Android users’ location tracked by ‘snooping beacon’ technology in apps - despite it being banned by Google

The X-Mode SDK was found in 199 dating, messaging, and religious and prayer apps despite a ban implemented in 2020

Adam Smith
Friday 01 October 2021 13:18 BST

Hundreds of Android apps sent user location data to a data broker that had been banned from the Google Play Store since December 2020.

Close to 200 messaging apps, video and file converters, dating sites, and religious and prayer apps downloaded tens of millions of times had X-Mode installed. Despite the ban, only ten per cent of these apps have been removed from Google Play.

The tracker caused controversy after Vice’s Motherboard reported that the United States military was buying the granular movement data of users of a Muslim prayer and Quran app that had more than 98 million downloads worldwide. The US military has reportedly used location data to target drone strikes.

Alongside X-Mode’s location SDK (Software Development Kit, a package of code that provides functionality for app developers) called “io.xmode”, the researchers from ExpressVPN’s Digital Security Lab found an additional SDK called “io.mysdk”.

SDKs – which could include mapping software, Bluetooth compatibility, or graphics and emojis – are difficult for Apple and Google to track because they are bundled into the app’s code before they reach the app store, and smartphone users are not made aware of their presence when they are being installed.
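Because a bundled SDK ships as ordinary classes inside the app, its package name ends up in the string table of the APK's `classes*.dex` files. The sketch below is an added example, not the ExpressVPN researchers' tooling: it reads that table and reports the two package names the article mentions. The function names and the sample class names in `make_sample_apk` are constructed for illustration.

```python
import io, struct, zipfile

# Package names from the article, in DEX type-descriptor form (dots become slashes).
TRACKER_PREFIXES = {"io.xmode": "Lio/xmode/", "io.mysdk": "Lio/mysdk/"}

def _uleb128(buf, pos):
    """Decode an unsigned LEB128 integer; return (value, next_pos)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    """Yield every entry of a DEX file's string table (yields nothing if not a DEX)."""
    if dex[:4] != b"dex\n" or len(dex) < 0x70:
        return
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _, start = _uleb128(dex, data_off)  # skip the UTF-16 length prefix
        end = dex.index(b"\0", start)       # string data is NUL-terminated
        yield dex[start:end].decode("utf-8", "replace")

def scan_apk(apk_bytes):
    """Return the sorted tracker package names whose classes appear in the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        dex_names = [n for n in apk.namelist() if n.startswith("classes") and n.endswith(".dex")]
        for name in dex_names:
            for s in dex_strings(apk.read(name)):
                found.update(p for p, pre in TRACKER_PREFIXES.items() if s.startswith(pre))
    return sorted(found)

def make_sample_apk(strings):
    """Constructed test input: a ZIP holding a minimal DEX string table, not a real app."""
    items = [bytes([len(s)]) + s.encode() + b"\0" for s in strings]
    table_end = 0x70 + 4 * len(items)
    offs = [table_end + sum(map(len, items[:i])) for i in range(len(items))]
    header = bytearray(b"dex\n035\0".ljust(0x70, b"\0"))
    struct.pack_into("<II", header, 0x38, len(items), 0x70)
    dex = bytes(header) + struct.pack(f"<{len(offs)}I", *offs) + b"".join(items)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", dex)
    return out.getvalue()
```

A prefix match of this kind only finds SDK classes that keep their original package name; classes that were renamed during the build would not be reported.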

The five providers found in io.mysdk are “location-snooping beacons” which include “Placed (a subsidiary of Foursquare), Sense360, Wireless Registry (aka SignalFrame), BeaconsInSpace (aka Fysical), and OneAudience”. The researchers go on to say that at least seven apps targeting Muslim audiences contain X-Mode.

Some of these beacons have reportedly been used to determine the real-world location of millions of devices, are in legal battles over privacy violations, and are “prominent players in location surveillance”, the researchers say.

“Static analysis on Apple iOS apps is limited by logistical barriers and uncertain legal status”, the researchers say, meaning they cannot examine X-Mode on iPhones as easily, but they point out that Android has a 73 per cent market share globally.

In response to the investigation, X-Mode’s chief executive Josh Anton told TechCrunch: “The ban on X-Mode’s SDK has broader ecosystem implications considering X-Mode collected similar mobile app data as most advertising SDKs. Apple and Google have set the precedent that they can determine private enterprises’ ability to collect and use mobile app data even when a majority of our publishers had secondary consent for the collection and use of location data.”

He continued: “We’ve recently sent a letter to Apple and Google to understand how we can best resolve this issue together so that we can both continue to use location data to save lives and continue to power the tech communities’ ability to build location-based products. We believe it’s important to ensure that Apple and Google hold X-Mode to the same standard they hold upon themselves when it comes to the collection and use of location data.”

Google did not respond to a request for comment from The Independent before time of publication.
