Popular Crypto App Found to Have Ties to Data Tracking Company: Report

Android versions of popular cryptocurrency app Bitcoin Ticker Widget and a seeming clone of Steemit, Steemit Earn Money, included software development kit (SDK) tools that have extracted extensive data on users in the past and are potentially linked to location tracking code from X-Mode, a notorious data tracking company, according to a new report from ExpressVPN Digital Security Lab. Two other personal finance apps have also been found to contain these data trackers.

“We wanted to say to consumers: ‘This is a huge problem; you may not be aware of it,’” said Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab. “Even though these apps aren’t all huge brands, these apps have been downloaded 1.7 billion times, collectively, and millions of times for each individual app. They’re running on people’s phones in their pockets. People are using them for dating and social and finances but they’re not fully aware of the amount of data that’s being scooped up.”

Scooping personal data

While there are many companies that buy and sell access to location data harvested from unsuspecting people’s phones, X-Mode has come under scrutiny after its ties to government contractors and the military were revealed. 

In November 2020, Vice reported X-Mode was getting detailed location data back from multiple Muslim prayer apps, then selling that data “to contractors, and by extension, the military.” 

This new report, a far more extensive inquiry into this issue, found X-Mode code was in 44% of the 450 apps they analyzed, and those apps had been downloaded at least a billion times. 

“These apps are global and include health as well as weather apps, games and makeup photo filters,” reads the report.

While Steemit Earn Money has only been downloaded about 100 times, Bitcoin Ticker Widget has been downloaded over 1 million times. 

In December, Apple and Google told developers to remove X-Mode from their apps or be banned from their app stores, but by the end of January, the report found, many apps had not yet complied, which was confirmed by TechCrunch in at least one case.

Overall, the study examined 450 Android apps for data trackers. 

X-Mode’s SDKs and data brokers

SDKs are foundational tools that make it quicker and easier for developers to make apps. That being said, those tools can contain code that isn’t necessary to the core function of an app. This extra code can track location, extract data and generally relay information back to the creator of the SDK. That information can then be shared or sold to be used for a variety of purposes. 

When users download an app and accept its terms of service and privacy policy, they may be inadvertently opting into these forms of data collection, even if they’re not told exactly whose hands the data may end up in. These sorts of practices are common in the world of targeted advertising but, as has been previously documented, data can also end up in the hands of law enforcement (even without a warrant), bounty hunters and others.

“Inside the X-Mode SDK are code references to five data providers,” said O’Brien. “These are other entities that people loosely called ‘data brokers.’ Sometimes they’re doing actual selling of data and sometimes they’re not. While it’s somewhat complex, these five entities are basically well-known brands in this location surveillance space.”

“What seems to be occurring because of what’s in the code is that these data providers have some sort of business relationship with X-Mode, either current or prior,” said O’Brien. “And if they are enabled in these apps, then those providers are also getting some information from the app that has the X-Mode SDK.”

OneAudience, Opensignal and location data tracking

OneAudience, included in both Bitcoin Ticker Widget and Steemit Earn Money, was one “data broker” tracker referenced in X-Mode’s code as part of the SDK. It was the subject of a ban and lawsuit by Facebook over data privacy violations because of data OneAudience’s SDK was collecting. 

In February 2020 Twitter and Facebook claimed that “OneAudience had been harvesting private data, such as people’s names, genders, emails, usernames and potentially people’s last tweets” to such an extent that it has been compared to the Cambridge Analytica scandal. The SDK was shut down at the end of 2019. 

Another data tracker, Opensignal, primarily functions as a WiFi mapper, through which users’ locations can be determined. 

In its lawsuit against OneAudience, according to Recode, Facebook argued that “OneAudience also paid apps to harvest users’ Google and Twitter information when they logged into one of the compromised apps using their Google or Twitter account information.”

OneAudience, when shutting down the SDK that was the subject of the lawsuit, said, “We were advised that personal information from hundreds of mobile IDs may have been passed to our OneAudience platform. This data was never intended to be collected, never added to our database and never used.”

Opensignal’s business model, on the other hand, is primarily dependent upon its Wi-Fi mapping use case. 

“The question is, how much of the Wi-Fi data are they scooping?” asked O’Brien.

In its privacy policy, Opensignal states it gathers geolocation data, “network type, network operator, cellular and WiFi signal strength and quality, and the identifiers of connected cell towers and WiFi routers.”

OneAudience did not respond to a request for comment. Opensignal, in response to a request for comment, directed readers to its Data Privacy Charter. 

A ‘rich amount’ of personal data

Stepping back and looking at the report and network traffic from these apps, O’Brien has two big takeaways when it comes to the impact on your data privacy. 

“Usually the data is not being handled very well,” he said. “And there’s a rich amount of data that can be used as an identifier for a person that’s going through the pipe, even if location is the only named reason the data is being scooped up.”

If you choose to keep using apps like Bitcoin Ticker Widget and Steemit Earn Money, there are ways to limit their data-tracking capabilities. O’Brien said users should go into settings and check permissions for the app, especially location permissions, and revoke them.

“That may mean the app becomes less functional or displays nagging screens asking for permission,” he said. “Otherwise, unfortunately, the only other step is removing the app. If you’re a California or [European Union] resident, there may be some other steps to take regarding requesting information to be deleted or at least requesting a copy of the information they have.”




MEW now provides access to 2000 DeFi and NFT DApps on mobile

Ethereum wallet and interface MyEtherWallet, or MEW, has brought decentralized applications to its 1.3 million monthly users through a new “DApps Browser” feature in the MEW mobile app.

The collaboration with DApp analytics site DappRadar opens the door for MEW users to access more than 2,000 Ethereum-based decentralized applications, including DeFi and NFT-based protocols, directly from their smartphone.

Through the DApps Browser, users can browse, search for and interact with DeFi DApps like UniSwap, SushiSwap and Balancer to access financial services such as loans, asset swaps, and staking. They can also track their DeFi portfolios of loans and deposits.

The wallet software enables secure access, with the private key never leaving the device’s secure encrypted storage, and never shared with the DApp.

Users can also access other decentralized wallet apps including Status and Trust Wallet. While the three apps have been downloaded more than six million times combined, DappRadar reports January only saw 72,000 daily active users, leaving plenty of room for growth from MEW’s large user base.

Users can browse and search for specific DApps, and later this year it is expected that iOS users will be able to view rankings and metrics for 2000 DApps that are normally only visible through web browsers within the MEW app. These metrics are likely to include daily, weekly, and monthly active users, total value locked, and trading volumes. MEW’s Founder and CEO Kosala Hemachandra said:

“Our dedication to bringing DApps to all of our users, no matter how they choose to access them, reflects our belief that wallets can, and should, become the hub where the entire Ethereum DApp ecosystem comes together.”

The new features also enable users to access the growing non-fungible token, or NFT, sector. Although still very young, the sector grew by 10x in January to more than $33 million in value with this figure expected to rise significantly in 2021. Some NFT artworks are now selling for hundreds of thousands of dollars.

DeFi protocols accounted for 95% of the $270 billion DApp transaction volume in 2020.

Earlier this week, DappRadar identified that although Ethereum is still the top dog when it comes to active users, rising transaction fees and scalability issues are increasing the attractiveness of alternate blockchains. Fees associated with some of the more complex DeFi protocols have topped $1,000 at peak times.

However, venture capital firm Outlier Ventures reported this week that developer activity appears to be waning on older “Ethereum killer” networks in favour of Ethereum-based DeFi protocols such as Aave and Balancer.