New thunderclouds over Facebook: the social network giant is accused of tracking non-users via Android apps.

According to a report presented by Privacy International yesterday at the 35C3 hacking conference held in Germany, the list of Android apps that send tracking and personal information back to Facebook includes dozens of apps, among them Kayak, Yelp, and Shazam.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system.” reads the report published by Privacy International.

“Using the free and open source software tool called “mitmproxy”, an interactive HTTPS proxy, Privacy International has analyzed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

Experts at Privacy International analyzed 34 Android apps and found that at least 61 percent of them transfer data to Facebook the moment a user opens the app. Data are sent to Facebook whether people have a Facebook account or not, or whether they are logged into Facebook or not.

Some of the apps routinely send the social network data that is very detailed and sometimes sensitive.

The Android apps share information on the device being used and on the language and time zone settings. They also send Facebook other sensitive data, including a woman’s period.
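The following is an added example, not Privacy International's tooling or code from the report: a small Python audit over request rows exported from an intercepting proxy such as mitmproxy, reporting which apps contact Facebook shortly after launch and which field names they send. The `facebook.com` host match, the 5-second launch window, and every capture row and parameter name below are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

FACEBOOK_DOMAIN = "facebook.com"   # assumption: SDK traffic goes to *.facebook.com
LAUNCH_WINDOW_S = 5.0              # assumption: "on open" means the first 5 seconds

# Constructed capture rows: (app, seconds since launch, URL, form-encoded body)
CAPTURE = [
    ("app.one", 0.8, "https://graph.facebook.com/v3.2/000000/activities",
     "event=MOBILE_APP_INSTALL&advertiser_id=00000000-0000&extinfo=%5B%22a2%22%5D"),
    ("app.one", 40.0, "https://graph.facebook.com/v3.2/000000/activities",
     "event=CUSTOM_APP_EVENTS&custom_events=%5B%5D"),
    # Lookalike host: must not be counted as Facebook.
    ("app.two", 1.1, "https://graph.facebook.com.example.net/collect", "id=1"),
    ("app.three", 30.0, "https://graph.facebook.com/v3.2/111111/activities?locale=en_US",
     "event=CUSTOM_APP_EVENTS"),
]

def is_facebook(url):
    """True only for facebook.com itself or a real subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == FACEBOOK_DOMAIN or host.endswith("." + FACEBOOK_DOMAIN)

def audit(capture, window=LAUNCH_WINDOW_S):
    """Per app: did it contact Facebook at launch, and which field names were sent."""
    report = {}
    for app, t, url, body in capture:
        entry = report.setdefault(app, {"at_launch": False, "fields": set()})
        if not is_facebook(url):
            continue
        entry["at_launch"] = entry["at_launch"] or t <= window
        params = parse_qsl(urlsplit(url).query) + parse_qsl(body)
        entry["fields"].update(name for name, _ in params)
    return report

def launch_share(report):
    """Fraction of tested apps that sent data to Facebook within the launch window."""
    if not report:
        return 0.0
    return sum(e["at_launch"] for e in report.values()) / len(report)

if __name__ == "__main__":
    rep = audit(CAPTURE)
    for app, e in sorted(rep.items()):
        print(app, e["at_launch"], sorted(e["fields"]))
    print(f"{launch_share(rep):.0%} of apps contacted Facebook at launch")
```

Matching on the parsed hostname rather than a substring of the URL keeps lookalike domains out of the count.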

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.” continues the report.

“For example, an individual who has installed the following apps that we have tested, “Qibla Connect” (a Muslim prayer app), “Period Tracker Clue” (a period tracker), “Indeed” (a job search app), “My Talking Tom” (a children’s app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.”

Privacy International explained that hundreds of firms collect users’ data; Google and Facebook are the second ones.

The report includes a detailed analysis of each app the experts tested.

Analysis of individual apps can be found on the Privacy International website.

Privacy International researchers criticized the Facebook SDK for Android, saying data are shared with Facebook without user consent.

Facebook denied any accusation and replied to the report, highlighting that developers were responsible for configuring the apps to share or not share data.

“Facebook places a legal and contractual obligation on the developer who they see as the data controller to get the consent that is required from users before sharing data with Facebook by the SDK,” said Frederike Kaltheuner, researcher with Privacy International.

Facebook pointed out that most developers used the SDK’s default settings, which is to share the data.

“The question [for developers] is, do you really need to integrate the SDK, and if you integrate, can you do it selectively,” Kaltheuner added. “You shouldn’t assume that the default implementation is compliance. And, whenever you do implement it, be very fair and transparent to users about how exactly you’re collecting data.”

“Without any further transparency from Facebook, it is impossible to know for certain, how the data that we have described in this report is being used. This is particularly the case since Facebook has been less than transparent about the ways in which it uses data of non-Facebook users in the past.” concludes the report.

“Our findings also raise a number of legal questions.”

Pierluigi Paganini

(SecurityAffairs – hacking, privacy)
