New Research: Popular Thanksgiving Recipe Apps Steal Mounds of Personal Data
Par Mozilla | 22 novembre 2021
Eight popular Android recipe apps are surreptitiously collecting and sharing intimate user data
Android users are opted into this tracking by default, unlike iPhone users
(PORTLAND, OR, U.S. | MONDAY, NOVEMBER 22, 2021) -- Some of the most popular Android recipe apps are bringing along uninvited guests this Thanksgiving: a hoard of third-party trackers that secretly scoop up and share users’ personal data.
New research from Mozilla, titled “Uninvited Guests: Popular Android recipe apps are loaded with trackers,” reveals that eight popular recipe apps are aggressively collecting and then sharing users’ personal data with advertising and marketing companies. Among the eight are apps created by the BBC and the Food Network.
Some of the apps investigated collect an extraordinary amount of personal data, like users’ precise latitude and longitude; their clicks, scrolls, views, and other behaviors; and minutiae like battery level, whether or not headphones are plugged in, and whether or not the phone is jailbroken.
This data is then shared with advertising and marketing companies. Some companies are instantly recognizable names, like Facebook, Google, and Amazon; others are less-known companies like Braze and Branch.
Says Becca Ricks, Senior Researcher at Mozilla: “Cookies, beacons, pixels, and other tracking technologies are nearly impossible to avoid on the internet. But our investigation into these Android apps reveals that third-party tracking on mobile apps can balloon out of control.”
Ricks continues: “Some of the recipe apps we analyzed were so loaded with advertising trackers, they seemed to exist just for the purpose of tracking ads and mining user data, rather than to dispense cooking advice.”
“Some of the recipe apps we analyzed were so loaded with advertising trackers, they seemed to exist just for the purpose of tracking ads and mining user data."
Becca Ricks, Senior Researcher, Mozilla
To conduct the research, Ricks used a factory-reset Samsung device and a new Google account to install and use each app. To observe the app data flowing in and out of the phone, she used open-source tool mitmproxy.
This aggressive tracking is playing out amid a roiling feud between Android and Apple over privacy and user control. Apple now requires users to opt in to third-party tracking through its new App Tracking Transparency feature in iOS 14.5. (However, enforcement of that feature is another story, as recent research has shown.)
Meanwhile, Google’s Android has only promised that users will have the ability to opt out — meaning uninvited guests and aggressive tracking will continue to be the default.
Top findings include:
- All of the eight apps investigated were sharing data with advertising and marketing companies. The most data-hungry apps were Recipes Home, Allrecipes, and Food Network Kitchen.
- The most common third party ad trackers were Facebook and Google DoubleClick. The ad trackers MoPub, Branch, Kochava, Tapjoy, and Vungle in particular collected a lot of device data. The most common analytics trackers were AppsFlyer, Apptentive, Google Analytics, and Adjust.
- At least 6 of the apps were sharing ad IDs with advertising/marketing companies. In many cases, this included: advertising IDs, precise location data (latitude/longitude), and device data (model, make, OS version, etc). A number also were sharing behavioral data — app clicks, scrolls, and views — with advertisers.