23.01.2025 16:00:00
Дата публикации
Popular mobile apps including Subway Surfers, Candy Crush, and Tinder have been caught collecting user geolocation data at scale. Hackers broke into major data broker Gravy Analytics and discovered that thousands of apps were collecting geolocation data, often without the knowledge of users or developers.
The hack revealed that Gravy Analytics was receiving data through advertising ecosystems rather than embedded app codes.
The list of affected apps included MyFitnessPal, Grindr, Temple Run, as well as prayer apps and VPN services. The data includes IP addresses used to determine the location of devices.
Gravy Analytics, through its subsidiary Venntel, not only works with private clients but also with US government agencies, selling the collected data to them.
“This is the first time we have evidence that one of the largest data brokers, selling data to both commercial and government clients, is getting its data through ad bidding rather than code embedded in apps,” said Zach Edwards, an analyst at Silent Push who has studied the location data industry.
What’s particularly troubling is that the data is being collected without the knowledge of users and often the app developers themselves. The hackers found that the list included Android and iOS apps, including pregnancy trackers and religious apps.
Tinder and Grindr have already issued statements denying any connection to Gravy Analytics. But the case once again highlights the need for stricter global privacy regulations.
The US Federal Trade Commission previously banned Mobilewalla from using ad auction data for third-party purposes.
Gravy Analytics has been criticized before, but the scale of data leaks through ad networks is unprecedented.
It’s important for users to limit apps’ access to geolocation and use ad blockers. However, such measures can only partially reduce the risks.
The situation with Gravy Analytics highlights the vulnerability of mobile applications and the global nature of the problem.
The hack revealed that Gravy Analytics was receiving data through advertising ecosystems rather than embedded app codes.
The list of affected apps included MyFitnessPal, Grindr, Temple Run, as well as prayer apps and VPN services. The data includes IP addresses used to determine the location of devices.
Gravy Analytics, through its subsidiary Venntel, not only works with private clients but also with US government agencies, selling the collected data to them.
“This is the first time we have evidence that one of the largest data brokers, selling data to both commercial and government clients, is getting its data through ad bidding rather than code embedded in apps,” said Zach Edwards, an analyst at Silent Push who has studied the location data industry.
What’s particularly troubling is that the data is being collected without the knowledge of users and often the app developers themselves. The hackers found that the list included Android and iOS apps, including pregnancy trackers and religious apps.
Tinder and Grindr have already issued statements denying any connection to Gravy Analytics. But the case once again highlights the need for stricter global privacy regulations.
The US Federal Trade Commission previously banned Mobilewalla from using ad auction data for third-party purposes.
Gravy Analytics has been criticized before, but the scale of data leaks through ad networks is unprecedented.
It’s important for users to limit apps’ access to geolocation and use ad blockers. However, such measures can only partially reduce the risks.
The situation with Gravy Analytics highlights the vulnerability of mobile applications and the global nature of the problem.
(the text translation was done automatically)
