Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people’s precise movements, and they are threatening to publish the data publicly.
The samples of data posted by the hackers include the apparent historical location of smartphones. The files contain precise latitude and longitude coordinates of the phone, and the time at which the phone was there. Some screenshots indicate what country the data has been collected from. One alphabetically ordered list mentions Mexico, Morocco, Netherlands, North Korea, Pakistan, and “Palestinian State (proposed).” That is only a snapshot of where Gravy sourced data from; one file includes location data relating to phones in Russia, and U.S. agencies have previously used such data as part of immigration operations on the country’s border. (Gravy provides some of its data to subsidiary Venntel, which then works directly with those and other agencies).
Another screenshot shows classifiers that Gravy has added to collected data, such as “LIKELY_DRIVING.”
I would assume potential mitigations of this could be done with various tracker-blocking DNS providers and/or Pi-hole? I know some apps bypass that using their own DoT or DoH.
From what I can find, Private DNS is quite robust and apps shouldn’t be able to bypass private DNS, unless they embed IP addresses in their app in case the DNS query gets refused; some apps do that, e.g. WeChat (I learnt this when I was setting up Private DNS for someone).
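One way to spot that fallback behaviour from the network side is to correlate the resolver log with outbound connections: a destination that was never answered by the trusted resolver is a candidate for an embedded IP. This is an added example, not code from this thread or from Pi-hole or Android; the two log formats and the addresses in them are constructed for illustration.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logs (not real Pi-hole or Android output).
# Resolver log lines: "<timestamp> <client> <qname> <answer_ip>"
DNS_LOG = """\
2025-01-08T10:00:01 10.0.0.5 api.example-weather.test 203.0.113.10
2025-01-08T10:00:02 10.0.0.5 cdn.example-weather.test 203.0.113.11
2025-01-08T10:00:05 10.0.0.5 tracker.example-ads.test 198.51.100.20
"""
# Connection log lines: "<timestamp> <client> <dst_ip> <dst_port>"
CONN_LOG = """\
2025-01-08T10:00:03 10.0.0.5 203.0.113.10 443
2025-01-08T10:00:06 10.0.0.5 198.51.100.20 443
2025-01-08T10:00:09 10.0.0.5 192.0.2.77 443
2025-01-08T10:00:10 10.0.0.5 10.0.0.1 53
"""

# LAN, loopback and link-local traffic has no DNS step, so it is never flagged.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_dns(log):
    """Map (client, answer_ip) -> list of (time, qname) seen in the resolver log."""
    answers = {}
    for line in log.splitlines():
        ts, client, qname, ip = line.split()
        answers.setdefault((client, ip), []).append((datetime.fromisoformat(ts), qname))
    return answers

def unresolved_connections(dns_log, conn_log, window=timedelta(minutes=10)):
    """Return connections whose destination the trusted resolver did not hand
    to that client within `window` before the connection: the signature of an
    app falling back to a hard-coded IP instead of using Private DNS."""
    answers = parse_dns(dns_log)
    flagged = []
    for line in conn_log.splitlines():
        ts, client, ip, port = line.split()
        if is_local(ip):
            continue
        when = datetime.fromisoformat(ts)
        recent = [q for t, q in answers.get((client, ip), []) if when - window <= t <= when]
        if not recent:
            flagged.append({"time": ts, "client": client, "dst": ip, "port": int(port)})
    return flagged

if __name__ == "__main__":
    for hit in unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['dst']}:{hit['port']} (no DNS answer)")
```

Queries the resolver blocked never produce an answer IP, so a connection to a blocked tracker's hard-coded address shows up here too; a short window catches apps that cache answers far longer than the TTL.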
Mostly seems to be full of dubious copy-paste, low-quality apps, so I don’t think 12,000 or whatever is significant at all. There are lots of shitty apps out there; doesn’t mean you can’t filter for bad ones easily.
I mean I know what to use between Proton VPN and “Free Japan VPN: 100% Private!!!”
Perhaps it shouldn’t come as a surprise, but it seems to me that many of these apps are blatantly lying in the ‘Data safety’ category on the Google Play Store. I would honestly expect Google to at least take action against these apps when they are caught lying. For example:
Table of Top 10 Apps on List with Third-Party Location Sharing Disclosure(s)

| App Name | Package | Ion | Third-Party Location Sharing |
|---|---|---|---|
| Weather & Radar | de.wetteronline.wetterapp | 360977 | Approximate location: Analytics, Advertising or marketing; Precise location: Advertising or marketing |
| Block Blast! | com.block.juggle | 212608 | No data shared with third parties |
| Candy Crush Saga | com.king.candycrushsaga | 175503 | Approximate location: Advertising or marketing |
| Happy Color®: Coloring Book | com.pixel.art.coloring.color.number | 120648 | Approximate location: Analytics, Advertising or marketing, Fraud prevention, security, and compliance |
| Words of Wonders: Crossword | com.fugo.wow | 78771 | No location data shared with third parties |
| Vita Mahjong | com.vitastudio.mahjong | 68649 | No data shared with third parties |
| Number Match - Number Games | com.easybrain.number.puzzle.game | 68320 | Approximate location: Analytics, Advertising or marketing, Fraud prevention, security, and compliance |
| Mahjong Club - Solitaire Game | com.gamovation.mahjongclub | 51093 | Approximate location: Analytics, Advertising or marketing, Personalization |
| QBlock: Wood Block Puzzle Game | puzzle.blockpuzzle.cube.relax | 42668 | No data shared with third parties |
| Woodle Screw Jam: Nuts & Bolts | com.wood.bolt.wordle.screw.nuts.puzzle | 42367 | No location data shared with third parties |
Given that Gravy Analytics is a location tracking company, it seems to me that as many as 50% of the top ten apps on this list are potentially lying about the fact that they are sharing location data with third parties.
I suspect the same is true for the iOS App Store equivalent (the developer’s privacy self-attestation).
Even Apple acknowledges they don’t verify what the Developer attests to:
“The developer indicated that the app’s privacy practices may include handling of data as described below. This information has not been verified by Apple. For more information, see the developer’s privacy policy.
To help you better understand the developer’s responses, see Privacy Definitions and Examples.
Privacy practices may vary, for example, based on the features you use or your age.”