Hundreds of Android Apps Have Hidden Trackers

Worried that your smartphone apps may be tracking you? You should, according to a new report that found dozens of tracking tools in hundreds of Android apps in the Google Play Store.



There's even an interactive website that lets you check which trackers your favorite Android apps run. A few apps have none; many have only diagnostic trackers; but some have seven or eight trackers, including some that track your physical location and others that share your user behavior with third parties.

Users of iPhones have no reason to gloat, as their apps may have just as many trackers. It's just that the researchers, from Yale University's Privacy Lab and the French nonprofit organization Exodus Privacy, couldn't get permission to analyze iOS apps. 

"Many of the same companies distributing Google Play apps also distribute apps via Apple, and tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms," the Yale report notes.

Apps for CVS Pharmacy, The Weather Channel, Super-Bright LED Flashlight, ESPN, WeatherBug and the rival French newspapers Le Figaro and Le Monde each had seven trackers.

To safeguard your privacy, keep only those apps that you regularly use installed on your smartphone. Delete those apps or games you're done with. Android users should always examine an app's permissions before they install it; if a game wants to take photos or make phone calls, that should raise a red flag.

MORE: Protect Your Computer with This One Simple Trick

Yale Privacy Lab and Exodus Privacy analyzed more than 400 Android apps and found that about 75 percent contained tracking software. (Among those that didn't: apps for AdBlock Plus, 1Password, Apple's Move to iOS, the Brave browser, Kodi, Lego Star Wars Yoda II, Netflix, Signal Private Messenger, Waze, Private Internet Access, the privacy-conscious search engine DuckDuckGo, Dropbox, TunnelBear VPN and Trump International Hotel Las Vegas.)

Quite a few apps, including those for ProtonMail, Telegram Messenger, Twitter and Wikipedia, had only one or two diagnostic trackers such as CrashLytics or HockeyApp, which seem to be designed to transmit the causes of app crashes to developers. Those seem benign to us.

But most apps had at least four trackers, many of them designed to analyze user behavior and target ads. The apps with the most trackers that we could find (we didn't check them all) included those for Imgur and the French radio station NRJ Radio, which each had eight trackers. Apps for CVS Pharmacy, The Weather Channel, Super-Bright LED Flashlight, ESPN, WeatherBug and the rival French newspapers Le Figaro and Le Monde each had seven trackers.

There were some surprises. Users of the CyberGhost VPN service might not be pleased to learn that its Android app includes the Loggly tracker, which appears to collect anonymized user data and share it with third parties. The Firefox browser app includes Google's DoubleClick ad tracker and the LeanPlum marketing platform.

NordVPN includes DoubleClick and TUNE, which tracks user behavior. LastPass includes DoubleClick. The Christian dating service Christian Mingle includes App-Boy, which collects social-media activity and shares it with third parties. The app for Ghostery, a privacy service that provided this study's authors with much of the information about trackers, itself contains Flurry as well as CrashLytics.

On the upside, Candy Crush Saga included only DoubleClick, and Temple Run had only DoubleClick and its Yahoo-owned equivalent Flurry.

In its press release, Yale Privacy Lab said these findings showed the need for "increased transparency into privacy and security practice as it relates to these trackers," adding that all smartphone users "deserve a trusted chain of software development, distribution and installation that does not include unknown or masked third-party code."

Best Identity Protection Services

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.