Guess what? Facebook still tracks you on Android apps (even if you don't have a Facebook account)
In December 2018, we revealed how some of the most widely used apps in the Google Play Store automatically send personal data to Facebook the moment they are launched. That happens even if you don't have a Facebook account or are logged out of the Facebook platform (watch our talk at the Chaos Communication Congress (CCC) in Leipzig or read our full legal analysis here).
Today, we have some good news for you: we retested all the apps from our report and it seems as if we have made some impact. Two thirds of all apps we retested, including Spotify, Skyscanner and KAYAK, have updated their apps so that they no longer contact Facebook when you open the app.
Here’s the bad news: seven apps, including Yelp, the language-learning app Duolingo and the job search app Indeed, as well as the King James Bible app and two Muslim prayer apps, Qibla Connect and Muslim Pro, still send your personal data to Facebook before you can decide whether you want to consent or not. Keep in mind: these are apps with millions of installs.
Since we published our report, mobilsicher.de could also confirm that apps on iOS exhibit similar behaviour.
Why is this a problem?
This is hugely problematic, not just for privacy, but also for competition. The data that apps send to Facebook typically includes information such as the fact that a specific app, such as a Muslim prayer app, was opened or closed. This sounds fairly basic, but it really isn’t. Since the data is sent with a unique identifier, a user’s Google advertising ID, it would be easy to link this data into a profile and paint a fine-grained picture of someone’s interests, identities and daily routines. And since so many apps still send this kind of data to Facebook, this could give the company an extraordinary insight into a large share of the app ecosystem. We know how valuable such information is, because documents released by the UK parliament show how Facebook used its Onavo virtual private network (VPN) app to gather usage data on competitors.
What is PI doing about this?
Today, we’ve raised the issue of third-party tracking on apps with the European Data Protection Board and the European Data Protection Supervisor. We request that both consider our findings and the legal issues raised in their forthcoming work and opinions.
We've written to every single app that still sends too much data to Facebook and asked them to release an update. Good news for language-learners: Duolingo has promised us to remove the Facebook SDK App Events component from both the Android and iOS apps in the next version releases.
We also contacted Facebook again and urged them to change the default behavior of the Facebook Software Development Kit (SDK) – a Facebook business product that apps integrate into their code. As it stands, the Facebook SDK is designed to automatically transmit personal data to Facebook the moment a user opens the app. We believe that this is contrary to the principle of data protection by design and by default – a requirement under European data protection law.
We also think that this default implementation is really unfair to developers. Apps relay on the Facebook SDK to integrate their product with Facebook services, like Facebook’s login and ad tracking tools. However, Facebook places all responsibility on apps to ensure that the data they send to Facebook has been collected lawfully (even though our legal analysis suggests that this is more complicated). Developers can disable the automated transmission of data, but this option only became available in June last year, so weeks after the General Data Protection Regulation (GDPR) entered into force. We also have evidence which suggests that this feature didn’t always work as it was intended.
How can I replicate your work?
Luckily, we have some other good news for you: as promised during our talk at CCC, we’re releasing our testing environment so that more people can replicate our work! The Facebook SDK is just one of many third-party trackers that apps, including the ones we retested, use. In fact, nearly 90% of free apps on the Google Play store share data with Google parent company Alphabet.
Many apps we tested, including those that no longer send data to Facebook, still send a shocking amount of personal data to all sorts of third parties, like advertisers or data brokers, in ways that are not transparent and don’t give users a genuine choice. So please do replicate our work, and let us know what you find!
I'm an app developer. What can I do?
Reconsider whether your application really needs to use the Facebook SDK, and if it does, use its components selectively, and in a manner that is fair and transparent towards users.
Apps, especially those with millions of installs, need to take the privacy of their users seriously. We recommend that apps limit third party tracking to what is strictly necessary.
How can I protect myself?
We care about third-party tracking on mobile apps because it causes unique privacy issues. You can block some unwanted cookies and tracking technology in web browsers, but it’s excruciatingly difficult to do the same in apps. For example, no mainstream operating system, including Android and iOS, allows users to opt out of third-party tracking in apps, which leaves people vulnerable to exploitative data practices.
Still, everybody can take steps to reduce app tracking on Androids, even if it won’t affect the kind of tracking that we described in our report (sorry!):
- Reset your advertising ID regularly. This won’t stop you from being tracked and profiled, but it can nonetheless temporarily limit the invasiveness of your profile. This can be found on most Android devices under, Settings > Google > Ads > Reset Advertising ID.
- Limit ad personalization by opting out of ad personalization in the Android settings. This can be found on most Android devices under, Settings > Google > Ads > Opt Out of Personalized Advertising.
- Regularly review the permissions that you have given to different apps and limit them to what is strictly necessary for how you want to use that app. For example, setting Apps that collect location information, to collect this information not “always” but only “when in use” etc. This can be found on most Android devices under, Settings > Apps or Application Manager (depending on your device, this may look different) > tap the app you want to review > Permissions. On recent Android versions, this is supported natively within the Apps section of settings. On older Android versions, App Ops can be used on supported ROMs.
- Many apps can control how other apps on your phone interact with the network and one another. An example is Shelter, which allows you to separate out apps into different profiles within the Android device, allowing for different access controls or separate Google accounts, allowing separate advertising ID’s to be used for different apps. We haven’t tested the efficacy of such tools at length, however.
- The addition of a phone-based firewall, like AFWall+ or NetGuard, can also limit connections to addresses such as graph.facebook.com. We suggest that users conduct their own research before using such tools and understand their limitations and ramifications.
What will happen next?
Privacy International will continue to work on this issue over the coming year. We are committed to fighting for the right to privacy across the world - but we need your support. Individual donations are incredibly important to us, and allow us to fund work like this
We would also like to thank:
- All the contributors to the Open Source projects used in our testing environment
- The 35th Chaos Communication Congress (35C3) and the Chaos Computer Club (CCC) - for their help and support
- Exodus Privacy - for their original research and tools
- Mobilesicher.de - for their research
 We found an example of a Muslim prayer app using the SDK version 4.38.0 that disabled app_events_auto_logging and still sent users’ Google advertising ID immediately after the app was opened.This suggests that apps that used the SDK were unable to deactivate the automated sending of data even if they deactivated it up until October 23, 2018 (the day that the SDK was updated (see: https://developers.facebook.com/docs/ios/downloads/).