Published On: Wed, Mar 11th, 2020

Your VPN or ad-blocker app could be collecting your data

The underpinnings of how app store analytics platforms work were unprotected this week by BuzzFeed, that unclosed a network of mobile apps used by renouned analytics organisation Sensor Tower to assemble app data. The association had operated during slightest 20 apps, including VPNs and ad blockers, whose categorical purpose was to collect app use information from finish users in sequence to make estimations about app trends and revenues. Unfortunately, these sorts of information collection apps are not new — nor singular to Sensor Tower’s operation.

Sensor Tower was found to work apps such as Luna VPN, for example, as good as Free and Unlimited VPN, Mobile Data and Adblock Focus, among others. After BuzzFeed reached out, Apple private Adblock Focus and Google private Mobile Data. Others are still being investigated, a news said.

Apps’ collection of use information has been an ongoing emanate opposite a app stores.

Facebook and Google have both operated such apps, not always transparently, and Sensor Tower’s pivotal opposition App Annie continues to do a same today.


For Facebook, a 2013 merger of VPN app builder Onavo for years served as a rival advantage. The trade by a app gave Facebook discernment into that other amicable applications were flourishing in recognition — so Facebook could presumably counterpart their facilities or acquire them outright. When Apple finally booted Onavo from a App Store half a decade later, Facebook simply brought behind a same formula in a new coupling — afterwards called a Facebook Research app. This time, it was a bit some-more pure about a information collection, as a Research app was indeed profitable for a data.

But Apple kicked out that app, too. So Facebook final year launched Study and Viewpoints to serve a marketplace investigate and information collection efforts. These apps are still live today.


Google was also held doing something identical by proceed of a Screenwise Meter app, that invited users 18 and adult (or 13 if partial of a family group) to download a app and attend in a panel. The app’s users authorised Google to collect their app and web use in sell for present cards. But like Facebook, Google’s app used Apple’s Enterprise Certificate module to work — a defilement of Apple slight that saw a app removed, again following media coverage. Screenwise Meter returned to a App Store final year and continues to lane app usage, among other things, with panelists’ consent.

App Annie

App Annie, a organisation that directly competes with Sensor Tower, has acquired mobile information companies and now operates a possess set of apps to lane app use underneath those brands.

In 2014, App Annie bought Distimo, and as of 2016 has run Phone Guardian, a “secure Wi-Fi and VPN” app, underneath a Distimo brand.

The app discloses a attribute with App Annie in a App Store description, though stays deceptive about a loyal purpose:

“Trusted by some-more than 1 million users, App Annie is a heading tellurian provider of mobile opening estimates. In short, we assistance app developers build improved apps. We build a mobile opening estimates by training how people use their devices. We do this with a assistance of this app.”

In 2015, App Annie acquired Mobidia. Since 2017, it has operated real-time information use guard My Data Manager underneath that brand, as well. The App Store outline usually offers a same deceptive disclosure, that means users aren’t expected wakeful of what they’re identical to.


The problem with apps like App Annie’s and Sensor Tower’s is that they’re marketed as charity a sold function, when their genuine purpose for existent is wholly another.

The app companies’ invulnerability is that they do divulge and need agree during onboarding. For example, Sensor Tower apps categorically tell users what is collected and what is not:

App Annie’s app offers a identical disclosure, and takes a additional step of identifying a primogenitor association by name:

App Annie also says a apps can continue to be used even if information pity is incited off.

Despite these opt-ins, finish users might still not know that their VPN app is indeed tied to a most incomparable information collection operation, however anonymized that information might be. After all, App Annie and Sensor Tower aren’t domicile names (unless you’re an app publisher or marketer.)

Apple and Google’s responsibility 

Apple and Google, let’s be fair, are also culpable here.

Of course, Google is some-more pro-data collection given of a inlet of a possess business as an advertising-powered company. (It even marks users in a genuine universe around a Google Maps app.)

Apple, meanwhile, markets itself as a privacy-focused company, so is honourable of increasing scrutiny.

It seems infinite that, following a Onavo scandal, Apple wouldn’t have taken a closer demeanour into a VPN app difficulty to safeguard a apps were agreeable with a manners and pure about a inlet of their businesses. In particular, it seems Apple would have paid tighten courtesy to apps operated by companies in a app store comprehension business, like App Annie and a subsidiaries.

Apple is certainly wakeful of how these companies acquire information — it’s common attention knowledge. Plus, App Annie’s acquisitions were publicly disclosed.

But Apple is conflicted. It wants to strengthen app use and user information (and be known for safeguarding such data) by not providing any broader app store metrics of a own. However, it also knows that app publishers need such information to work competitively on a App Store. So instead of being active about unconditional a App Store for information collection utilities, it stays reactive by pulling name apps when a media puts them on blast, as BuzzFeed’s news has given done. That allows Apple to contend a deceive of innocence.

But pulling user information directly stealthily is usually one proceed to operate. As Facebook and Google have given realized, it’s easier to run these sorts of operations on a App Store if a apps usually say, basically, “this is a information collection app,” and/or offer remuneration for appearance — as do many selling investigate panels. This is a some-more pure attribute from a consumer’s viewpoint too, as they know they’re identical to sell their data.

Meanwhile, Sensor Tower and App Annie aspirant Apptopia says it tested afterwards scrapped a possess ad blocker app around 6 years ago, though claims it never collected information with it. It now favors removing a information directly from a app developer customers.

“We can quietly state that 100% of a exclusive information we collect is from common App Analytics Accounts where app developers proactively and categorically share their information with us, and give us a right to use it for modeling,” settled Apptopia co-founder and COO, Jonathan Kay. “We do not collect any information from mobile panels, third-party apps or even during a user/device level.”

This complement (which is used by a others as well) isn’t indispensably a resolution for finish users endangered about information collection, as it serve obscures a collection and pity process. Generally, consumers don’t know that app developers are pity this data, what information is being shared, or how it’s being utilized. App information of this inlet isn’t on a user turn (meaning it’s not personal data), though it’s still about stating behind to a developer things like installs, daily and monthly users, and revenue, among other things. (Fortunately, Apple allows users to invalidate a pity of some evidence and use information from within iOS Settings.)

Data collection finished by app analytics firms is usually one of many, many ways that apps trickle data, however.

In fact, many apps collect personal information — including information that’s distant some-more supportive than anonymized app use trends — by proceed of their enclosed SDKs (software growth kits). These collection concede apps to share information with countless record companies, including ad networks, information brokers and aggregators, both vast and small. It’s not illegal, and mainstream users substantially don’t know about this either.

Instead, user recognition seems to stand adult by swindling theories, like “Facebook is listening by a microphone,” but realizing that Facebook collects so most information it doesn’t unequivocally need to do so. (Well, solely when it does).

In a arise of BuzzFeed’s reporting, Sensor Tower says it’s “taking evident stairs to make Sensor Tower’s tie to a apps ideally clear, and adding even some-more prominence around a information their users share with us.”

Google isn’t providing an central comment. Apple didn’t respond to requests for comment.

Sensor Tower’s full matter is below:

Our business indication is predicated on high-level, macro app trends. As such, we do not collect or store any privately identifiable information (PII) about users on a servers or elsewhere. In fact, formed on a proceed a apps are designed, such information is distant before we could presumably perspective or correlate with it, and all we see are ad creatives being served to users. What we do store is intensely high level, many-sided promotion information that might denote trends that we share with customers.

Our remoteness slight follows best practices and creates a information use clear. We wish to echo that a apps do not collect any PII, and therefore it can't be common with any other entity, Sensor Tower or otherwise. We’ve done this really pure in a remoteness policy, that users actively opt into during a apps’ onboarding processes after being shown an evident disclaimer detailing what information is common with us. As a slight matter, and as a business evolves, we’ll always take a privacy-centric proceed to new facilities to assistance safeguard that any PII stays uncollected and is entirely safeguarded.

Based on a feedback we’ve received, we’re holding evident stairs to make Sensor Tower’s tie to a apps ideally clear, and adding even some-more prominence around a information their users share with us.

App Annie common a next statement, referencing a base certificate installations mentioned in a BuzzFeed article. (On iOS devices, VPN certificates don’t get full base access, however):

App Annie does not use base certificates during any indicate in a information collection process.

App Annie discloses that when users opt into information collection (and information pity is not imperative to use a apps), information will be common with App Annie for a functions of formulating marketplace research. We usually collect information after users specifically agree to this collection within a apps. We are really transparent, both on a app stores and in a apps themselves and clearly bond App Annie to a mobile apps.


About the Author