A collaborative effort between the Yale Privacy Lab and Exodus Privacy has shed light on dozens of invasive trackers that are embedded within Android applications and record user activity, sometimes without user consent.
The results of this study, published last week, come to show that the practice of collecting user data via third-party tracking code has become rampant among Android app developers and is now on par with what's happening on most of today's popular websites.
The two investigative teams found tracking scripts not only in lesser known Android applications, where one might expect app developers to use such practices to monetize their small userbases, but also inside highly popular apps —such as Uber, Twitter, Tinder, Soundcloud, or Spotify.
The Yale and Exodus investigation resulted in the creation of a dedicated website that now lists all apps using tracking code and a list of trackers, used by these apps.
In total, researchers said they identified 44 trackers embedded in over 300 Android apps. Overall, three-quarters of the 300+ apps Exodus analyzed contained at least one tracking component, with Google's CrashLytics and DoubleClick being the most popular trackers.
While some trackers collected only app crash reports (such as Google's CrashLytics), some of these trackers also collected app usage info and user details, some of which were sensitive in nature.
In addition, Yale and Exodus researchers also point out that most of these tracking providers also provide homolog iOS components, which means the problem most likely affects iOS apps as well.
Exodus released signatures for each tracker, so mobile security vendors can embed them in their security scanners and detect apps that use any of these services.