VPN and ad-blocking apps are allegedly harvesting user data

Popular VPN and ad-blocking apps made by Sensor Tower are ‘secretly harvesting data from millions of iOS and Android users’, report claims

  • US firm Sensor Tower has allegedly been harvesting data from users of its apps 
  • It allegedly bypasses root certificate privilege restrictions set by Apple, Google
  • These VPN and ad-blockers collectively have more than 35 million downloads

An analytics firm that owns at least 20 apps on the App Store and Google Play Store has been harvesting millions of people’s data, according to media reports.

San Francisco-based analytics firm Sensor Tower has been taking personally identifiable information from users of VPN and ad-blocking apps that the company owns, reports BuzzFeed.

These apps – which don’t reveal any connection to Sensor Tower, nor that they feed user data to the firm – collectively have more than 35 million downloads. 

Sensor Tower has owned at least 20 Android and iOS apps, including Adblock Focus, for removing unwanted ads, and Luna VPN for ‘private browsing’ on Android and iOS.

It’s unknown what the personally identifiable information relates to specifically.

In a statement to MailOnline, Sensor Tower denied the claims in the report.  

Sensor Tower has owned at least 20 Android and iOS apps, including Luna VPN – ‘the #1 rated VPN on mobile’

Once installed, Sensor Tower’s apps prompt the user to install a root certificate, which gives its issuer – a certificate authority, in this case Sensor Tower – access to traffic and data that pass through the phone.

Armando Orozco, an Android analyst for Malwarebytes, told BuzzFeed that giving root privileges to an app exposes a user to significant risk.

‘Your typical user is going to go through this and think, “Oh, I’m blocking ads”, and not really be aware of how invasive this could be,’ he said.

Sensor Tower allegedly bypasses the root certificate privilege restrictions that Apple and Google have set in the interest of the user.

Sensor Tower does this by prompting users to install a certificate through an external website after one of its apps is downloaded, the report claims.

For example, smartphone users who have just downloaded Luna VPN can block ads on YouTube if they add an Adblock extension – another Sensor Tower product – and this results in a root certificate installation, it says.  

A dozen of the Sensor Tower apps were previously removed from the iOS App Store due to ‘violations’, an Apple spokesperson told BuzzFeed.

This includes Adblock Focus, while another, Mobile Data, was removed from the Google Play store, it claims.

In a statement to MailOnline, Sensor Tower denied the suggestion that it collects or stores personally identifiable information.

‘Based on the way our apps are designed, such data is separated before we could possibly view or interact with it, and all we see are ad creatives being served to users,’ said Randy Nelson, head of mobile insights at Sensor Tower. 

‘What we do store is extremely high level, aggregated advertising data that may demonstrate trends that we share with customers.’ 

Nelson said that the firm’s privacy policy follows best practices and makes its ‘data use clear’. 

‘We want to reiterate that our apps do not collect any PII, and therefore it cannot be shared with any other entity, Sensor Tower or otherwise.’

‘We’ve made this very clear in our privacy policy, which users actively opt into during the apps’ onboarding processes after being shown an unambiguous disclaimer detailing what data is shared with us.’

‘As a routine matter, and as our business evolves, we’ll always take a privacy-centric approach to new features to help ensure that any PII remains uncollected and is fully safeguarded.’