Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple, Google to ban location tracking firm that sold data to US military

Apple and Google will take steps to ban location data broker X-Mode from their platforms after revelations of the company's ties to military contractors.

X-Mode obtains location data from apps on the App Store and Google Play Store and sells that information to contractors associated with the U.S. military and national security industry.

According to The Wall Street Journal, both Apple and Google told developers that they must remove X-Mode software development kits (SDK) and location trackers from their apps.

For Google, developers have seven days, while Apple is reportedly giving app makers two weeks. In the case of the Google Play Store, if developers don't comply with the order to remove X-Mode code from within their apps, their platforms could be banned.

Both tech giants disclosed their decision to rid their app stores of X-Mode software to Sen. Ron Wyden (D-OR), who is carrying out an investigation of the sale of location data to government agencies.

Back in November, Motherboard reported that X-Mode obtained location data from apps on the App Store, including those specifically targeting Muslims. From there, some of the data ends up in the hands of U.S. military contractors.

At the time of the report, X-Mode code — which it pays developers to embed within apps — was discovered in about 400 apps. Some of the developers who used the code in their apps were unaware of the military connections.

In a review of the App Store carried out by Apple and provided to Sen. Wyden's office, about 100 apps made by 30 developers contained X-Mode SDKs. Apple told developers that X-Mode violated its terms of service by "surreptitiously" building user profiles based on collected data.

Technically, consumers opt in to the location tracking by granting app permissions and accepting app terms of service.

In response to The Journal, X-Mode said it was "re-evaluating" its government contracts, but added that those contracts prevented third parties from linking device location data to personally identifiable information like a name or address.

News of the location data harvesting comes amid a push by Apple to strengthen the privacy of its iOS platform. Going forward, Apple will require developers to let users know what type of data they collect and how it is used. A feature coming in iOS 14 will also make a specific type of tracker made for the advertising industry explicitly opt in.



4 Comments

CloudTalkin 5 Years · 916 comments

In response to The Journal, X-Mode said it was "re-evaluating" its government contracts, but added that those contracts prevented third parties from linking device location data to personally identifiable information like a name or address.

This BS rings so hollow, anyone spewing it should be punched in the face repeatedly.  It's entirely too well known that personally identifiable info like name and address isn't even close to being necessary to identify an individual.  It's pablum for the tech illiterate.  

It's good that they're both getting rid of X-Mode, but there are still many more data brokers out their hoovering up and selling as much data as fast as they can before they get caught.  When they get caught they'll trot out that same tired BS about not linking blah blah blah.


bloggerblog 16 Years · 2520 comments

This of course raises many questions. How’s it even possible that this passed both Google’s and Apple’s app approval process? I was under the impression that iOS was secure and apps go through thorough checking before they’re approved. How can more than a hundred apps slip through using the same malicious api. The unidentifiable part is total BS. If it’s unidentifiable then why focus on a single race or religion. I hope this instance is followed by a massive lawsuit against Google and Apple.

CloudTalkin 5 Years · 916 comments

This of course raises many questions. How’s it even possible that this passed both Google’s and Apple’s app approval process? I was under the impression that iOS was secure and apps go through thorough checking before they’re approved. How can more than a hundred apps slip through using the same malicious api. The unidentifiable part is total BS. If it’s unidentifiable then why focus on a single race or religion. I hope this instance is followed by a massive lawsuit against Google and Apple.

You may be misunderstanding the situation. The API isn't malicious, in and of itself.  It collects location data like many other API's.  So there's nothing slipping through and nothing to catch.  The problem occurs after the fact when X-Mode sells that collected data to other parties like defense contractors.  There are a number of SDK's that devs use to make the job of app development easier.  Unfortunately, they rarely know what every component of that SDK does, and worse they have no idea what companies like X-Mode do with the data harvested via their dev kits.

Lawsuit for what?  Not being omniscient regarding the activities of a company that chose to subvert a normal software function.

Rayz2016 8 Years · 6957 comments

This of course raises many questions. How’s it even possible that this passed both Google’s and Apple’s app approval process? I was under the impression that iOS was secure and apps go through thorough checking before they’re approved. How can more than a hundred apps slip through using the same malicious api. The unidentifiable part is total BS. If it’s unidentifiable then why focus on a single race or religion. I hope this instance is followed by a massive lawsuit against Google and Apple.
You may be misunderstanding the situation. The API isn't malicious, in and of itself.  It collects location data like many other API's.  So there's nothing slipping through and nothing to catch.  The problem occurs after the fact when X-Mode sells that collected data to other parties like defense contractors.  There are a number of SDK's that devs use to make the job of app development easier.  Unfortunately, they rarely know what every component of that SDK does, and worse they have no idea what companies like X-Mode do with the data harvested via their dev kits.

Lawsuit for what?  Not being omniscient regarding the activities of a company that chose to subvert a normal software function.

Nicely schooled. 👏🏾