An analytics firm that owns at least 20 apps on the App Store and Google Play Store has been harvesting millions of people’s data, according to media reports.
San Francisco-based analytics firm Sensor Tower has been taking personally identifiable information from users of VPNs and ad-blocking apps that the company owns, reports BuzzFeed.
These apps – which don’t reveal any connection to Sensor Tower, nor that they feed user data to the firm – collectively have more than 35 million downloads, it says.
Sensor Tower has owned at least 20 Android and iOS, including Adblock Focus, for removing unwanted ads, and Luna VPN for ‘private browsing’ on Android and iOS.
It’s unknown what the personally identifiable information relates to specifically.
In a statement to MailOnline, Sensor Tower denied the claims in the report.
‘Based on the feedback we’ve received, we’re taking immediate steps to make Sensor Tower’s connection to our apps perfectly clear, and adding even more visibility around the data their users share with us,’ said Randy Nelson, head of mobile insights at Sensor Tower, told MailOnline.
One installed, Sensor Tower’s apps prompt its user to install a root certificate, which gives its issuer – a certificate authority, in this case Sensor Tower – access to traffic and data that passes through a phone.
Armando Orozco, an Android analyst for Malwarebytes, told BuzzFeed that giving root privileges to an app exposes a user to significant risk.
‘Your typical user is going to go through this and think, “Oh, I‘m blocking ads”, and not really be aware of how invasive this could be,’ he said.
Sensor Tower allegedly bypasses root certificate privilege restrictions that have been set by Apple and Google in the interest of the user.
Sensor Tower does this by prompting users to install a certificate through an external website after one of its apps is downloaded, the report claims.
For example, smartphone users who have just downloaded Luna VPN can block ads on YouTube if they add an Adblock extension – another Sensor Tower product – and this results in a root certificate installation, it says.
Luna VPN reportedly offers to block adds on YouTube of a way of bypassing root certificate privilege restrictions set by Google and Apple on Android and iOS respectively
A dozen of the Sensor Tower apps were previously removed from the iOS App Store due to ‘violations’, an Apple spokesperson told BuzzFeed.
This includes Adblock Focus, while another, Mobile Data, was removed from the Google Play store, it claims.
In a statement to MailOnline, Sensor Tower denied the suggestion that it collects or stores personally identifiable information.
‘Based on the way our apps are designed, such data is separated before we could possibly view or interact with it, and all we see are ad creatives being served to users,’ said Nelson.
‘What we do store is extremely high level, aggregated advertising data that may demonstrate trends that we share with customers.’
Nelson said that the firm’s privacy policy follows best practices and makes its ‘data use clear’.
‘We want to reiterate that our apps do not collect any personally identifiable information, and therefore it cannot be shared with any other entity, Sensor Tower or otherwise.’
‘We’ve made this very clear in our privacy policy, which users actively opt into during the apps’ onboarding processes after being shown an unambiguous disclaimer detailing what data is shared with us.
‘As a routine matter, and as our business evolves, we’ll always take a privacy-centric approach to new features to help ensure that any personally identifiable information remains uncollected and is fully safeguarded.’