科技回声

A tech news platform built on Next.js that mirrors global tech news and discussion.

Resources: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.

Everyone knows your location: tracking myself down through in-app ads

1957 points, posted by apokryptein, 4 months ago

92 comments

qingcharles, 4 months ago
One big privacy issue is that there is no sane way to protect your contact details from being sold, regardless of what you do.

As soon as your cousin clicks "Yes, I would like to share the entire contents of my contacts with you" when they launch TikTok your name, phone number, email etc are all in the crowd.

And I buy this stuff. Every time I need customer service and I'm getting stonewalled I just go onto a marketplace, find an exec and buy their details for pennies and call them up on their cellphone. (this is usually successful, but can backfire badly -- CashApp terminated my account for these shenanigans)
everdrive, 4 months ago
I'm really happy to see this level of detail and research. So many privacy-related articles either wholly lack in technical skill, or hysterically cannot differentiate between different levels of privacy concerns and risks.

People commonly point to Mozilla's research regarding vehicles' privacy policies. (https://foundation.mozilla.org/en/blog/privacy-nightmare-on-wheels-every-car-brand-reviewed-by-mozilla-including-ford-volkswagen-and-toyota-flunks-privacy-test/) But that research only states what the car company's lawyers felt they must include in their privacy policies. These policies imply (and I'm sure, correctly imply) that your conversations will be recorded when you're in the vehicle. But, they never drill down into the real technical details. For instance ..... are car companies recording you the whole time and streaming ALL of your audio from ALL of your driving? Are they just recording you at random samples? Are they ONLY recording you when you're issuing voice commands, and the lawyers are simply hedging their bets regarding what sort of data _might_ come through accidentally during those instances? Once they record you, where is the data stored, and for how long? Is it sent to 3rd parties, etc? Which of these systems can be disabled, and via what means? Does disabling these systems disable any other functionality of the vehicle, or void its warranty? Lastly, does your insurance shoot up if you have a car without one of these systems? etc ...

The list of questions could go on almost indefinitely, and presumably, would vary strongly across manufacturers. So much of the privacy news out there is nothing but scary and often not very substantiated worst case scenarios. Without the details and means to improve privacy, all these stories can do is spread cynicism.

I'm really glad to see this level of discourse from the author.
inahga, 4 months ago
There are quite a few interesting tracking flows out there.

My rent is paid through a company called Bilt.

I discovered that when I shop at Walgreens now, Bilt sends me an email containing the full receipt of what I bought like so:

    > Hey [inahga],
    >
    > You shopped at Walgreens on 12/1/24 and earned Bilt Points with your
    > Neighborhood Pharmacy benefit.
    >
    > Items eligible for rewards
    > TOSTITOS HINT OF LIME RSTC 11OZ
    > $3.50
    >
    > +3 pts
    > TOSTITOS RSTC 12OZ
    > $3.50
    >
    > +3 pts
    > Other items*
    > EXCLUDED ITEMS
    > $0.07
    >
    > *May include rewards-ineligible items and/or prescriptions.

Ostensibly (hopefully) it would exclude sensitive items, plan B, condoms, etc...

I'm curious how this data flows from Walgreens to my rent company, but maybe I'd rather not know and just use cash/certified check from now on.
theptip, 4 months ago
> Why do they need to know my screen brightness, memory amount, current volume and if I'm wearing headphones?

This is clearly adding entropy to de-anonymize users between apps, rather than to add specificity to ad bids.
gruez, 4 months ago
> If it was LTE, I bet the lat/lon would be much more precise.

False. Apps don't have access to cellid information unless they also have location permissions, in which case they can just request your location directly.

> the free apps you install and use collect your precise location with timestamp [...]

This is alarmist and contradictory given that the author admits a few paragraphs up that the "location shared was not very precise". It might be possible for the app to request precise location via location services, but the app doesn't request such permissions (at least on android, you can't check for requested permissions on iOS without installing the app and running it), so such apps are most definitely limited to "not very precise" locations.

> At the same time, there is so much data in the requests that I'd expect ad exchanges to find some loophole ID that would allow cross-app tracking without the need for IDFA.

At least in theory they're not supposed to do that, but it'd be hard to enforce.

"If a user resets the Advertising Identifier, then You agree not to combine, correlate, link or otherwise associate, either directly or indirectly, the prior Advertising Identifier and any derived information with the reset Advertising Identifier."

https://developer.apple.com/support/terms/apple-developer-program-license-agreement/
nomilk, 4 months ago
> Advertising Tracking ID was actually set to 000000-0000... because I "Asked app not to track".

> I checked this by manually disabling and enabling tracking option for the Stack app and comparing requests in both cases.

> And that's the only difference between allowing and disallowing tracking

This is revealing! I'd wondered about Apple's curious wording: "Ask App not to track" leaves suspicious wriggle room. Apps may not track by an id, but could easily 'fingerprint' users (given how much other data is sent), so even without a unique ID, enough data would be provided for them to know who you are 99% of the time.

Amended Dead Privacy Theory:

The Dead Internet Theory says most activity on the internet is by bots [0]. The Dead Privacy Theory says approximately all private data is not private; but rather is accessible on a whim by any data scientist, SWE, analyst, or db admin with access to the database, and third parties.

[0] https://en.wikipedia.org/wiki/Dead_Internet_theory
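The comparison nomilk quotes above (capture the bid request with tracking allowed, capture it again after "Ask App Not to Track", diff the two) can be automated. The following is an added example, not code from the article or from any ad SDK. The two captures are constructed inline; the top-level device field names (`ifa`, `lmt`, `geo`, `ip`, `carrier`, `model`, `os`, `osv`, `connectiontype`) follow the OpenRTB 2.x `device` object, while the names under `ext` (`boot_time`, `brightness`, `volume`, `headphones`, `ram_free_mb`, `disk_free_mb`) are assumptions standing in for the extra telemetry the article lists.

```python
import json

ZERO_IFA = "00000000-0000-0000-0000-000000000000"

# Device fields that still identify or fingerprint the handset when the
# advertising identifier is withheld. Top-level names follow the OpenRTB 2.x
# `device` object; the names under `ext` are assumptions for this example.
FINGERPRINT_FIELDS = (
    "ip", "geo.lat", "geo.lon", "carrier", "model", "os", "osv", "connectiontype",
    "ext.boot_time", "ext.brightness", "ext.volume", "ext.headphones",
    "ext.ram_free_mb", "ext.disk_free_mb",
)


def _get(obj, dotted):
    """Look up a dotted path such as 'geo.lat'; None if any hop is missing."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def inspect_bid_request(payload):
    """Summarise what a bid request reveals regardless of the tracking choice."""
    req = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    device = req.get("device", {})
    ifa = device.get("ifa")
    present = [f for f in FINGERPRINT_FIELDS if _get(device, f) is not None]
    return {
        "ifa_withheld": ifa in (None, "", ZERO_IFA),
        "lmt": device.get("lmt"),                      # OpenRTB "limit ad tracking"
        "precise_location": _get(device, "geo.lat") is not None
        and _get(device, "geo.lon") is not None,
        "fingerprint_fields_present": present,
    }


def _flatten(d, prefix=""):
    """Nested dict -> {'geo.lat': ..., 'ext.volume': ...}."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(_flatten(v, key + "."))
        else:
            out[key] = v
    return out


def diff_device(req_a, req_b):
    """Device keys whose values differ between two captures."""
    a, b = _flatten(req_a["device"]), _flatten(req_b["device"])
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


# Constructed captures from the same imaginary handset, one with tracking
# allowed and one after 'Ask App Not to Track'. Only ifa and lmt differ.
_COMMON_DEVICE = {
    "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)",
    "ip": "198.51.100.23",                               # documentation range
    "geo": {"lat": 52.37, "lon": 4.89, "type": 2},       # type 2 = IP-derived
    "carrier": "310260", "model": "iPhone11,8", "os": "iOS", "osv": "17.2",
    "connectiontype": 2,
    "ext": {"boot_time": 1706000001, "brightness": 0.42, "volume": 0.5,
            "headphones": False, "ram_free_mb": 812, "disk_free_mb": 20480},
}
TRACKING_ALLOWED = {"id": "req-1", "device": dict(
    _COMMON_DEVICE, ifa="6D92078A-8246-4BA4-AE5B-76104861E7DC", lmt=0)}  # constructed IFA
TRACKING_DENIED = {"id": "req-2", "device": dict(_COMMON_DEVICE, ifa=ZERO_IFA, lmt=1)}

if __name__ == "__main__":
    print(json.dumps(inspect_bid_request(TRACKING_DENIED), indent=2))
    print("differs only in:", diff_device(TRACKING_ALLOWED, TRACKING_DENIED))
```

On the constructed pair, `diff_device` reports only `ifa` and `lmt`, and `inspect_bid_request` on the opted-out capture still lists all fourteen fingerprinting fields and an IP-derived lat/lon. To reproduce this on real traffic, feed the JSON bodies exported from the intercepting proxy into `inspect_bid_request` and `diff_device` in place of the constructed dicts.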
AyyEye, 4 months ago
> There's no "personal information" here, but honestly this amount of data shared with an arbitrary list of 3rd parties is scary. Why do they need to know my screen brightness, memory amount, current volume and if I'm wearing headphones?

Screen brightness, boot time, memory, and network operator could probably fingerprint any device all by itself.
mickgardner, 4 months ago
I find it fascinating reading hacker news, full of IT folk who simultaneously build software that enables and profits from the advertising and personal information selling & tracking industry - are also the same people who complain the loudest about it. Unbelievable.
jmward01, 4 months ago
A long time ago I had the idea to create an 'accountability server'. The high level idea was for it to generate unique credentials so that you could track to the source who sold your info. There are some ways to do that now, but I wonder if it is time to start exploring that idea again. If you exposed it as a VPN/proxy+app that ran on a server in your home, so that you could collect your own data and provide unique credentials on account creation, then I wonder how much that combination could figure out. Since it could act as a man in the middle it potentially could annotate credential source and see the ads and potentially track them to source. "This male enhancement pill ad is linked to your tire purchase." There is a lot of hand waving here, but I wonder if something like this could be built. The first step to stopping things like this is showing people who did it to them.
timsh, 4 months ago
wow @apokryptein thanks for posting my article here... I'm shocked it's #1 rn. if anyone has any questions regarding the post - I'm here to answer & talk!
psanford, 4 months ago
Don't use mobile apps that could just be websites.
rsync, 4 months ago
How much money is tied back to, or generated from, wifi AP SSID databases for geolocation?

Because wow that would be simple to spoof and chaff and spam.

It's dinnertime here but if I had a few minutes I could make (my own house) appear indistinguishable from (Chase Center) from the perspective of SSID landscape.

It would cost nothing and is trivially easy. Even if they pair MAC addresses that's not a big hurdle. I'll bet relative signal strengths are not measured.

It might be a good flushing action[1].

[1] https://kozubik.com/items/FlushingAction/
sjtgraham, 4 months ago
> There's no "personal information" here, but honestly this amount of data shared with an arbitrary list of 3rd parties is scary. Why do they need to know my screen brightness, memory amount, current volume and if I'm wearing headphones?

> I know the "right" answer - to help companies target their audience better! For example, if you're promoting a mobile app that is 1 GB of size, and the user only has 500 MB of space left - don't show him the ad, right?

Author jumps to the incorrect conclusion here. The answer is fingerprinting.
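The claim theptip, AyyEye and sjtgraham make above, that brightness, boot time, memory and operator are there as identifying entropy rather than as targeting signal, can be measured rather than asserted. The following is an added example, not code from the article or from any ad SDK: it takes a population of devices, computes how many bits each reported field contributes, and how many devices are singled out by the coarse targeting fields alone versus by the full telemetry. The eight-device population and its field names are constructed for illustration; real populations are larger, but the same functions apply unchanged to a list of captured device objects.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed population of eight handsets reporting the kinds of fields the
# article saw in bid requests. Every value here is made up for illustration.
SAMPLE_DEVICES = [
    {"model": "iPhone11,8", "os": "17.2", "carrier": "310260", "ram_mb": 4096,
     "brightness": 0.42, "volume": 0.5, "headphones": False, "boot_time": 1706000001},
    {"model": "iPhone11,8", "os": "17.2", "carrier": "310260", "ram_mb": 4096,
     "brightness": 0.42, "volume": 0.5, "headphones": True, "boot_time": 1706000002},
    {"model": "iPhone11,8", "os": "17.3", "carrier": "310410", "ram_mb": 4096,
     "brightness": 0.80, "volume": 0.3, "headphones": False, "boot_time": 1706000003},
    {"model": "iPhone11,8", "os": "17.2", "carrier": "310260", "ram_mb": 4096,
     "brightness": 0.35, "volume": 0.5, "headphones": False, "boot_time": 1706000004},
    {"model": "iPhone14,5", "os": "17.2", "carrier": "310260", "ram_mb": 6144,
     "brightness": 0.42, "volume": 1.0, "headphones": False, "boot_time": 1706000005},
    {"model": "iPhone14,5", "os": "17.2", "carrier": "310410", "ram_mb": 6144,
     "brightness": 0.90, "volume": 0.5, "headphones": True, "boot_time": 1706000006},
    {"model": "iPhone14,5", "os": "17.3", "carrier": "310260", "ram_mb": 6144,
     "brightness": 0.55, "volume": 0.7, "headphones": False, "boot_time": 1706000007},
    {"model": "iPhone14,5", "os": "17.2", "carrier": "310260", "ram_mb": 6144,
     "brightness": 0.42, "volume": 0.5, "headphones": False, "boot_time": 1706000008},
]

COARSE_FIELDS = ["model", "os", "carrier"]          # plausible ad-targeting inputs
TELEMETRY_FIELDS = ["ram_mb", "brightness", "volume", "headphones", "boot_time"]
ALL_FIELDS = COARSE_FIELDS + TELEMETRY_FIELDS


def shannon_entropy_bits(values):
    """Entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def per_field_entropy(devices, fields=ALL_FIELDS):
    """How many bits each field contributes on its own in this population."""
    return {f: shannon_entropy_bits([str(d[f]) for d in devices]) for f in fields}


def fingerprint(device, fields):
    """Stable digest over the chosen fields: the kind of stand-in identifier an
    SDK could derive when the advertising ID is zeroed."""
    canonical = json.dumps({f: device[f] for f in fields}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def anonymity_sets(devices, fields):
    """For each device, how many devices in the population share its fingerprint."""
    fps = Counter(fingerprint(d, fields) for d in devices)
    return [fps[fingerprint(d, fields)] for d in devices]


def uniqueness(devices, fields):
    """Fraction of devices singled out by the chosen fields alone."""
    sizes = anonymity_sets(devices, fields)
    return sum(1 for s in sizes if s == 1) / len(sizes)


if __name__ == "__main__":
    for name, fields in (("coarse", COARSE_FIELDS), ("all", ALL_FIELDS)):
        print(f"{name:>6}: {uniqueness(SAMPLE_DEVICES, fields):.0%} of devices unique")
    for field, bits in per_field_entropy(SAMPLE_DEVICES).items():
        print(f"  {field:<10} {bits:.2f} bits")
```

In the constructed population, model, OS version and carrier single out 3 of 8 devices; adding the telemetry fields singles out all of them, with boot time alone contributing the full log2(8) = 3 bits because no two handsets rebooted at the same second. That is the mechanism the commenters describe: each field is harmless in isolation, and the combination is an identifier.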
ggm, 4 months ago
The thing I found I grokked, and think is important from this article is that private browsing doesn't end this information flow. It only marks the JSON data blob as "asked not to be identified or collated" and it's substantively an honour system. There are penalties (lawsuit against google for misleading people on the fact data was still collected) but the walls to breach here are low, given that non-PII can be crossmatched, to confirm "who you are" in some sense.

There is no such thing as "private" browsing inside the factory installed browser, with factory installed DNS, and any kind of location data, or other cross-collating information along with your IP. The loss of privacy may be contextual and somewhat statistical, but it would be wrong to assume you weren't identified.

What it does do, is let you see how bidding mechanisms in services like flights and hotels will change bid when the same location as you comes to request service and doesn't have the prior search cookie state. That's useful I guess.

"find things at a different pricepoint" cookie monster mode?
xyst, 4 months ago
Apple's "privacy protections" are nothing more than marketing.

"Ask app not to track" is a wash and privacy theater at best. One of the reasons I still run ad blocking on _all_ websites and at the network layer. Sorry "content creators" but you need to get your revenue from elsewhere (ie, sponsored content).

Now I want a phone that scrambles all of this data on a per app (or phone) basis.

Malicious app wants this data? Sure you can have it. But you will get randomized values for every bit of information: resolution, lat/lon, brightness, battery level (user can set range of 90-100%), ….
amelius, 4 months ago
> was shocked by the amount and types of data sent with the bids to ad exchanges.

Can this data fall into the hands of "evil" state actors, and why is Congress OK with that and not with tiktok?
z02d, 4 months ago
There was a nice talk at the recent Chaos Communication Congress (from Chaos Computer Club):

https://media.ccc.de/v/38c3-databroker-files-wie-uns-apps-und-datenhndler-der-massenberwachung-ausliefern

(English audio available)
Arch-TK, 4 months ago
This is one of the many good reasons to avoid the google app store but most apps in general.

Let it be known, having an app to do something which used to be doable by a website is to me a red flag. Although I refuse to install anything other than what I genuinely trust.
anurag, 4 months ago
I'm a very happy paying customer of NextDNS (https://nextdns.io) which blocks known adware and tracking hosts across all mobile and desktop platforms.
EveOffline, 4 months ago
Very interesting and disturbing research, definitely a wake up call for me. Does anyone know/can anyone recommend me software that can block these sorts of requests from going through? I know of pihole which blocks ads but does it also filter out these sorts of things?
xyzal, 4 months ago
I would like to bring attention to this project. They aim to function in an application firewall like manner and manage to block connections by category, classified by domain name. Android only though, and the 'full' version is available only on f-droid due to some anti-adblock-like Play store policy. https://trackercontrol.org/
welder, 4 months ago
How do I dump a list of installed app identifiers to cross reference with the list of apps selling this data? [0]

0: https://docs.google.com/spreadsheets/d/1Ukgd0gIWd9gpV6bOx2pcSHsVO6yIUqbjnlM4ewjO6Cs/edit?gid=1257088277&ref=timsh.org#gid=1257088277
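One way to answer welder's question on Android, as an added example that is not part of the thread or of the article: `adb shell pm list packages -3` prints one `package:<name>` line per third-party package, and the sheet can be exported as CSV and intersected with that list. The column layout of the linked spreadsheet is not known here, so the script assumes a column named `bundle_id` holding the package identifier (change `ID_COLUMN` to match the export); both inputs below are constructed stand-ins.

```python
import csv
import io
import re
import sys

# Constructed output of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_PM_OUTPUT = """\
package:com.example.stackgame
package:com.example.flashlightpro
package:org.mozilla.firefox
package:com.example.weatherlite
"""

# Constructed stand-in for the linked spreadsheet. Its real column layout is
# not known here, so a column named `bundle_id` holding the app identifier is
# assumed; change ID_COLUMN to match the exported sheet.
SAMPLE_SHEET_CSV = """\
app_name,platform,bundle_id
Stack,android,com.example.stackgame
Flashlight Pro,android,com.example.flashlightpro
Puzzle Blast,android,com.example.puzzleblast
Weather Lite,android,com.example.weatherlite
"""
ID_COLUMN = "bundle_id"

_PM_LINE = re.compile(r"^package:(\S+)$")


def parse_pm_list(text):
    """Package names from `pm list packages` output; other lines are ignored."""
    found = set()
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def parse_sheet(csv_text, id_column=ID_COLUMN):
    """Map identifier -> row for every sheet row that carries an identifier."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if id_column not in (reader.fieldnames or []):
        raise ValueError(f"sheet has no column {id_column!r}; columns: {reader.fieldnames}")
    return {row[id_column].strip(): row
            for row in reader if (row.get(id_column) or "").strip()}


def cross_reference(pm_text, csv_text, id_column=ID_COLUMN):
    """Installed packages that also appear in the sheet, sorted."""
    installed = parse_pm_list(pm_text)
    listed = parse_sheet(csv_text, id_column)
    return sorted(installed & set(listed))


if __name__ == "__main__":
    # Live use:  adb shell pm list packages -3 > installed.txt
    #            python3 crossref.py installed.txt apps_export.csv
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            pm_text = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            csv_text = f.read()
    else:
        pm_text, csv_text = SAMPLE_PM_OUTPUT, SAMPLE_SHEET_CSV
    for pkg in cross_reference(pm_text, csv_text):
        print(pkg)
```

On iOS there is no `pm`; `ideviceinstaller -l` from libimobiledevice lists installed bundle identifiers, but its output format differs and would need its own parser in place of `parse_pm_list`. Note also that a match only says the app appears in the sheet, not which SDK inside it generated the traffic.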
araes, 4 months ago
Parts I found relevant:

    - It was a clean state of a somewhat old phone (iPhone 11, factory defaults + new apple id)
    - A single (old) app was installed (Stack by KetchApp, 10-12 years old)
    - Was sending out an update a second pretty much instantly (5 kB - ~300 KB every second)
    - Within a minute: IP, Lat / Lon, country, phone model, carrier / network operator, vendor, OS version, connection type (wifi), headphone status (?), volume setting (?), screen brightness setting (?), battery status (?), CPU count, system RAM, free RAM allocation, free hard drive capacity, system boot time (?)

Might as well just screen grab the Task Manager equivalent and hand it to them. Have better, quicker data about my own current RAM allocation and free hard space than I do. It hands them when the system booted for an ad? The headphone, volume, brightness, and battery was just "what" kind of headshake about invasiveness. Somebody'd hand wave they need it (we want it, we want it). They obviously don't.

Edit: It's almost Remote Desktop, on an iPhone. Realtime (~1 Hz) RAM / ROM allocation. Not sure how many Apple users even know how to check their realtime RAM / ROM allocation. The free hard drive space especially is just asking for botnet downloads.

Edit: Right, and ... disabling tracking doesn't mean anything because numerous updates blatantly ignore the setting ("uc": "1", // User consent for tracking = True;) and it's just a flag while they still send your vendor specific customer identifier anyways.

Really interesting article, and great investigation, just disturbing how much on an effectively clean phone.
Arech, 4 months ago
[emotions redacted]

Long ago there was the XPrivacy project for Android that allowed you to granularly set permissions for each app & system service and ensure they won't get the real private data. It's no longer alive these days, I guess. Can someone share their experience with the alternatives for the modern latest Android?
pandemic_region, 4 months ago
Related: has anyone else noticed the practice of using cheap commodity 'living room' appliances to get access to your data? A while ago I bought a ceiling light for my daughters' bedroom, brand unknown to me. It had a built-in speaker controlled via bluetooth, and dozens of light patterns and colors it could emit via a ring of small leds. My daughter was ecstatic looking at the youtube promo vid. Turned out that to use any of these features, you needed to install their app. Fine okay installing. Then the app demanded access to contacts and camera or it refused to connect to the ceiling light. Fine okay uninstalling the app and returning that crap.
atum47, 4 months ago
Reddit app has no permissions on my phone, but the feed suggests communities based on my location nevertheless. I've been traveling for the last two months, every city I've been has been suggested
lysace, 4 months ago
I wonder: to which extent are purchased/brokered app real-time location data feeds used by various intelligence services to target missile strikes in war zones? In e.g. Ukraine/Russia.
simonw, 4 months ago
Anyone understand why an apparently accurate latitude/longitude showed up in one of those traces despite location services not being enabled for the app in question?
diimdeep, 4 months ago
All these companies operate from within USA jurisdiction, that should send the world a clear message.

Snowden in one of his interviews talks about exactly this kind of tracking with an Amazon example (ts 01:18:00) https://x.com/JohnStossel/status/1885382675810181612

Basically, all these companies, ad networks, data brokers, big tech with absence of basic privacy laws (not to be confused with the 4th amendment that binds Fed and State gov only, but does not restrain companies) act in wilful conspiracy with US government regulators, washing each other's hands like a monopoly. This data gets enriched and collided and is perpetually on a permanent record.

https://en.wikipedia.org/wiki/Permanent_Record_(autobiography)

So next time you talk about totalitarian regimes around the world look in the window.
krupan, 4 months ago
Anyone working on this tech used for tracking people should feel bad.
gfiorav, 4 months ago
One of the big WTF moments I've had in the "web vs. device" Ad-related privacy journey was realizing that even if you create an "anonymous" account on an app in your phone, your device ID is shared and can be recognized by Ad vendors.

Example:

- You're using a known account on a Mac to search for a shelf to buy

- You're using an anonymous account to browse Reddit on an iPhone

And the shelf Ad pops up on the Reddit feed. Yep, as long as you logged in with a known account on both devices, they're now linked by device id. And all you do on those devices (regardless of the account) can be traced back to you.

I read about this in "Chaos Monkeys" but it never really hit me until this experience.
Khaine, 4 months ago
This is why I am so against letting Web Browsers have access to so much device information. Every time a web dev says they should be able to push notifications, or get battery information, or whatever, this is why they should be ignored.
jetbalsa, 4 months ago
I was just screwing around today with data like this. I was making it to have as an exhibit at an upcoming event at my university

https://bsky.app/profile/balsa.info/post/3lh7z776lbk2w

You connect to a special WiFi SSID and it compares your traffic to known tracking/ad domains (Pi-Hole Lists mostly) and the "food" is the packets being sent to those servers.

it's crude and has some high false positive rates, but it does have a chilling effect for me when exploring what data is going where
buro9, 4 months ago
Use NextDNS (https://nextdns.io) on your mobile phone as a Private DNS provider, and switch as many apps as allow it to be web apps, i.e. https://m.uber.com works just fine, and use Firefox on mobile and enable `about:config` via `chrome://geckoview/content/config.xhtml`, from there switch `beacon.enabled` to false.

Far less requires an actual app than most people imagine. It's the apps that leak so much.
afarah1, 4 months ago
NetGuard with DROP OUTBOUND policy once again proves helpful. The only app that shows ads that I have on my phone is a PDF scanner, and I don't allow it internet access.
zzo38computer, 4 months ago
Even just to look at the picture near the top (which is also repeated near the bottom), if you do not allow the app to track you that only disables one of the items of the information and not all of them. This is explained later in the document, that it is not explained very well to end users. I agree that it could be explained better. Perhaps, "Allow app to track your activity..." can have an option to display a more elaborate description, explaining that it only affects the Advertising Tracking ID (and what that means) and has no effect on other methods of tracking.

And, looking further in the document, we can see there is more.

Some of them, such as IP address and timestamp, it is reasonable to use for programs that access the internet (although it should be possible for the user to set up a proxy and/or adjust the clock in order to change these things, the server would still use its own timestamp anyways).

Available memory also makes sense to be readable (although ideally, the user should be allowed to limit the amount of memory available to specific programs, in order that there is enough memory remaining for other programs; the reported total memory should then include only the memory available to this program and not to all programs), and the same should be true of the number of CPU cores and the amount of available disk space.

Others probably should not normally be known by most programs (but some are useful for some kinds of programs), and even when they are, the operating system ought to allow users to reprogram what information is available and what filters, logging, etc will be used.

The presence of wired headphones probably should not be accessible by software, and the redirection should be handled by hardware. Perhaps an exception makes sense if the settings need to be different, e.g. mono vs stereo, although even then, programs should only see those settings (and only if they have audio output), and the user should be allowed to override them due to preferences (e.g. some users might want mono even if connected to external speakers or headphones; on my computer sometimes only one speaker works and sometimes both, so it is useful to me to be able to switch to mono).

Furthermore, there is the consideration, if the advertisers/spies are stealing your power and network bandwidth and quota in order to do these things; then, that is theft.
ktimespi, 4 months ago
Minor nitpick, but aren't ads sold to the highest bidder?
Developer_Tom, 4 months ago
Imo, the real takeaway here is that ad-tech isn't just tracking people; it's that it's becoming a decentralised surveillance network where no single entity takes any responsibility. Even with "Ask App Not to Track," your IP, geolocation, and device fingerprint still end up being leaked! It shows that tracking isn't a feature anymore; it's the business model.
password4321, 4 months ago
Is WiFi access point geolocation by SSID or MAC address? Do mobile OS's require additional permissions for apps to get either of these data points?
mdasen, 4 months ago
This is a wonderful write up. The part that isn't clear to me is how they're getting the geolocation data if location services are turned off. Are they just going off geo-ip lookups? If you grant access to Bluetooth or finding devices on your local network, they can get more information to track your location. Absent that, how would they get better than geo-ip?
ErigmolCt, 4 months ago
The fact that your "do not track" preference makes almost no difference in practice? Depressing but not surprising...
beders, 4 months ago
I'm surprised people think they have any kind of privacy - especially when using free services. They are not free. You pay with whatever data can be extracted from your devices and behavior.

Also, there's a looong list of companies who know the location of your mobile device, starting from the cell phone tower operator to Apple/Google and many in between.
monksy, 4 months ago
The people who reported about the Gravy analytics leak is 404media. They're an independent technical media group that has been reporting on stories I haven't seen elsewhere. They're pretty awesome. I've personally paid-subscribed. (I'm not affiliated with them, nor am I receiving comp to say this)
BubbleRings, 4 months ago
I clicked the link at the beginning of your article, that led to the Google sheet with the list of apps. That list had 12,373 lines, not "over 2,000", fyi. And while most of the apps looked like small time games that I have never downloaded and would probably not download, I saw included there "Microsoft Office 365". Interesting.
sunnybeetroot, 4 months ago
Whilst I trust that the author did in fact look at the data of each request eventually, the screenshot they provided of Charles could not have been of the exact requests they intercepted given Charles is indicating that those are not yet SSL proxied (except for the 2 GET requests).

EDIT: please ignore, author did it differently to what I expected.
nromiun, 4 months ago
How many people only turn on GPS for maps? Aside from that all tracking methods are pretty inaccurate anyway.
Yeul, 4 months ago
I read an interesting newspaper article about how the police confiscated a hired gun's iPhone and found that he ran a search on the city his victim lived in. It is these little digital breadcrumbs that make life easy for the prosecution.

Seriously if you are going to do illegal things never ever buy a smartphone.
pyromaker, 4 months ago
I don't think there is any hope when it comes to our privacy and ads and our data being sold - none. Even if I'm somewhat off the grid or low in activities, the indirect way of targeting me still exists, by my family members, friends, people associated with me. I surrender.
lilsoso, 4 months ago
Would be interesting to know how much data leaks on a new iPhone with some of the iOS privacy settings enabled and a handful of popular apps installed (WhatsApp, Instagram, Google Maps, Uber, etc).

And then if you use a commercial VPN with DNS ad-blocking enabled, how much more does this help?
monlockandkey, 4 months ago
How were the apps able to collect geolocation even though location services were disabled?
aprilfoo, 4 months ago
It seems still possible to avoid being tracked (protections, filters, degoogle, etc), and the business is not very interested in the minority willing to trade off functionality, practicality and ease for privacy. For how long?
kjellsbells, 4 months ago
I don't understand how this isn't considered an incredible national security issue, e.g., what stops an actor buying data for high value targets known to use certain apps, like the President or Prime Minister of a country?
wkat4242, 4 months ago
From TFA:

> This is the worst thing about these data trades that happen constantly around the world - each small part of it is (or seems) legit. It's the bigger picture that makes them look ugly.

No it doesn't seem legit to me at all. Any of it.
aucisson_masque, 4 months ago
I paid for pcapdroid, it's a network monitoring app that uses the vpn protocol on Android to monitor every packet sent, register which app made the request, to whom, dates and so on.

In its paid features, you can select apps to block internet connection or you can select country, ip and host.

After browsing my internet logs, it shocked me to see some apps I had absolutely no idea were spying so much.

Xiaomi home? Yeah I knew Xiaomi app would be spyware. But Spotify for instance, how could I guess it sends every few hours data to remote servers including Facebook ones.

Until I find a replacement for Spotify, but most music streaming apps do spy on their users (and I don't mean just learning what music you like), I can still block all the graph.facebook.com tracking.eu.miui.com Google ads.gdoubleclick.net and so on.

It's open source but firewall is a paid feature, i highly recommend it if you're on Android.

https://f-droid.org/fr/packages/com.emanuelef.remote_capture/

There is even the possibility to decrypt packets and analyze them although it requires root, i did it on another phone and yeah it's similar to what the author found. Every single bit of data, ip address, since how long the phone is on, the wifi connections, when did I unlock the phone and so on.

Every data point taken individually is not important to me but this stream of little data constantly going God knows where is creepy as fuck.
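The same triage can be done over an exported connection log, as an added example (not PCAPdroid's code and not the commenter's): it parses a constructed CSV export in an assumed layout, matches destination hosts against the three domains the comment names, on label boundaries so that look-alike hosts do not slip through, and groups the hits by app.

```python
"""Triage a PCAPdroid-style connection export against a host blocklist.

Added example (not PCAPdroid's own code): the CSV layout and the sample
rows below are constructed for illustration; real exports differ."""
import csv
import io
from collections import defaultdict

# Hosts the comment above mentions blocking; suffix matching on label
# boundaries also catches subdomains such as cdn.ads.gdoubleclick.net.
BLOCKLIST = (
    "graph.facebook.com",
    "tracking.eu.miui.com",
    "ads.gdoubleclick.net",
)

# Constructed sample export: app, destination host, destination IP, bytes sent.
SAMPLE_LOG = """\
app,host,dst_ip,bytes_sent
com.spotify.music,graph.facebook.com,192.0.2.10,1840
com.spotify.music,api.spotify.example,192.0.2.20,9210
com.xiaomi.smarthome,tracking.eu.miui.com,198.51.100.5,640
com.xiaomi.smarthome,eu.api.io.mi.example,198.51.100.6,300
com.example.game,cdn.ads.gdoubleclick.net,203.0.113.7,2048
com.example.game,bare.gdoubleclick.net,203.0.113.8,99
"""


def host_is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if host equals a blocklist entry or is a subdomain of one.

    A plain substring test would also match graph.facebook.com.evil.example,
    so compare whole labels only."""
    host = host.rstrip(".").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def triage(export_text: str, blocklist=BLOCKLIST) -> dict:
    """Group traffic to blocked destinations by app: {app: {host: bytes_sent}}."""
    flagged = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(export_text)):
        if host_is_blocked(row["host"], blocklist):
            flagged[row["app"]][row["host"]] += int(row["bytes_sent"])
    return {app: dict(hosts) for app, hosts in flagged.items()}


if __name__ == "__main__":
    for app, hosts in triage(SAMPLE_LOG).items():
        print(app)
        for host, nbytes in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"  {host:<32} {nbytes:>6} B")
```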
throwaway_2898, 4 months ago
Posting here from an anonymized account about Meta. No one probably recalls that Meta stopped most of their background location services (remember Nearby Friends) on the main application ~2021-2022 [1]. It was just not even worth a repeat NYT story with this much money on infra to collect locations.

But this is basically after they figured out how to do "good enough" location targeting using IP and a bunch of the info this guy talked about. You don't actually need a lat/long; just the 1 mile radius/city area is good enough to run ads, and they have ALL of that.

This was why Meta's revenue dropped so much after Apple's move: they could not fall back to collecting precise location. This is the last game in town. You shut this down, Meta's precise targeting will suffer gravely, ads will become flaky.

One last thing. You may ask, who are the businesses that need precise lat/longs? They are like this one [2]. These businesses are like whack-a-mole. They saturate the app market, steal data, get money and shut down when someone yells, and in a few months come back again, rebranded as another app. They exist not just to collect data but to act as an arbiter on who gets eyeballs on IRL activities to influence behavior at the top of the funnel (TOFu). In the Worst. Possible. Way.

[1] https://techcrunch.co/2022/05/09/facebook-to-shutter-its-nearby-friends-service-having-lost-the-friend-finding-market/
[2] https://www.joinpogo.com/

parkersweb, 4 months ago
This makes me wonder: is there not a 'Little Snitch' equivalent for iOS?

itissid, 4 months ago
I think one thing people are discussing a lot here is privacy around contacts and sharing. Limiting access to contacts, completely or partially, is the wrong way to design such systems. There are two problems with this approach:

1. Having permission to contacts is NOT a capability. Running a function on it that by design does not leak PII is infinitely more valuable, and is a capability.

2. Asking users to grant permission is broken by design: you are giving a very bad multiple choice to the user: `(a) Creepy? (b) Less creepy (c) Don't use app`

Instead, if we only granted operation rights and hid the actual information, it would be so much better. We need a *separation* of data from the function to empower apps to give better choices to users.

moominpapa, 4 months ago
I really find this fascinating; great article. As an experiment, if you like, can anyone identify anything about me from this post? And if not, why not? Would love to know.

grues-dinner, 4 months ago
When someone wants to install an app rather than go to a website that could do the same thing, they are advertising that they are up to something nefarious.

amarcheschi, 4 months ago
Another "funny" thing regarding Microsoft Xandr:

I sent them my uid2 and they still say they can't link it to an identity and don't have a match in their database.

PatronBernard, 4 months ago
> Moloco ads is a DSP network

A digital signal processing network? A bit annoying to introduce an acronym without defining it. Great article otherwise.

TZubiri, 4 months ago
That you can get an approximate address based on an IP address is not very new, and is in fact a feature baked into the IP protocol itself.

megous, 4 months ago
With articles like these, I'm glad for my dumbphone. At least that sends data only to my mobile operator, hopefully.

wslh, 4 months ago
Is it correct to assume that if you disable the GPS for apps the exact location is not sent, or am I missing something?

oldherl, 4 months ago
I thought this was common knowledge among (at least) IT industry workers. It's been like this for a long time.

sheerun, 4 months ago
At the same time, the "know your location" notification is less, it seems, to ask (ask lawyers); also portals.

LegitShady, 4 months ago
Most of the modern internet just seems to be the greatest inescapable surveillance system in all of human history.

Uptrenda, 4 months ago
What do you think a design would look like for the web and internet where users actually have privacy on it?

afiodorov, 4 months ago
I wonder if Apple will extend their iCloud+ Private Relay service to apps as a result of this.

itissid, 4 months ago
Does Incogni work to erase your data and prevent these SSPs/DSPs from ever collecting your data?

sedatk, 4 months ago
It's a bit ironic that the Privacy Badger extension finds 7 trackers on the article's page.

jiri, 4 months ago
What happens if I turn off location/GPS? I guess that the location has to be quite imprecise.

TrapLord_Rhodo, 4 months ago
How is this legal? This is Apple's problem and they need to be sued into oblivion. If I have location tracking turned off on my phone, why is my phone still sending location data?

OtomotO, 4 months ago
No they don't, because:

I have location services disabled 99% of the time.

And I often leave the house without my smartphone (when walking or bicycling), much to the dismay of my better half... I am sorry, I forget!

bvrlt, 4 months ago
How is the MAID <> IDFA link constructed?

Jean-Papoulos, 4 months ago
By "location", the OP means country. So not exactly a GPS point to 6 decimals... This is the second time I've seen a post with this problem here.

sharpshadow, 4 months ago
Punish Unity and Facebook even more.

bigs, 4 months ago
This write-up is fantastic.

udev4096, 4 months ago
Total BS. Do not give location permissions to untrusted apps. If the app insists on it, use the mock GPS feature on Android, which will spoof your location. Can we all please stop exaggerating the sloppiness of normies with their pretentious acts of being shocked after not being cautious about their privacy? Privacy is not by default; you have to put some effort into it.

adeon, 4 months ago
Starting earlier this year I've set up mitmproxy a lot on my entire home network, and often have it on for all traffic at times. I put up an old NAS and I'm abusing it as a mitmproxy box for my home.

There would be so much to write about what I've seen. I've thought of making a blog post. I use mitmproxy to check on sketchy apps and to learn in general.

The information sent out is fascinating. I knew extensive telemetry is pretty much the norm these days, but it's another thing to see it with your own eyes. My exercise has also made the typical "yes, we collect data/telemetry, but it's deanonymized/secured/etc. and deleted after X days so no worries" sound very hollow; even if a company goes in good faith by their own rules, how am I supposed to trust the other 1000 companies who also do data collection? If someone hacked my mitmproxy itself and downloaded all the payloads it collected, they would probably know me better than I do.

Random examples off the top of my head from mitmproxy (when I say "chatty" I mean they talk a lot to a server somewhere):

I had the GitHub Copilot neovim plugin. I didn't realize how chatty it was until I did this (although I wasn't surprised either; obviously completions are sent out to a server, but it also has your usual telemetry + A/B test experiment stuff). I had wanted to ditch that service for a long time, so I finally did it after seeing this, with a local setup, since open stuff has mostly caught up. Also it's not actually open source, I think? I had no idea (I thought it would just be a simple wrapper to call into some APIs, but: no PRs, no issues, code has blobs of .wasm and .node: https://github.com/github/copilot.vim)

Firefox telemetry, if it's turned on, is a bit concerningly detailed to me. I think I might be completely identifiable in some of the payloads if someone decided to really take a go at analyzing the payloads I send. Also I find it funny that one of the JSON fields says "telemetry is off". Telemetry is actually on in the menu (I leave it on on purpose to see stuff like this); just in the JSON for some reason it says off. I'm not sure if that telemetry is meant to be non-identifiable in the first place, though.

Unity-made software (also mentioned in the article) sends out a Unity piece at start-up that looks similar to the article's, although I didn't take a deeper look myself.

The author mentioned the battery: I also noticed that a lot of mobile apps are interested in the battery level. I didn't connect the pieces as to why, but the article mentions the Uber 4% battery surcharge, and now it makes a bit more sense.

One app that has at least once been on HN at high scores starts sending out analytics before you've consented to any terms and conditions. One of the fields is your computer hostname (one of my computers had my real name in its hostname... it does not anymore). Usually web pages have "by downloading you accept terms and conditions", but this one only presented that text after you launch the app, before you get to the main portion. I never clicked it (still haven't), but I let the app mellow in the background to snoop on its behavior.

Video games: the ones I've tried mostly don't do anything too interesting. But I haven't tried any crappy mobile games, for example. One Unity game on the laptop, Bloons TD 6, sends out analytics at every menu click, and a finished game sends a summary; it is the "chattiest" game so far, although it seems limited to what the game actually needs to do (it has an online aspect). The payloads had more detailed info on my game stats though; they should add those to the game UI ;)

Apple updates don't work through mitmproxy (won't trust the certificates). Neither do many mobile apps (none of the banking ones did; now I know what a MITM attack would look like to my bank app).

Some requests have a boatload of HTTP headers. I've thought of writing a mitmproxy module to make a top 10 list. I think some Google services might be at the top from what I've seen. (I think Google also has developed new HTTP tech; is it so that they can more efficiently set even more cookies? ;)

I think anything Microsoft-tied may be the chattiest programs overall on my laptop. But I haven't done stats or anything like that.

Aside from mitmproxy, I'm learning security/cryptography (managed to find real-world vulnerabilities, although frankly very boring ones so far...), Ghidra, started learning some low-level seccomp() stuff, qemu user emulation, things of that nature to get some skills in this space. Still need to learn: the legal side of things (ToSes like to say 'no reverse engineering'), how to not get into trouble if you reverse engineer something someone didn't like. I've not dared to report some things, and not to poke some APIs or even mention them, because I don't know enough yet about how to cover my ass.

Modern computing privacy and security is a mess.

I've worked a good part of my career at a DSP company (it would be in the box that says "Criteo" on it in the author's article). So I have some idea what companies in that space have as data.

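The "top 10 list" module the comment above wishes for, as an added example that is neither the commenter's nor mitmproxy's code: an addon that tallies request header counts per host and flags request bodies that carry this machine's hostname, the field the comment saw leave before any consent screen. The `request` and `done` hook names are mitmproxy's; the `FakeFlow` stand-ins, host names and payload are constructed so the module can also be exercised offline.

```python
"""Added example, not mitmproxy's or the commenter's code: an addon that
tallies request header counts per host and flags request bodies carrying this
machine's hostname. Load with `mitmproxy -s <this file>`; the FakeFlow
stand-ins and sample traffic below are constructed so it also runs offline."""
import socket
from collections import Counter, defaultdict

class HeaderTally:
    """mitmproxy addon: `request` runs per client request, `done` at shutdown."""

    def __init__(self, hostname: str = ""):
        self.header_counts = defaultdict(list)  # host -> [header count per request]
        self.leaks = Counter()                   # host -> requests carrying hostname
        self.hostname = (hostname or socket.gethostname()).lower()

    def request(self, flow):
        req = flow.request
        self.header_counts[req.pretty_host].append(len(req.headers))
        body = (req.get_text(strict=False) or "").lower()
        if self.hostname and self.hostname in body:
            self.leaks[req.pretty_host] += 1

    def top_hosts(self, n: int = 10):
        """Hosts ranked by mean header count per request: [(host, mean), ...]."""
        means = {h: sum(c) / len(c) for h, c in self.header_counts.items()}
        return sorted(means.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

    def done(self):
        for host, mean in self.top_hosts():
            print(f"{host:<28} avg {mean:5.1f} headers  hostname leaks: {self.leaks[host]}")

addons = [HeaderTally()]  # what mitmproxy picks up from this script

# Constructed stand-ins mimicking the flow.request attributes used above.
class _Req:
    def __init__(self, host, headers, body=""):
        self.pretty_host, self.headers, self._body = host, headers, body

    def get_text(self, strict=True):
        return self._body

class FakeFlow:
    def __init__(self, host, headers, body=""):
        self.request = _Req(host, headers, body)

def demo() -> HeaderTally:
    """Feed three constructed requests; the analytics host leaks the hostname."""
    tally = HeaderTally(hostname="alice-laptop")
    many = {f"x-h{i}": "v" for i in range(24)}
    tally.request(FakeFlow("analytics.example", many, '{"device":"alice-laptop"}'))
    tally.request(FakeFlow("analytics.example", {f"x-h{i}": "v" for i in range(20)}))
    tally.request(FakeFlow("api.example", {"host": "api.example", "accept": "*/*"}))
    return tally
```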
motohagiography, 4 months ago
Great write-up. Keep forensic Faraday bags around.

vanillax, 4 months ago
This is wild.

black_puppydog, 4 months ago
I realize this feels like a pipe dream, like a million miles away from our branch of reality in 2025, but I really think the entire online surveillance advertising industry needs to be burnt to the ground and (maybe, partially) rebuilt. Many of the problems we see nowadays are rooted in the fact that data is being collected and used to (supposedly) profitable ends.

Sure, there may be the occasional honest actor in the industry, but they're so marginal and outcompeted by dishonest and shady ones that it really doesn't matter. IMHO the right move is to simply ban any collection that's not strictly necessary. Kind of like GDPR but without the "if the user agrees" exceptions.

Reminds me of a regulation about artificial stone (?) being banned in Australia, not because it's impossible to use safely but because the regulator concluded that the entire supply chain is unwilling to and disincentivized from using the material safely, so the best move at this point was to ban it outright.

Edit: found that article

https://news.ycombinator.com/item?id=38634213

petee, 4 months ago
They say the leaked list is 2000 apps, but the linked spreadsheet has over 12000...

And are these getting pulled from the store due to privacy violations? I'd assume Google would be aware at this point?

nipperkinfeet, 4 months ago
I am using AdGuard DNS and it's absolutely sickening how many ads and trackers it is blocking on a daily basis. Just on my smartphone alone.

noman-land, 4 months ago
This is honestly a masterpiece.

ta988, 4 months ago
Shame on all of the people working on those systems. Legit companies trying to make the world better struggle to find competent people.

HelloUsername, 4 months ago
Related?

NSA Warns iPhone and Android Users–Disable Location Tracking https://news.ycombinator.com/item?id=42713536

Hackers Claim Breach of Location Data Giant, Threaten to Leak Data https://news.ycombinator.com/item?id=42627336

ksec, 4 months ago
Maybe Steve Jobs was right all along. We don't need a smartphone with an App Store. Either first-party apps, and everything else should be in the browser or in apps that use a browser engine.

sureglymop, 4 months ago
A while ago a co-worker told me "why would you care about your privacy? All my data is already out there anyway and what can even be done with it anyway".

What would be the ideal response to such an absurd comment? At the time I found it hard to answer because she surprised me with that opinion.

Edit to note: the explanation should be compatible with a professional context. I don't want to scare my co-workers or appear crazy/paranoid.

volume, 4 months ago
Neat details shared, might check it out later.

Does this apply to the Brave browser?