Mapstr: the address sharing app that leaks your name and geolocation

Applications that access your location deserve special attention

Published by Pixel de Tracking on March 1, 2020

Apps that access your location: a major privacy risk

If tracking via companies you've never heard of is widespread on the web, it is possible to limit it:

  • Via a browser with protective measures such as Safari, Firefox or Brave
  • Via an ad blocker like uBlock Origin
  • By blocking third-party cookies, or deleting cookies regularly
  • Using private browsing

In apps, it is much harder: the options exist, but they are difficult to set up (see installing a specialized VPN on iOS). Apple and then Google opened Pandora's box with their respective App Stores, allowing app developers to access highly personal data (geolocation, microphone, contacts, etc.).

This access is very often legitimate (Instagram needs access to your camera to work, Google Maps is more useful if it can access your location, etc.) and you can also choose whether to allow an app to access a category of data (for example, geolocation). But you are probably unaware that this information can be transmitted to third-party companies (via SDKs, code from third-party companies installed directly in the app, equivalent to third-party JavaScript code in web apps).

Your location is highly sensitive data: knowing it makes it possible to reconstruct your life, where you sleep, where you work, your movements, and so on. On this subject, read this excellent New York Times investigation, based on a massive data leak (12 million Americans, including Donald Trump) from a personal data broker.

An example with Mapstr, an address sharing app

Wanting to check how the apps I use respect my privacy, I looked at the requests sent by the Mapstr app on my iPhone. Mapstr is a French app that lets me save good restaurant and bar addresses on a map, and also access recommendations from my friends.

First of all, auditing requests sent by an app is not as simple as doing it in a desktop browser. I therefore had to use Charles Proxy, a paid app (€9.99) that acts as an internal VPN to intercept requests sent by your smartphone. Here is the protocol I followed:

  • Close the various background applications
  • Launch the Charles Proxy app and enable tracking
  • Launch Mapstr and browse the app
  • Then export the log of your session if you want to study it more comfortably on your computer (the desktop Charles Proxy app is free in its basic version)
  • Look at the domains of the requests sent, it's informative

tracking_mapstr

Several surprises:

  • Mapstr sends many requests to Facebook (without my location). Facebook offers many services to apps, so it is difficult to know which service Mapstr uses (here are the different methods offered by Facebook's Graph API), but it seems that Mapstr uses Facebook Analytics: I see "activities" and "user_properties" events going through. My Mapstr browsing enriches the information Facebook holds about me (even though, in this case, I do not have a Facebook account). Problem: I never consented to Facebook tracking me on Mapstr.
  • Mapstr sends my location to Kapten and Citymapper. Why? By digging into the app, I can ask Mapstr for directions to an address; Mapstr will then show how long the trip takes by Uber, Kapten, or via Citymapper and Google Maps. Problem: Mapstr sends my location to these companies without me asking for directions; it could wait a little. That said, it seems that no identifier was sent in these requests, so the information leak is limited (especially since I have installed these apps).
  • More seriously, Mapstr sends a lot of information, including my location, my name and my email address, to Amplitude. My most personal data is therefore sent, together with my name, to an American company with which I have no relationship. What benefit does Mapstr get from this? Amplitude is an analytics solution, which does not need my name, my email, or my location to work properly.

Note that I had previously indicated in the iOS settings that I wanted limited advertising tracking (but Mapstr does not take this into account).

limited_advertising_tracking

To transmit all this personal data, Mapstr needs my consent, which it seems to have forgotten.

Consent management on Mapstr

When you install the Mapstr app, you are greeted with this screen:

Home_Mapstr

In very small print, you can read: "By registering you accept our Terms of Use". Obviously no one is going to click on it, but it does say this:

Mapstr reserves the right to collect various directly and indirectly identifying data, in particular through cookies, in order to improve the customer experience and usability of the application and the Services, perform statistical analyses, and personalize the Services.

This is about analytics and personal data. But Mapstr does not specify that it sends this personal data to a third party (Amplitude), nor that it also sends your location.

Once you have created an account, you can access the privacy policy, written in English. It states that:

  • Mapstr uses your data, among other things, for statistical purposes ("to carry out statistics") and to improve its app ("to improve our service").
  • The legal basis is acceptance of the famous Terms of Use.
  • The collected data listed is as follows: "your name, surname, possibly your Facebook username, profile picture, friends’ name, as well as your language and country." In reality, you transmit many other pieces of information to Mapstr and Amplitude, including your location (but also your mobile carrier, your smartphone model, etc.).
  • Who receives your data? Here again Mapstr is very vague, and still does not indicate that it transmits certain personal information to third parties: "We do not resell your personal data. The business model of the Mapstr application is by no means based on the sale of your personal data to third parties. In this respect, the only persons authorized to use your data are Hulab employees as part of your use of the Mapstr application"
  • Is your data transferred outside the European Union? Here the lie is clear: Mapstr says it does not transmit your data outside the European Union: "None of your data is transferred outside the European Union and our servers are located within the territory of the EU." Facebook and Intercom are American companies.

Is this negligence on the part of Mapstr? This is likely, but in the absence of sanctions from the CNIL, the pressure to respect the privacy of Internet users is low. What happens to other apps that need your geolocation?

Another test with Citymapper

Following the Mapstr test, I wanted to see how Citymapper managed my personal data, since I regularly use the app for getting around. Via Charles Proxy, here are the domains of the requests sent:

citymapper_queries

Several trackers are still present:

  • Crashlytics monitors bugs and app crashes; this tool belongs to Google (which bought it from Twitter)
  • Google, for its Google Maps service
  • Amplitude, the analytics tool already seen at Mapstr
  • Mixpanel is an analytics tool similar to Amplitude
  • Flurry is another analytics tool, which belongs to Yahoo (and therefore Verizon)

These companies also track you when you use Citymapper, without your consent. However, when we look at the details of the requests sent (in particular to Amplitude), Citymapper does not send your location, your name or your email address. Annoying "detail": Citymapper sends an "In Drunk Mode" event to Mixpanel and Amplitude (they apparently display the go-home button larger if you have had too much to drink):

Citymapper_Mixpanel_Drunk_mode The event sent to Mixpanel, the personal identifiers were removed, and I'm not drunk.

How do they do it? Maybe it is just based on the time, but it is not reassuring to send this information to third-party companies.