Sara Morrison: how SDKs, hidden trackers in your phone, work

In a good article on Recode, Sara Morrison gives a useful overview of the trackers hidden in smartphone SDKs.

Some highlights:

Your phone is the ideal tool for advertisers and data brokers, both as a means of collecting your information and serving you ads based on it. This is usually done through software development kits, or SDKs, which these companies provide to app developers for free in exchange for the information they can collect from them, or a cut of the ads they can sell through them. When you turn on location services for a weather app so it can give you a localized forecast, you may be sending your location data back to someone else.

How an SDK tracks users:

SDKs themselves are not trackers, but they are the means through which most tracking through mobile apps occurs. Simply put, an SDK is a package of tools that helps an app function in some way. Apple and Android offer operating system SDKs so developers can build their apps for their respective devices, and third parties offer SDKs that allow developers to add certain features to those apps quickly and with minimal effort.

For instance, if a developer wants to let users sign into an app with their Facebook accounts, they’d want Facebook’s Login SDK [1]. If their app needs maps or map data, they could use Google’s Map SDK [2]. Without SDKs, developers would have to build those things entirely from scratch. That’s time-consuming and could be beyond a small developer’s abilities or budgets. SDKs may also help apps communicate with third parties through what is called an application programming interface, or API. Using the Facebook Login SDK as an example again, the SDK helps the developer build and implement the sign-in feature in their app, while the API allows the app and Facebook to communicate with each other so the sign-in can happen.

Here’s where the tracking comes in. The data your device’s app sends to a third party can be used to build a profile of the app’s user, which advertisers can then use for targeted ads. You likely don’t even know what data is leaving your device, how it can be used to track you, or where it’s going. Location data gets the most attention because it feels the most invasive (as the New York Times put it, “Your apps know where you were last night, and they’re not keeping it secret” [3]), but there are plenty of other ways [4] to track you or make inferences about who you are to target ads to you. Companies want to put their SDKs in as many apps as possible in order to collect as much information from as many people as possible. Even developers may not know (or care) when and how their users’ privacy is being invaded.

I suggest reading the whole article on Recode [5].


References

  1. Facebook Login for the Web with the JavaScript SDK
  2. Overview | Maps SDK for iOS | Google Developers
  3. Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret – The New York Times
  4. Android Apps May Be Snooping on You More Than You Realize
  5. How SDKs, hidden trackers in your phone, work – Vox
