Facebook tracks non-users via Android Apps

New storm clouds gather over Facebook: the social network giant is accused of tracking non-users via Android apps.

According to a report presented by Privacy International yesterday at the 35C3 hacking conference held in Germany, the list of Android apps that send tracking and personal information back to Facebook includes dozens of apps, among them Kayak, Yelp, and Shazam.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system.” reads the report published by Privacy International.

“Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analyzed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

Experts at Privacy International analyzed 34 Android apps and found that at least 61 percent of them transfer data to Facebook the moment a user opens the app. Data are sent to Facebook whether people have a Facebook account or not, or whether they are logged into Facebook or not.
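An added example (not code from Privacy International or from the original article) of auditing an intercepted-traffic capture of this kind: it flags requests sent to Facebook hosts before the user has consented and computes the share of tested apps that contact Facebook at launch. The capture rows, app names, domain list and identifier field names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

FACEBOOK_DOMAINS = ("facebook.com", "facebook.net")  # assumption: audit scope
ID_FIELDS = ("advertiser_id", "anon_id")             # assumption: identifier fields to flag

# Constructed capture, one tuple per request:
# (app, seconds after launch, consent given?, URL, form-encoded body)
CAPTURE = [
    ("app-a", 0.7, False, "https://graph.facebook.com/v3.0/1000/activities",
     "event=MOBILE_APP_INSTALL&advertiser_id=00000000-aaaa&extinfo=a2"),
    ("app-a", 41.0, True, "https://graph.facebook.com/v3.0/1000/activities",
     "event=CUSTOM_APP_EVENTS&advertiser_id=00000000-aaaa"),
    ("app-b", 1.2, False, "https://api.example.org/config", ""),
    ("app-b", 30.5, True, "https://graph.facebook.com/v3.0/2000/activities",
     "event=CUSTOM_APP_EVENTS&anon_id=XZ1"),
    ("app-c", 0.3, False, "https://notfacebook.com/ping", "advertiser_id=1"),
]


def is_facebook(url):
    """True when the URL's host is a Facebook domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def pre_consent_findings(capture):
    """Map each app to the Facebook-bound requests it made before consent."""
    findings = {}
    for app, t, consented, url, body in capture:
        if consented or not is_facebook(url):
            continue
        fields = parse_qs(body)
        findings.setdefault(app, []).append({
            "t": t,
            "event": fields.get("event", ["?"])[0],
            "identifiers": sorted(f for f in ID_FIELDS if f in fields),
        })
    return findings


def share_sending_at_launch(capture, window=5.0):
    """Fraction of tested apps that contact Facebook within `window` seconds of launch."""
    apps = {row[0] for row in capture}
    early = {app for app, t, _, url, _ in capture if t <= window and is_facebook(url)}
    return len(early) / len(apps)


if __name__ == "__main__":
    print(pre_consent_findings(CAPTURE))
    print(f"{share_sending_at_launch(CAPTURE):.0%} of apps contact Facebook at launch")
```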

Some of the apps routinely send the social network data that is very detailed and sometimes sensitive.

The Android apps share information about the device being used and its language and time zone settings; they also send Facebook other sensitive data, including a woman’s period.

“If combined, data from different apps can paint a fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.” continues the report.

“For example, an individual who has installed the following apps that we have tested, “Qibla Connect” (a Muslim prayer app), “Period Tracker Clue” (a period tracker), “Indeed” (a job search app), “My Talking Tom” (a children’s app), could be potentially profiled as likely female, likely Muslim, likely job seeker, likely parent.”

Privacy International explained that hundreds of firms collect users’ data; Google and Facebook are the second ones.

The report includes a detailed analysis of each app the experts tested.

Analysis of individual apps can be found on the Privacy International website.

Privacy International researchers criticized the Facebook SDK for Android, saying that data are shared with Facebook without user consent.

Facebook denied any accusation and replied to the report highlighting that developers were responsible for configuring the apps to share or not share data.

“Facebook places a legal and contractual obligation on the developer who they see as the data controller to get the consent that it is required from users before sharing data with Facebook by the SDK,” said Frederike Kaltheuner, researcher with Privacy International.

Facebook pointed out that most developers used the SDK’s default settings, which are to share the data.

“The question [for developers] is, do you really need to integrate the SDK, and if you integrate, can you do it selectively,” Kaltheuner added. “You shouldn’t assume that the default implementation is compliance. And, whenever you do implement it be very fair and transparent to users about how exactly you’re collecting data.”

“Without any further transparency from Facebook, it is impossible to know for certain, how the data that we have described in this report is being used. This is particularly the case since Facebook has been less than transparent about the ways in which it uses data of non-Facebook users in the past.” concludes the report.

“Our findings also raise a number of legal questions.”

Pierluigi Paganini

(SecurityAffairs – hacking, privacy)