Location tracking report: X-Mode SDK use much more widespread than first thought
450 Android apps tracked your whereabouts, 1.7bn downloads, 44% used X-Mode code
Updated Apps that tracked and sold people's whereabouts were more prevalent than perhaps first thought. A report out today has identified 450 Android apps downloaded 1.7 billion times that used SDKs to track the location of smartphones. Many of these programs were using an SDK called X-Mode, which Apple and Google banned at the end of last year.
X-Mode, based in Reston, Virginia in the United States, is a broker for location data. The pitch to developers is that by embedding the X-Mode libraries in their apps, they get a revenue stream that is not dependent on showing ads. “You can earn $10K or more a month by contributing to our Premium Location Data Platform,” its website boasts.
That data is then licensed to third parties with X-Mode claiming to cover more than 25 per cent of the US adult population and up to 10 per cent in 11 other countries including the UK, Canada, Australia, Spain, Italy, and France.
Use cases presented on X-Mode's site include validating whether someone visited a store after seeing an ad online (unlikely in lockdown), and targeting folks who have been in Best Buy, Apple, or T-Mobile US stores with ads for phone warranties. Another example monitors the geolocation data to work out driver behavior and speed while on the road, and presents it as an opportunity for insurance companies to “build better risk models around aggregated driving data.”
X-Mode has said it has “automated privacy compliance,” targets the device rather than person, and does not collect personally identifiable information such as names or email addresses. These assurances were not enough for Apple and Google, which in early December last year required developers to remove X-Mode code from applications or be banned from their app stores. According to the Wall Street Journal, Google gave developers seven days to remove X-Mode, while Apple specified two weeks.
Most X-Mode-using apps still in Google Play after ban
New research conducted by Sean O’Brien at ExpressVPN, assisted by the Paris-based Defensive Lab Agency, detected location tracking SDKs in 450 Android apps at the end of January, all downloaded nearly two billion times, and 44 per cent (199) of which used the now-banned X-Mode code at some point. We're told Google removed 10 per cent of those applications from its Play Store.
No one at Google was available to comment.
The apps are wide ranging, from dating and social media platforms to services targeting Muslim audiences. It is not safe to conclude that all these apps have nefarious intent, however. “App developers have decided to include tracker SDKs in apps for a variety of reasons, and we do not categorize all usage of trackers as malicious or condemn the app authors,” said the researchers, who also believe that the “complexity and pace” of software development and app frameworks and stacks means that trackers may sometimes end up in apps without developers realizing it.
The detailed findings of the study are on GitHub.
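The research described above works by finding tracker SDK code inside the apps themselves. The following is an added example, not the report's or Defensive Lab Agency's tooling: it reads the string table of a DEX file (where class descriptors such as `Lcom/vendor/sdk/Foo;` live inside an APK's `classes.dex`) and matches those descriptors against tracker signatures. The package prefixes in `TRACKER_SIGNATURES`, the `build_fake_dex` helper and the sample class list are constructed placeholders for illustration; they are not the real SDKs' package names, which a real scanner would take from a maintained signature list.

```python
import re
import struct

# Tracker signatures as regexes over Dalvik class descriptors.
# CONSTRUCTED placeholder prefixes, not the real SDKs' package names.
TRACKER_SIGNATURES = {
    "X-Mode (placeholder prefix)": re.compile(r"^Lcom/example_xmode_sdk/"),
    "Beacon SDK (placeholder prefix)": re.compile(r"^Lcom/example_beacon_sdk/"),
}


def read_uleb128(buf, pos):
    """Decode one ULEB128 value starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def dex_strings(dex):
    """Return every entry of the DEX string table in string_ids order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header fields: string_ids_size at 0x38, string_ids_off at 0x3C.
    string_ids_size, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(string_ids_size):
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        # string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
        _utf16_len, pos = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        # MUTF-8 equals UTF-8 for the ASCII class names we care about here.
        out.append(dex[pos:end].decode("utf-8", errors="replace"))
    return out


def find_trackers(dex):
    """Map each matched tracker name to the sorted class descriptors found."""
    hits = {}
    for s in dex_strings(dex):
        if not (s.startswith("L") and s.endswith(";")):
            continue  # only class descriptors, not arbitrary string literals
        for name, rx in TRACKER_SIGNATURES.items():
            if rx.search(s):
                hits.setdefault(name, set()).add(s)
    return {k: sorted(v) for k, v in hits.items()}


def encode_uleb128(value):
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        if value:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def build_fake_dex(strings):
    """CONSTRUCTED minimal DEX carrying only a header and a string table."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(header_size)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, header_size + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, header_size)                         # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                          # ENDIAN_CONSTANT
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)              # string_ids
    return bytes(header + ids + data)


# Constructed sample: a weather app whose DEX pulls in two tracker SDKs.
SAMPLE_CLASSES = [
    "Lcom/example/weather/MainActivity;",
    "Landroid/bluetooth/le/BluetoothLeScanner;",
    "Lcom/example_xmode_sdk/LocationCollector;",
    "Lcom/example_beacon_sdk/BeaconListener;",
    "Forecast for today",  # a plain string literal, ignored by find_trackers
]
SAMPLE_DEX = build_fake_dex(SAMPLE_CLASSES)

if __name__ == "__main__":
    for name, classes in find_trackers(SAMPLE_DEX).items():
        print(name, "->", ", ".join(classes))
```

On a real APK the input to `find_trackers` would be each `classes*.dex` member extracted from the APK zip; matching on class descriptors rather than on strings found anywhere in the file is what keeps a mention of a vendor in a log message from counting as an embedded SDK.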
The X-Mode libraries do not work standalone, and tap up other providers that have access to so-called beacons: gadgets that are placed in locations like stores and communicate wirelessly with nearby mobile devices. For example, a beacon may use Bluetooth Low Energy (BLE) to broadcast its presence to nearby smartphones, which is picked up and processed by apps containing X-Mode's code and its connected libraries. No pairing or other interaction with the beacon needs to take place. These providers include Placed (owned by Foursquare), Sense360, Wireless Registry, BeaconsInSpace, and OneAudience.
The conclusion of the ExpressVPN report is that “we identified evidence of the ubiquity of location tracking SDKs in a wide range of consumer apps.” This raises many questions, and although it happily references press articles on such matters as police, military, and intelligence services abusing location data, the report does not present direct evidence of this, nor attempt to work out which apps have hidden or unreasonable behavior beyond the inclusion of the banned X-Mode libraries.
O’Brien said the goal is to educate consumers on “how their use of certain apps may have privacy and security implications” and to encourage users to consult the list of apps and consider removing them or limiting their permissions.
Location 'necessary' for more than you realise
The ExpressVPN guide to smartphone security, though, will leave privacy-conscious users with a sense of hopelessness.
For example, one of the tips is to turn Bluetooth off: a good suggestion, but one that also means not using wireless headphones. Google has complicated the matter of location permissions by requiring that apps which scan for Bluetooth devices also hold full Location Services permission, and that Google’s Location Services be running. The justification is that this makes users more aware that their location may be revealed via Bluetooth, but it also means that users grant apps broader location permissions than they may wish, simply to get them working at all.
“The fact that Android requires FINE location and background permissions to do this on the latest version has proven to be a great headache. The idiots reject my app because of this, yet the app does not need location info or care about location,” complained one developer.
Location data does, of course, have many legitimate uses of great value to users, such as mapping and local search. This means that even privacy advocates such as the Electronic Frontier Foundation merely state that we "work to ensure that location based service providers don’t abuse the information they collect on their customers or hand it off to other companies or the police without consent or probable cause."
Protecting privacy with a smartphone is easy: turn off the Wi-Fi, turn off the Bluetooth, and remove the SIM card. Unfortunately devices so configured are of little use. What remains is regulation and the behaviour of entities such as vendors of trusted applications, mobile operators, Google, and Apple. ®
This article was revised after publication to clear up some ambiguity. The ExpressVPN report states that despite Google's ban on the use of X-Mode code in apps, "our investigation found that X-Mode maintains a strong presence on Google Play. We identified 199 apps with X-Mode tracker SDKs in them, collectively downloaded at least 1 billion times. 90 per cent of these apps continue to be listed in Google Play after the ban."
Indeed, most of those apps are still in the Play Store today, though they appear to have been updated since mid-December presumably to remove the X-Mode SDK to avoid being banned by Google. For example, Arranger Keyboard, with 500,000+ installs, is listed as having had the tracking code, though it was updated on December 12.
ExpressVPN's position is that apps remained in the Play Store after the ban despite said software using X-Mode. And TechCrunch found one instance of such – a city subway app – that was still using X-Mode up until this week. That has now apparently been dealt with.
After our story was published, Google got in touch to stress that, certainly now, there are no apps using the banned library in the Play Store nor did the X-Mode code maintain a strong presence in the software souk after the ban. "To be clear, X-Mode remains banned, and there are currently no apps on the Play Store using that SDK," a spokesperson told us.
We put Google's assertion to ExpressVPN, which performed another scan of the Play Store and found that 25 apps remained in the software souk that still contained the forbidden X-Mode SDK. Google has now removed those applications.