This article is more than 1 year old

Oops: Google admits failing to wipe all Android apps with location-selling X-Mode SDK from its Play Store

For best results, take a second dose of privacy cleanse

Google on Friday removed 25 Android apps from the Google Play Store after missing them during a prior purge. The apps contained the X-Mode SDK that the Chocolate Factory previously banned for selling location data.

“Due to an oversight during our enforcement process, 25 apps containing the X-Mode SDK were not removed from Google Play after the developers were given a 7-day warning," a Google spokesperson said in a statement emailed to The Register. "After learning of the error, we immediately removed the apps."

The SDK gathers location data that X-Mode, a Reston, Virginia-based data broker, then sells to third-parties. In early December, Google and Apple gave mobile app developers seven days and two weeks respectively to jettison the X-Mode SDK, a software library the developers had integrated into their apps in exchange for payment – "$10K or more a month," the data biz claims.

Illustration of location tracking in a city

Location tracking report: X-Mode SDK use much more widespread than first thought


X-Mode maintains that it does not collect personally identifiable information such as names or email addresses, even though location data can help identify someone. It promises "automated privacy compliance" with the California Consumer Privacy Act and Europe's GDPR laws, which doesn't appear to have swayed Apple or Google from disallowing the technology.

Or rather disallowing the technology in theory. In late January, ExpressVPN, in conjunction with Paris-based Defensive Lab Agency, published a report identifying 450 Android apps, with 1.7bn downloads between them, that had incorporated the location-harvesting SDK, and claiming that hundreds were still available at the end of last month.

When we reported on the findings earlier this week, Google told us that all Android apps with X-Mode's code had been removed.

But ExpressVPN told us that 25 privacy-violating apps remained and provided The Register with a list that we then presented to Google for verification. The VPN biz suggested that its initial report helped hasten Google's removal of the non-compliant apps but also said that 25 out of 199 it had analyzed identified still contained X-Mode.

The majority of these were city guide apps, which present themselves as aids to travelers and would not raise eyebrows when seeking permission to use location data.

"We note that the remaining apps containing X-Mode have been downloaded more than 12 million times from Google Play, that older versions of apps containing X-Mode still persist on consumer smartphones and alternative app stores for Android, and, most importantly, that the privacy problems posed by location surveillance are not limited to X-Mode," said Sean O'Brien, principal researcher for ExpressVPN Digital Security Lab. ®

More about


Send us news

Other stories you might like