Will Strafach @chronic
the way firms respond is very intriguing to me. for example, ASKfm indicates that they do this to improve user experience, yet the public website of one tracker (Huq) even has an earnings calculator and describes how they pay for your data.
in fact Huq is probably the most direct about buying your location data from app developers. cannot get much clearer (huq.io/publishers/). I do not think these payments are addressed at all in responses from any companies.
“we are tracking where you shop using code packaged in this app but no longer use GPS for that” seems, to me, like an extraordinarily strange rebuttal.
this is super funny to me because we list the In Use and Always justifications for the affected version (we indexed all Info.plist files for corroboration).

quick poll: does anyone think anything here would serve as “clear notice” to users?
if @HomesDotCom believes the code has been deactivated last year, this indicates something far worse: their app has been sending user locations to a third-party firm when the app is opened, without @HomesDotCom themselves being aware.

anyone with Bettercap/Burp can corroborate.
anyway, more to come in the future. just getting started.
some have been confused by the mitigations outlined at the start of guardianapp.com/ios-app-locati… so I will elaborate a bit.
while you cannot prevent things like IP address based tracking or cross-app tracking from same developer (via IDFV), if you use Limit Ad Tracking it will help mitigate broader cross-app tracking as the trackers will be unable to get your unique “ad ID” (IDFA).
the Wi-Fi SSID idea is due to the ability of an app to obtain the name of the Wi-Fi router you are connected to. some trackers collect this alongside location, so if it is unique enough of a name, you could potentially be tracked even if you later turn off Location/GPS access.
the Bluetooth one may not always be possible, but trackers like Wireless Registry will actually slurp up data about Bluetooth devices around you. I think that is super creepy and turning off Bluetooth when not in use is probably the most surefire way to mitigate.
did not have time to include this in the report, but here is a fun game: install MapQuest app and check out what it sends to 'receiver.lcoe.oath.com' (Oath) throughout all hours of the day.
for those interested, I answered some questions and added additional info here and there throughout this HN thread.

news.ycombinator.com/item?id=179385…