Some Developers Don't Know What Their Apps Do With Your Data. Here's Why.
Most apps use off-the-shelf code—and some of it can be risky
A couple of years ago, Disconnect, a small tech company in San Francisco, was approached with an enticing offer: For every 100,000 people who used Disconnect’s apps, a company called Elephant Data promised to pay it $1,000 a month. All Disconnect had to do was to add a few lines of code into its apps.
Thousands of dollars a month is a tidy sum for a small app company, but Disconnect turned down the offer. It develops apps and research that promote digital privacy—and occasionally collaborates with Consumer Reports on security investigations. Proposals like Elephant's often come from companies trying to collect user data for advertising, which could not be more at odds with Disconnect's mission.
As it turns out, what Elephant was doing was much worse. Last year, an investigation from Upstream, a mobile security company, found that Elephant Data’s code secretly recruited consumers’ phones into a scheme that jacked up their phone bills and contributed to the tens of billions of dollars digital ad networks lose to fraud every year.
Elephant was shopping around a shady SDK, or software development kit. SDKs are important building blocks found in almost every kind of software, including phone apps, and they range from the utterly mundane to the explicitly malicious. In between these extremes lies an entire world of code supplied by data brokers and app analytics companies with cheery tech-startup names the average consumer has probably never heard of.
But these data companies have heard about you: They exist to trade in information about who you are, the things you like, everywhere you go, and what you do on your phone.
Bad Actors Hiding in the Code
For Elephant Data and similar SDKs, this opacity is valuable cover. Nobody would knowingly sign up for an international ad-fraud conspiracy, but they might stumble into one if they download an app quietly running Elephant’s code in the background.
Upstream’s research focused on a popular file-sharing app called 4Shared that incorporated Elephant Data’s SDK. The app was silently loading and clicking on invisible ads on people’s phones, apparently to defraud companies that pay to have their ads displayed. In some cases, Elephant Data even made fraudulent purchases on behalf of users. Upstream found 2 million devices in 17 countries (including the U.S.) that were behaving this way, and estimated it may have cost their owners as much as $150 million in data charges.
Over the years, Disconnect was contacted by other companies offering money in return for installing their code. One came from a company called AppJolt, which later became part of OneAudience, an app-analytics company. In February, Facebook sued OneAudience over an SDK it claimed was improperly harvesting user data. A spokeswoman from OneAudience's public relations firm tells CR that the company shut down in November and pointed to a statement that said the data was "never intended to be collected, never added to our database and never used."
It's unusual for a company to pay developers to use their SDKs. More often, the software is free or developers are charged for it. Offering to pay for placement isn't a sure sign that a company is engaging in fraud, but consumers still may not be comfortable with what the SDK provider is doing. For instance, a company called X-mode pays app developers to use its SDK, which collects users' location data to be aggregated and sold to other businesses.
It’s not clear how many other apps are running Elephant Data’s SDK. The company, which appears to be based in Hong Kong, did not respond to CR’s repeated requests for comment.
Building From Scratch
Fraud aside, developers that want to build apps that respect their users' privacy can find it difficult to avoid participating in the legal third-party data economy.
Several years ago, one company—Perry Street Software—made the leap: It began stripping other companies’ SDKs out of its products, a pair of popular gay dating apps called Jack’d and Scruff. The effort took a “tremendous amount” of time and money, says Perry Street CEO Eric Silverberg.
But for a company that caters to the gay community in the U.S. and abroad—users who, depending on their circumstances, could be fired, arrested, or assaulted if their identities leaked—plugging those potential data leaks felt important. So the company pulled out vendors’ SDKs for analyzing app performance, tracking installs, and displaying advertisements bought on third-party networks. Now, marketers deal directly with Perry Street if they want to advertise in the dating apps. Facebook, too, got discarded, even though that meant Jack’d and Scruff wouldn’t be able to benefit from the company’s powerful advertising platform.
Silverberg shared a scrap of business-school advice that has stayed with him: Be careful of the company you keep. “There’s just a universe of actors all clamoring to get access to your data, and you need to be careful,” he says.
For the average startup, going cold turkey probably isn’t realistic. “When we got our start, we were using third-party ad networks, and they were a critical source of revenue,” Silverberg says. “We’d never be here if it weren’t for that revenue. I completely understand an app starting today needing revenue from those networks.”
That means the average consumer is constantly dealing with data-hungry companies operating just below the surface of their apps. Experts tell CR there’s little a user can do to protect themselves, beyond avoiding sketchy apps from anonymous developers. “I try to think: Is this developed by a company I’ve heard of? So I’m not just downloading random stuff from the App Store,” says Cynthia Taylor, a computer science professor at Oberlin College.
But that's not much of a defense against abuse, experts say. “Right now the issue is that the burden of determining whether an app is going to be behaving or not is shifted to the end user,” says Berkeley’s Egelman. “Consumers just don’t have the ability to make these decisions. And other stakeholders have abdicated their responsibility.”