Mapstr: the address sharing app that leaks your name and geolocation

Particular attention should be paid to applications that geolocate you

Published by Pixel de Tracking on March 1, 2020

Applications that geolocate you: a significant risk for privacy

Although tracking by companies you've never heard of is widespread on the web, it is possible to limit it:

  • Via a browser with protective measures such as Safari, Firefox or Brave
  • Via an adblocker like uBlock Origin
  • By blocking third-party cookies, or deleting cookies regularly
  • Using private browsing

In applications, it is much more difficult: options exist but are hard to implement (cf. installing a specialized VPN on iOS). Apple, then Google, opened Pandora's box with their respective app stores, allowing application developers to access very personal data (geolocation, microphone, contacts, etc.).

This access is very often legitimate (Instagram needs access to your camera to function, Google Maps is more useful if it has access to your geolocation, etc.), and you can choose to accept or refuse an application's access to a category of data (example: geolocation). But you are probably unaware that this information can be transmitted to third-party companies via SDKs: third-party code installed directly in the application, the equivalent of third-party JavaScript in web applications.

Your geolocation is very sensitive data: knowing it allows someone to trace your life, to know where you sleep, where you work, your movements, etc. On this subject, read this excellent investigation from the New York Times, based on a gigantic data leak (12 million Americans including Donald Trump) from a personal data reseller.

An example with Mapstr, an address sharing app

Wanting to check how the applications I use respect my privacy, I looked at the requests sent by the Mapstr app on my iPhone. Mapstr is a French application that allows me to save good addresses of restaurants and bars on a map; it also gives me access to my friends' good tips.

First of all, auditing requests sent by an application is not as simple as in a computer browser. So I had to go through Charles Proxy, a paid app (€9.99) which acts as an internal VPN to intercept requests sent by your smartphone. Here is the protocol followed:

  • Close the various background applications
  • Launch the Charles Proxy app and enable tracking
  • Launch Mapstr and browse the application
  • Then export the log of your session if you wish to study it more comfortably on your computer (the Charles Proxy app for computer is free in the basic version)
  • Look at the domains the requests are sent to; it's informative

[Screenshot: tracking_mapstr]

Several surprises:

  • Mapstr sends many requests to Facebook (without my geolocation). Facebook offers many services to applications, so it is difficult to know which service Mapstr uses (here are the different methods offered by Facebook's Graph API). It nevertheless seems that Mapstr uses Facebook's Analytics services: I see "activities" and "user_properties" events happening. My Mapstr navigation enriches the information that Facebook holds about me (even if in this case, I do not have a Facebook account). Problem: I never consented to Facebook tracking me on Mapstr.
  • Mapstr sends my geolocation to Kapten and Citymapper. Why? By digging into the app, I found that I can ask Mapstr for directions to an address; Mapstr will then indicate how long the journey takes by Uber, Kapten or via Citymapper and Google Maps. Problem: Mapstr sends my geolocation to these companies without me asking for directions; it could wait a bit. However, it seems that no identifier was passed in these requests, so the information leak is limited (especially since I have installed these applications).
  • More seriously, Mapstr sends a lot of information, including my geolocation, my name and my email address, to Amplitude. My most personal data is thus sent with my name to an American company with which I have no connection. What is the benefit for Mapstr? Amplitude is an analytics solution, which does not need my name, my email, or my geolocation to function properly.
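An added example, not part of the original article and not code from Mapstr or Charles Proxy: one way to study an exported session on a computer, assuming it is available in HAR (HTTP Archive) format. It lists every third-party host contacted and which of your own markers (name, email, a coordinate prefix) appear in the requests sent to it; all hosts, identities and coordinates below are constructed placeholders, and `audit`, `flatten` and `request_values` are hypothetical helper names.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit
# Constructed sample in HAR layout plus the markers to search for; all values are placeholders.
EVENT = [{"profile": {"name": "Jane Doe", "email": "jane@example.org"}, "lat": 48.8566}]
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.app.example/places?lat=48.8566&lng=2.3522"}},
    {"request": {"url": "https://rides.example.net/eta?start_lat=48.8566&start_lng=2.3522"}},
    {"request": {"url": "https://analytics.example.com/track", "postData": {
        "mimeType": "application/x-www-form-urlencoded",
        "text": urlencode({"e": json.dumps(EVENT)})}}},
    {"request": {"url": "https://graph.social.example/activities", "postData": {
        "mimeType": "application/json", "text": '{"event": "app_open"}'}}},
]}}
MARKERS = {"name": "Jane Doe", "email": "jane@example.org", "geolocation": "48.85"}

def flatten(value):
    """Yield every scalar as text, decoding JSON documents carried inside strings."""
    if isinstance(value, str) and value[:1] in ("[", "{"):
        try:
            value = json.loads(value)
        except ValueError:
            pass  # not JSON after all: keep it as plain text
    if isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from flatten(item)
    else:
        yield str(value)

def request_values(request):  # query-string and body values of one HAR request
    pairs = parse_qsl(urlsplit(request["url"]).query)
    body = request.get("postData", {})
    text, form = body.get("text", ""), "x-www-form-urlencoded" in body.get("mimeType", "")
    pairs += parse_qsl(text) if form else [("body", text)]
    return [t for _, value in pairs for t in flatten(value)]

def audit(har, markers, first_party):
    """Map each third-party host to the marker labels found in requests sent to it."""
    found = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue
        labels = found.setdefault(host, set())  # keep hosts that matched nothing, too
        for text in request_values(entry["request"]):
            labels.update(k for k, v in markers.items() if v.lower() in text.lower())
    return {host: sorted(labels) for host, labels in found.items()}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_HAR, MARKERS, "app.example"), indent=2))
```

The coordinate marker is a prefix because SDKs send positions at varying precision; a host listed with an empty result was contacted but carried none of the markers.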

Note that I had previously indicated in the iOS settings that I wanted limited advertising tracking (but Mapstr does not take this into account).

[Screenshot: limited_advertising_tracking]

To transmit all this personal data, Mapstr needs my consent, which it seems to have forgotten.

Consent management on Mapstr

When you install the Mapstr app, you are greeted with this screen:

[Screenshot: Home_Mapstr]

In very small letters, you can read: "By registering you accept our Terms of Use". Obviously no one is going to click on it; however, we can read this:

Mapstr reserves the right to collect various nominative and non-nominative data, in particular through the collection of cookies, in an effort to improve the customer experience and ergonomics on the application and the Services, statistical analyzes and personalization of the Services.

This is about analytics and personal data. But Mapstr does not specify that it sends this personal data to a third party (Amplitude), and that it also sends them your geolocation.

Once you have created an account, you can access the privacy policy, written in English. It is stated that:

  • Mapstr uses your data, among other things, for statistical purposes ("to carry out statistics") and to improve its application ("to improve our service").
  • The legal basis is the acceptance of the famous Conditions of Use.
  • The collected data listed is as follows: "your name, surname, possibly your Facebook username, profile picture, friends’ name, as well as your language and country." In reality, you transmit much other information to Mapstr and Amplitude, including your geolocation (but also your telephone operator, your smartphone model, etc.).
  • Who is the receiver of your data? Here again Mapstr is very vague, still not indicating that it transmits certain personal information to third parties: "We do not resell your personal data. The business model of the Mapstr application is by no means based on the sale of your personal data to third parties. In this respect, the only persons authorized to use your data are Hulab employees as part of your use of the Mapstr application"
  • Is your data transferred outside the European Union? Here the lie is clear. Mapstr indicates that it does not transmit your data outside the European Union: "None of your data is transferred outside the European Union and our servers are located within the territory of the EU." Facebook and Intercom are American companies.

Is this negligence on the part of Mapstr? This is likely, but in the absence of sanctions from the CNIL, the pressure to respect the privacy of Internet users is low. What about other apps that need your geolocation?

Another test with Citymapper

Following the Mapstr test, I wanted to see how Citymapper managed my personal data, since I use the app regularly for my travels. Via Charles Proxy, here are the domains of the requests sent:

[Screenshot: citymapper_queries]

Several trackers are still present:

  • Crashlytics allows you to monitor bugs and application crashes; this tool belongs to Google (which bought it from Twitter)
  • Google, for its Google Maps service
  • Amplitude, the analytics tool already seen at Mapstr
  • Mixpanel is an analytics tool similar to Amplitude
  • Flurry is another analytics tool, which belongs to Yahoo (and therefore Verizon)

These companies also track you when you use Citymapper, without your consent. However, when we look at the details of the requests sent (in particular to Amplitude), Citymapper does not send your geolocation, your name or your email address. An annoying "detail": Citymapper sends an "In Drunk Mode" event to Mixpanel and Amplitude (they would display the go home button bigger if you've had too much to drink):

[Screenshot: Citymapper_Mixpanel_Drunk_mode] The event sent to Mixpanel; the personal identifiers were removed, and I'm not drunk.

How do they do it? Maybe it's just based on the time, but it's not reassuring to send this information to third-party companies.