A controversial SDK used for location tracking remains present in hundreds of Android apps, in spite of bans by both Apple and Google. Data broker X-Mode’s tracking software was forbidden from use in the world’s two major app stores in 2020 due to the company’s connections to government agencies, but a new study from the ExpressVPN Digital Security Lab reveals that only 10% of apps that previously made use of it have removed it at this point.
ExpressVPN found 199 apps currently listed on Google Play that continue to make use of X-Mode. These apps have collectively been downloaded over one billion times. X-Mode made news in November when it was discovered in a Muslim prayer and Quran app that had been downloaded 98 million times.
Controversial location tracking SDKs still widely in use despite increased scrutiny & bans
Called “Investigation Xoth,” the ExpressVPN study examined a range of software development kits (SDKs) that are widely used by developers to add location tracking function to their apps. While SDKs are often benign in general, they can be a particular privacy problem as they are embedded in app code in such a way that it is difficult for the gatekeeping mechanisms of the app stores to identify them and determine exactly what they are doing.
The ExpressVPN security researchers identified a number of location tracking SDKs with suspicious functions, X-Mode among them. These “tracker SDKs” are sometimes included in apps without the app developers being fully aware of their range of privacy-invasive functions or to whom exactly they are passing user data. This was the case with X-Mode, which had been in use since 2013 without knowledge that the company was collecting and selling identity and location data to US military and government organizations (until investigative reports were published in late 2020). X-Mode came under fire for its use in Muslim Pro, a popular app that makes use of user location data to determine the current direction of Mecca.
While the ExpressVPN study does not name any Apple apps, it is not because they tested clean. The study was limited to examining Android apps due to technical and legal barriers to unpacking apps from Apple’s store to an adequate level. Apps that still contain X-Mode (and other types of location tracking SDKs) are present on both the Android and Apple stores, however.
Data brokers benefiting from surreptitious personal information collection
Due to its notoriety, the ExpressVPN researchers made X-Mode a special focus of this investigation. Aside from the issue of identity and location data being passed to government agencies without user knowledge, these location tracking SDKs sometimes pass data to unknown data brokers who in turn pass it to unknown customers. For example, the investigation found a new component of X-Mode’s SDK that led to five previously unknown entities that it is passing data to: Foursquare subsidiary Placed, audience profiling data brokers Sense360 and OneAudience, WiFi mapping service SignalFrame and SDK developer (and location data broker) BeaconsInSpace.
Two of these hidden data broker partners are particularly controversial. SignalFrame received a grant from the US Air Force to develop software that can be embedded on phones for tapping purposes. And OneAudience has been banned from Facebook and Twitter (among other platforms) and hit with lawsuits for using shady data-gathering practices reminiscent of what was done in the Cambridge Analytica scandal. OneAudience has been hit with high-profile lawsuits (including one involving Facebook) and was supposed to have shut down its SDK in November 2019.
ExpressVPN found communications code leading from X-Mode to a number of these partners in quite a few apps, including seven others that are specifically marketed to Muslim users. These questionable location tracking elements and connections to data brokers are hardly limited to prayer apps and religious profiling, however. ExpressVPN notes that markers of these questionable SDKs are most commonly found in social and dating apps that list specific user demographics or countries in their names. Video and file converters were also among the apps found to be using X-Mode, a category that should have no reason for needing granular location information other than surreptitious profiling and tracking.
Anurag Kahol, CTO and Cofounder of Bitglass, shared some thoughts on how organizations can protect themselves from unwittingly making use of services that are feeding questionable data brokers: “App developers hold a responsibility to their users to request explicit consent for data sharing and allow them full control over their private information … In addition to violating users’ privacy, refusal to adhere to data privacy regulations like the CCPA could also result in steep compliance fines … To maintain compliance, organizations can start by obtaining consent from users, then equip themselves with data loss prevention (DLP), multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) capabilities. By implementing a strong security protocol, companies can maintain visibility and control over data wherever it goes, while also preventing data trackers from accessing users’ private information.”
A group of Democrat senators, including Ron Wyden and Elizabeth Warren, requested information from Mobilewalla in August regarding surreptitious mobile location tracking of Black Lives Matter protesters. These incidents have put increased focus on the extent to which government agencies are engaging in warrantless tracking and surveillance via purchases from data brokers. Some agencies have taken the position that information obtained from data brokers does not violate First Amendment protections.