Advertisers are hijacking apps to beat Apple and developers' privacy efforts

A new report claims that popular iPhone apps are being used by advertisers to get your location details, despite Apple's App Tracking Transparency — and even without the app developers' knowledge.

Apple introduced App Tracking Transparency (ATT) with iOS 14 back in 2020, and was so effective at blocking advertisers from harvesting and then selling user data, that it reportedly made Facebook's revenue drop by $12.8 billion in a year. However, a new report claims that advertisers have found other ways to track and monetise user data.

Some widely used apps, including Candy Crush, Tinder, and MyFitnessPal, are allegedly being exploited by rogue actors within the advertising industry to collect sensitive location data on an enormous scale. This has been claimed before, but now 404 Media reports that a hack of location data company Gravy Analytics has revealed evidence of thousands of popular apps being unknowingly utilized to provide mass location data to advertisers.

Gravy Analytics, and its subsidiary Venntel, are chiefly known for providing global location data to U.S. law enforcement. But now it appears that the firms are acquiring this information through this advertising system.

Advertising ecosystem enables covert data collection

It reportedly works by not even attempting to break Apple's ATT, but instead by watching how ads are served to apps. Ads are sold through what's called Real-Time Bidding (RTB), which sees bidding to place ads in apps.

Candy Crush Saga is one app that is claimed to have been targeted

This RTB system generates a constant flow of data as advertisers target users with personalized ads. Unlike traditional methods where app developers might embed tracking code themselves, this approach allows brokers to collect data without the developers' or users' knowledge, because it's taking place outside of the app itself.

So rather than a developer including code to harvest and sell data, the very mechanism of how the online advertising infrastructure itself works are what are being exploited. It means that advertisers are bypassing all the privacy limitations that Apple and developers do — or can — implement.

Advertising ecosystem enables covert data collection

Users can and should still take steps to protect themselves, such as blocking ads, using privacy-focused apps, or opting for ad-free versions to reduce exposure to trackers. However, because of the nature of this data harvesting, no one individual or company can address the sheer scale of the problem.

The Federal Trade Commission (FTC), however, did recently bann Mobilewalla, a similar location-data company, from engaging in RTB data scraping. Consequently, such regulatory actions may pressure other companies, like Gravy Analytics, to change their data practices.

Still, unless the RTB ad platforms are radically changed, users will remain at risk.

The news of this advertising practice comes shortly after Apple publicly reaffirmed its privacy stance, following its settlement of a a lawsuit over the issue.