A popular analytics platform has been secretly installing root certificates on mobile devices so it can suck up users’ data from its 20 or more ad-blocker and virtual private network (VPN) mobile apps, according to a BuzzFeed News investigation.

Both Google and Apple have hosed down their app stores to cleanse them of at least some of the apps from the company, Sensor Tower, which is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps – analytics that you can sample in its Twitter postings.

The apps, which have more than 35 million downloads, neither let users know about their connection to Sensor Tower nor reveal that their data is being gobbled up by its products.

Some of the apps are no longer available, but BuzzFeed News said it recently traced a handful of apps in the Google Play store to Sensor Tower, including Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus. Two of the apps – Adblock Focus and Luna VPN – were also available in Apple’s App Store. After BuzzFeed News contacted Apple, the company removed Adblock Focus. Similarly, Google removed Mobile Data after getting a heads-up. Both companies have said that their investigations are ongoing.

BuzzFeed News says that it managed to hunt down the apps’ owner after discovering code authored by developers who work for Sensor Tower. One clue was an online résumé belonging to a Sensor Tower developer that says he built “Android apps to power the Sensor Tower analytics platform.” His GitHub username shows up in the code of multiple apps. Another Sensor Tower developer says, on his personal site, that he’s…

“Working on awesome top secret iOS Projects.”

So much for trying to block ads

After they’re installed, the VPN and ad-blocker apps prompt users to install a root certificate. Once a phone trusts that root, whoever holds its private key can issue certificates that the phone will accept for any website, which means the encrypted traffic and data passing through the phone can be decrypted and read by the certificate issuer. Sensor Tower says it only collects “anonymised” usage and analytics data that it integrates into its products.

If that sounds like a consolation, think again: a recent study showed that it’s even easier to identify people from their anonymised data than was previously assumed. That’s saying a lot, given that we’ve known for years that surprisingly accurate inferences can be made about shoppers, even from their extremely vague purchasing data.

Randy Nelson, Sensor Tower’s head of mobile insights, told BuzzFeed News that the company kept its ownership of the apps hush-hush “for competitive reasons.” He says that Sensor Tower is now taking steps to make its connection to the apps “perfectly clear.”

Nelson said that the “vast majority” of the apps cited in the investigation are now defunct, while a few are “in the process of sunsetting.”

Sure, many are now defunct – mostly because their policy violations got them yanked. Apple removed a dozen from its App Store, an Apple spokesperson said. The company removed Adblock Focus after BuzzFeed got in touch and said that as of Monday, it was still investigating Luna VPN.

Both Google and Apple restrict the installation of root certificates, given the security risks they pose. BuzzFeed News says that Sensor Tower’s apps sidestep those restrictions by prompting users to install a certificate through an external website after the app is downloaded, rather than from within the app itself.
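The defender’s side of this is worth spelling out. Since Android 7.0, apps that target API level 24 or higher do not trust user-installed root certificates by default, and an app can state that explicitly with a Network Security Config. The file below is an added example written for this article, not code from Sensor Tower, from any of the apps named, or from Sophos; it assumes an app with a backend at the placeholder domain api.example.com, and the pin values are made-up placeholders that a real app would replace with the SHA-256 hashes of its own certificate public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, hypothetical app).
     Reference it from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>

    <!-- Trust only the platform's built-in CA store. A root certificate that a
         user was talked into installing (the mechanism described above) is NOT
         in this set, so TLS connections made by this app will fail instead of
         being silently decrypted by whoever holds that root's private key. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Belt and braces for the app's own backend: pin the expected public
         keys, so even a certificate chaining to a *system* CA is rejected if
         it is not one of ours. Both digests below are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2099-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for key rotation, also a placeholder -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

Two caveats follow from this. First, the config protects only the app that ships it: a web browser, or an app that still targets an older API level or deliberately adds `<certificates src="user" />` to its trust anchors, will go on trusting the installed root, and that is exactly the traffic a certificate-installing “VPN” gets to read. Second, on the iOS side a root certificate delivered through a profile is not fully trusted for TLS until the user additionally enables it under Certificate Trust Settings, so the prompt to install a certificate is usually only the first of the steps a user is being walked through.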

There’s no such thing as a free lunch

This riddle has been posed, and answered, in the past: When is a VPN not private?

Usually, when you’re not paying for it.

Granted, maybe that’s not true all the time – Opera, for example, brought back its free VPN service to its Android browser a year ago.

But we’ve seen “free” VPNs make money off users in other ways. In the case of Hotspot Shield, that meant being required to look at ads or having at least some of your personal data – location, browsing habits, purchasing history, etc. – collected and sold to third parties for marketing. In August 2017, such practices led to a complaint being issued against the company with the US Federal Trade Commission (FTC) over “unfair and deceptive trade practices”.

As well, in May 2019, the US Department of Homeland Security (DHS) warned that foreign adversaries are interested in exploiting VPN services. In other words, foreign spies might be hiding in your VPN.

We’ve said it before, and we’ll say it again. In the words of Naked Security’s Paul Ducklin, there’s nothing magical about VPNs:

A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.

Swap the phrase “ad-blocker app” or “any supposedly free app at all” for “VPN,” and the equation resolves, once again, to “beware.”


Beratung Consulting

Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.