iOS device by heading to: Settings > General > Background App Refresh > Off.

At a time when data breaches and privacy violations are so frequent, Apple has built a marketing strategy centred around privacy. It’s not entirely wrong. But it’s also factually incorrect.

What Apple is really implying with the ad campaign is that the company treats your personal data with more respect than its rivals. It will not eavesdrop on your conversations. Apple’s Safari browser won’t track you as you browse the web. And Apple won’t use your identifiable information to serve ads.

However, iPhones leak all sorts of data, often without your knowledge. “What happens on your iPhone, stays on your iPhone” is likely to be the case only if you choose to live in an Apple-centric universe, surrounded by its ecosystem of apps and services.

And as we have just learnt, it’s simply an improbable scenario.
