Multiple Free VPNs, Ad-Blocker Apps Found Harvesting User Data
You might not be familiar with Sensor Tower, but this mobile analytics and marketing firm has become popular with developers and investors. Regardless of your familiarity with Sensor Tower, you may have been feeding it data about your online habits without knowing. According to a Buzzfeed News report, Sensor Tower has released multiple free VPN and ad-blocking apps on Android and iOS that snoop on user data. These apps have been downloaded more than 35 million times.
Sensor Tower has reportedly owned about 20 iOS and Android apps since 2015. Most recently, the Play Store hosted Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. Meanwhile, Apple’s App Store had Adblock Focus and Luna VPN. These apps did not disclose their connection to Sensor Tower, but they do ask users to install a root certificate for Sensor Tower that allows the company to monitor all the traffic going through a device.
The company claims it only collects anonymized usage statistics — something it tells users when they first start using the apps. However, developers and privacy advocates know “anonymized” data is often anything but anonymous. You’re trusting a company that won’t even put its name on apps to only collect “safe” data when it has full access to your online activity. Signal Tower claims it doesn’t disclose its ownership of those apps for “competitive reasons.” Buzzfeed made the connection by examining the apps’ code and finding evidence that all were built by Sensor Tower developers.
Sensor Tower’s app catalog has shrunk over the past several years because of policy violations. The company has thus far avoided scrutiny thanks to the numerous developer accounts it uses to hide its involvement. As of this week, Apple has removed Adblock Focus, and Google has nuked Mobile Data. Both companies are continuing to investigate, and it seems likely the rest of Sensor Tower’s apps will soon go kaput. Google and Apple both prohibit the use of root certificates in apps because of the privacy risk to users. Signal Tower only got away with it for this long because the apps prompt users to install the certificates via a third-party website.
If you’re using any of the apps above, it’s a good idea to uninstall them now. If any of them tricked you into installing a root certificate, you ought to remove that as well. In iOS, that’s under Settings > General > Profile. The location varies on Android devices, but it’s usually in Settings > Security > Trusted Credentials. In the future, just don’t install free VPNs.
- Protect Your Privacy With the 5 Best VPNs
- PCMag: Best VPN Services for 2020
- Avast’s Free Antivirus Harvests All Your Clicks, Sells Them to Third-Parties