Profile picture
, 7 tweets, 3 min read
My Authors
Read all threads
For more than a year, 1200+ apps installed on hundreds of millions of iPhones and iPads contained malicious software operated by a shady adtech/data company that spied on users in order to steal ad revenue from competitors, according to security firm Snyk:
snyk.io/blog/sourmint-…
App vendors integrated this software/SDK by Mintegral, a Chinese adtech firm owned by Mobvista, another adtech firm, to earn money through ads.

Many iOS apps are affected, from dating to games, also very popular ones like Helix Jump, Subway Surfers and PicsArt. And their users.
For more than a year, 1200 app vendors: 🙈🙉🙊

Mediation platforms including Twitter's MoPub, who helped embedding Mintegral 🙈🙉🙊

Apple: "no evidence that users have been harmed" 🙈🙉🙊

Industry associations: fighting against any regulation 🙈🙉🙊

forbes.com/sites/johnkoet…
I admit, it's not easy to uncover personal data harvesting and fraudulent activities by apps or embedded third-party code, especially when obfuscated and when it is turning itself off when being examined.

Anyway, you'll never know what is happening on their servers.
When I was examining the apps Cleanmaster and My Talking Tom 2 a year ago together with Forbrukerradet and Mnemonic, both contained the Mintegral SDK, but it didn't trigger any data transmission.

We didn't have the resources to go beyond a 'rooted device + proxy' testing setup.
We observed 10 apps sending 88000+ HTTP requests to 216 hosts owned by at least 135 companies, in many cases breaking EU data protection law.

I think, what we found is only the tip of the iceberg. Many SDKs didn't show any activity during our examination.
It's a systemic problem. I think *the majority* of apps available in Google/Apple's app stores today are violating EU data protection law by transmitting personal data to third parties without a lawful basis in some way, not to mention outright malicious or fraudulent activities.
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Wolfie Christl

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @WolfieChristl see all

Profile picture
Wolfie Christl
@WolfieChristl
When the data industry is talking about sharing 'anonymized' profile data:

They do indeed not share email addresses, for example. But they share hashed versions of it, and they all use THE SAME hash function, and can thus still monitor and act on people across the digital world.
Calling this kind of personal data sharing 'anonymized' is corporate misinformation. A whole industry has been built on this lie.

Many still don't understand that.

Also, the question of whether or not you can reverse the hash is irrelevant, if everyone uses the same function.
Of course, hashed IDs can also be based on phone numbers or other data.

There are more complex versions of this, e.g. hashing the hashes, using temporary IDs and later match it to persistent ones, linking/matching chains of identifiers, using salted hashes for sub-purposes etc.
Read 20 tweets
Profile picture
Wolfie Christl
@WolfieChristl
Remember the debate about eBay port scanning visitors?

Turns out this was about ThreatMetrix, a fraud/identity analytics firm. The CIA was an early investor. Now owned by a massive data broker. FB and thousands of other companies are sending data to them. blog.nem.ec/2020/05/24/eba…
ThreatMetrix is owned by LexisNexis Risk Solutions / RELX.

Together, they claim to have data on hundreds of millions of people including names, addresses, phone numbers, email addresses, insurance records, criminal records and data on 4.5 billion devices.
relx.com/~/media/Files/…
I wrote about LexisNexis in 2016 (crackedlabs.org/dl/Christl_Spi…), about ThreatMetrix in 2017 (crackedlabs.org/dl/CrackedLabs…).

Many companies are harvesting data for marketing and advertising. Data collection for risk/fraud/identity stuff is even more pervasive, secretive and unaccountable.
Read 20 tweets
Profile picture
Wolfie Christl
@WolfieChristl
If you visit 450 pages on 15 major health, education and news sites, 1121 third parties set 891772 cookies. Visiting health sites first maximizes the chance that data brokers can track you across sites.

Excellent study by @idonibrasco, @HNissenbaum et al: news.cornell.edu/stories/2020/0…
Using personal identifiers stored in third-party cookies to monitor, follow and profile people across sites may have an expiration date, but it's more prevalent than ever.

I think, examining cross-context ID in this way, presented at the @FTC's #PrivacyCon today, is very useful.
Observing the same personal identifier (aka pseudonymous cookie ID) across two websites proves that both sites help a third party to recognize a user again, and thus facilitate personal data sharing.

EU data protection authorities must adopt this methodology to gather evidence.
Read 13 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!