Popular analytics platform Sensor Tower has been secretly harvesting data from millions of people with Android and iOS ad-blocking and VPN apps, according to an investigation by BuzzFeed News. The apps -- which include Free and Unlimited VPN, Luna VPN and Adblock Focus -- did not make clear that they were owned by Sensor Tower, nor were their users made aware that by using them they were exposing their data to potential risk.
As BuzzFeed reports, users installing one of these apps were prompted to install a root certificate -- Apple and Google restrict root certificate privileges due to the security risk to users. Sensor Tower's apps bypass the restrictions by prompting users to install a certificate through an external website after an app is downloaded. Its apps had been downloaded 35 million times.
According to Sensor Tower -- which owns 20 of these apps -- it only collects anonymized usage and analytics data, which is integrated into its products. Speaking to BuzzFeed, Sensor Tower's head of mobile insights Randy Nelson said the company's apps do not collect sensitive data or personally identifiable information, and that "the vast majority of these apps listed are now defunct and a few are in the process of sunsetting." Nelson also said that Sensor Tower chose not to disclose its ownership of the apps "for competitive reasons."
"A list of the apps. Only Luna VPN remains in the App Store as of now. Luna, Adblock, and Free and Unlimited VPN are still in the Play Store. Apple and Google continue to investigate. pic.twitter.com/CQ6jNinA1x" -- Craig Silverman (@CraigSilverman), March 9, 2020
After being contacted by BuzzFeed News, Apple and Google removed a number of affected apps from their respective stores, with both saying they are now investigating the issue. BuzzFeed reports that 13 Sensor Tower apps were previously removed from the iOS App Store due to policy violations, but it's not clear if these are the same "defunct" apps Nelson is referring to.
Tracking user activity is the cornerstone of the app economy, and it's not unusual for developers to present data-monitoring functions as user safeguards -- Facebook's info-leeching Onavo VPN app is a prime example. However, Sensor Tower's case serves to highlight how this practice is largely misunderstood by users, and indeed, the loopholes companies are prepared to exploit in a bid to get their hands on your valuable data.