This doesn’t look like they hijacked the apps to spy on users’ location. It looks to me like these apps were already illegitimately collecting location data and passing it to Gravy Analytics where it was sold to the highest bidder. If I’m interpreting this article correctly, the hackers only hijacked Gravy Analytics so they could get the location data without paying. The location data was already in the malicious hands of Gravy Analytics.
But it seems rather nebulous. Many of the app developers’ quoted responses in the article seem to be blatant lies, which the article disproves. Many of the app developers deny handing over location data, but do run ads. If those ads execute arbitrary javascript, then IP geolocation is easy. I don’t know how cookies/tracking would work for in-app ads, though.
The developers probably fall into the “incompetence” bucket, and were also ignorant to the full effect of serving ads
Short of deleting the offending apps and not using them, how can you protect yourself from the data collection of the app?
What others said and give permissions on a “need to know basis”
Protective DNS, when set up with a DNS provider that blocks known ad / tracking domains, would help with that. NextDNS, Control-D, and Mullvad all offer this service, for example.
Mullvad VPN is best one stop shop to get started but the process is so much more than getting a VPN.
A lot of ia behavioural though, hygiene
Protonvpn also blocks ads, trackers, malware. With some of my apps needing google play services, I get trackers block constantly on my grapheneos phone.
Edit: I would also mention that I am very selective with my permissions. I don’t grant internet unless absolutely required. Sensors and gyro data are very rarely needed for apps unless it’s navigation. Location permission only for when app is open, nothing in the background. Microphone and camera permission the same too. Though, for proprietary apps that need mic and cam like social media, expect them to watch your face and listen to you all the time, extracting every muscle twitch and word that comes out your mouth.
There are quite a few apps in there I wasn’t expecting. Guess you just can’t trust proprietary adware, huh.
Crazy. These are the apps that bundle location and network scraping libraries. Those libraries not only gather location data (GPS or network based) but also spy on your surrounding wifis, bluetooth beacons and cell towers.
This allows the distributors to build huge databases that allow to locate things without GPS, just cell networks.
This is actually really useful and I encourage people to help improve this. Use NeoStumbler and collect such data. It is all opensource and will be processed to not allow such tracking. But it will allow geolocation privately, for everyone.
Ironically people are already doing this all the time, and not privately at all.
Is there something like NeoStumbler for iOS?
I mean there is no way to use the database on iOS
But no, afaik there is also no Stumbler. Apps need quite some extended privileges to work well, might be restricted
- record network data
- record location in background
- read all available networks
Well… apple itself does this (and btw apples location data is actively scraped. Really poorly protected) but no other app can do it likely
