To examine the practices of the location tracking industry, The New York Times tested apps on the Google Android and Apple iOS platforms, and evaluated data from a company that analyzed thousands of mobile apps.
Testing Individual Apps
Reporters tested both the Android and iOS versions of 10 apps: nine that had been flagged by academics researching Android devices or by people in the mobile location industry, as well as The Times’s own app. Tests were done between July and November.
Reporters downloaded and tested each app individually, deleting it before moving on to the next. A technical analysis tool captured all the information sent and received by the phones. Computer security research tools helped reveal many of the transmissions.
Reporters granted permission to collect location data to each app that requested it. The Times recorded all interactions with the app over two five-minute sessions, including pop-up messages and other prompts related to data use when the apps asked for location details.
The Times analyzed the location transmissions from each app by looking for the latitude and longitude where testing was conducted, as well as known Wi-Fi IDs, which can be used to triangulate location. Reporters tallied only the transmissions precise enough to place the device in the correct building.
A Times reporter identified each internet server address that received precise location data, using an online forensics company, DomainTools.
Reporters examined the websites, marketing materials and privacy policies of the companies receiving precise location data. Companies that deal only in services such as fraud prevention were separated out. Reporters then counted the transmissions of precise location data to advertising, marketing and analysis companies.
The Times app did not request precise location data and did not send it. It sent location data to several companies based on an IP address that placed the device elsewhere within the city.
Evaluating App Code
To get a broader look at the use of location-collection technology in apps, The Times used data from MightySignal, a firm that scans the code in thousands of Android and iOS apps.
Frequently, location data companies make packages of code that collect phones’ whereabouts. Developers who add this code to their apps can get paid for location-targeted ads, or earn money for providing the location data, or get free mapping or other services for their apps.
The Times asked MightySignal to look for packages of code made by the more than 25 location-collection companies that the firm tracks. The Times excluded code packages that collect location primarily for mapping, as opposed to the sale or use of the data.
The Times restricted results to apps that MightySignal had scanned within the previous six months. Many little-used apps on Android include location-gathering code, so The Times filtered out apps with fewer than 5,000 downloads. Because Apple does not provide download figures for its apps, the iOS apps were not sorted by user base.
Tallying Location Companies
Times reporters examined each company identified in the testing. Those that said they didn’t handle precise location data at all, despite having received it, were not counted as part of the location-tracking industry. In these cases, apps may have sent the data to multiple companies and relied on the recipients to delete it if they didn’t want it.
The Times also did not count companies that were merely processing the data for the app — for security, for example, or to tell the app maker about its own users.
Many location companies receive data from app makers rather than from the apps themselves, a means of sharing that can’t be detected through testing. So reporters also relied on other sources to identify location companies, including outside analysis of the marketplace, privacy disclosures required under a new European law and interviews with dozens of people affiliated with the industry.
The apps included in the test are listed below, along with comment from the companies. Many other apps share data in similar ways; this list should not be used as a guide to problematic apps. With the exception of one children’s app, each app below collected location data on both Android and iOS when a user gave permission.
The Weather Channel
GasBuddy notified users of its iOS app early in the installation process that data could be used to “analyze industry trends” and advertising. It later added the same language to its Android app.
DC Metro and Bus
The iOS version mentioned that data could be used for advertising. The app’s developer said that companies providing the location-gathering code had indicated that the data was collected anonymously and used only for ads, and that he was reviewing the arrangements.
Tube Map – London Underground
The company, Mapway, did not respond to requests for comment.
The company said it could not discuss any data practices because of nondisclosure agreements.
SnipSnap Coupon App
SnipSnap declined to comment.
Masha and the Bear: Free Animal Games for Kids
The company said that it was stopping the sharing of location from its games. The game collected precise location data only on Android, not on iOS, where it was named Masha and the Bear: Vet Games.
Orignially published in NYT.