A recent investigation has uncovered a systematic and repeated method of harvesting personal user data from iPhone and Android users through over 20 VPN and mobile ad blocking apps. The apps in question were all developed by Sensor Tower, a smartphone and apps usage analytics firm that advertises its market intelligence and insights into user behaviour. None of the apps were officially tied to Sensor Tower, and they did not disclose that they gathered data to share with the analytics platform. Many of these apps were removed from the Apple App Store and Google Play Store in the past, but some continue to be in circulation. The behaviour, which users would not have been aware of, could compromise privacy and security.
According to BuzzFeed News, which carried out the investigation, the apps collectively had over 35 million downloads. Some of the apps identified in the report are named Adblock Focus, Adblock WiFi, Adblock Mobile, Mobile Data, Hotspot VPN, Free and Unlimited VPN, Wi-Fi Booster, Luna, and Ad Terminator. Some of these were being used as far back as 2015.
The firm was able to collect data from users because these apps all convince users to install third-party root certificates by promising to speed up Web browsing, remove ads from websites and YouTube, or even to protect users from tracking scripts. These certificates allow Apple's and Google's default protections to be bypassed, which means that data can then be harvested through a backdoor.
Several of the apps named in the report had been previously blacklisted by Google and Apple for violating their policies. Adblock Focus was removed by Apple and Mobile Data was delisted by Google after the companies were notified by BuzzFeed News. However, Luna VPN continues to be available on both platforms. Both companies have said they are continuing their internal investigations into the apps' improper behaviour.
Sensor Tower did not deny its methods of acquiring user data when approached by BuzzFeed News for comment, and said that it hid its connection to the apps in order to protect its market position. In a response to the report, Sensor Tower's Head of Mobile Insights, Randy Nelson, said that the apps did not collect sensitive information such as usernames or passwords. However, root certificates can be misused, and users were not informed about how much of their data was being siphoned off or what it was being used for.