Apps Can Track Your Every Move Even After Uninstalling Them in iOS and Android

Discussion in 'HardForum Tech News' started by cageymaru, Oct 22, 2018.

  1. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,457
    Joined:
    Apr 10, 2003
    The intentions of app developers are difficult to gauge sometimes. They can invent wonderful software that makes you wonder how you ever lived without it, or they can create privacy nightmares at the same time. Adjust, AppsFlyer, MoEngage, Localytics, and CleverTap are app developers that offer uninstall trackers that remind you of long uninstalled apps. They will remind you of a new updates to T-Mobile, Spotify, Yelp and more as they pester you with notifications as to why you should reinstall those apps ASAP!

    They can remind you over and over again as you visit websites because they exploit the push notification services built into iOS and Android. The push notifications were meant to let you know that you have a new email or update without bothering you. The creators of the uninstall tracker apps say that they are meant to gauge user reaction to app updates and changes. They can do this because users gave their permission to freely use their data long ago. Apple and Google had no comment when asked if this was the intended usage of push notifications.

    Developers have always been able to use so-called silent push notifications to ping installed apps at regular intervals without alerting the user--to refresh an inbox or social media feed while the app is running in the background, for example. But if the app doesn't ping the developer back, the app is logged as uninstalled, and the uninstall tracking tools add those changes to the file associated with the given mobile device's unique advertising ID, details that make it easy to identify just who's holding the phone and advertise the app to them wherever they go.
     
  2. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,710
    Joined:
    Oct 29, 2000
    So, it sounds to me like the following is going on:

    1.) They know who you are (because they collected your data in the past)

    2.) They know you have stopped using their app because of this push exploit

    3.) They want you back, so they are now targeting your unique and I'd with targeted ads to get you back


    I hate this, but it is nowhere near as bad as I first suspected when I read the headline.
     
  3. scojer

    scojer 2[H]4U

    Messages:
    3,893
    Joined:
    Jun 13, 2009
    Tools like this are making us a soociety that will Obey, consume, reproduce, and conform.
     
  4. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,457
    Joined:
    Apr 10, 2003
    Say that you had an app that was reported as a security risk. You as an intelligent and informed consumer uninstall it. But now with the new uninstall tracking technology, they can still track your every move. They can read your gyro data to find out what time that you pick up your phone to leave the house. They can still track every nuance of your life just like their app was doing before when it was installed on your phone. But now you don't know about it; other than some annoying advertising that keeps trying to get you to install it again.

    I think that is pretty darn sinister and unwanted.
     
  5. Darth Ender

    Darth Ender Limp Gawd

    Messages:
    130
    Joined:
    Oct 11, 2018
    They can't do anything with your phone data in that way.

    My understanding is that the push notification doesn't get a response. So they use their stored info on you regarding your advertising ID to then harass you with "uninstall trackers" that are basically advertising scripts they have distributed in their ad networks on normal webpages and other apps to re-install the app that you uninstalled.

    If you uninstall an app, there's nothing left on the phone from that app to continue to do the developer's bidding. The OS doesn't just hand over info to any random push notifciation that comes it's way. They are operating off of the non-response and previously stored info. That's it.
     
  6. McCartney

    McCartney Gawd

    Messages:
    861
    Joined:
    Mar 6, 2006
    so apps are clay aiken-ing us?

    big surprise

    "if i was invisible...
    i'd just watch you in your room"


    is now

    "i am invisible...
    and i just watch you in your room"

    ;)


    edit: it used to be "bono, you are the record"
    now it's: "people, you are the product!"
     
    Last edited: Oct 22, 2018
  7. Ocellaris

    Ocellaris Ginger @le, an alcoholic's best friend.

    Messages:
    18,776
    Joined:
    Jan 1, 2008
    ...and this is one of the many reason why people block ads.

    Also note on iOS you can reset you tracking identifier at any time with a couple of clicks.

    E545279F-5274-4594-829B-30D89ADA01EB.png
     
    Armenius, whatevs and DocNo like this.
  8. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    12,358
    Joined:
    Oct 7, 2000
    was alex jones right again?
     
  9. cageymaru

    cageymaru [H]ard as it Gets

    Messages:
    19,457
    Joined:
    Apr 10, 2003
    But if the app doesn’t ping the developer back, the app is logged as uninstalled, and the uninstall tracking tools add those changes to the file associated with the given mobile device’s unique advertising ID, details that make it easy to identify just who’s holding the phone and advertise the app to them wherever they go.

    So it can determine who is holding the phone and obviously has access to the gyro and GPS to be able to tell that it has been moved. It can send notifications. But you're saying that it is just an ad for the app and they can't access more with the uninstall tracking apps still installed on the system?

    Some providers say these tracking tools are meant to measure user reaction to app updates and other changes. Jude McColgan, chief executive officer of Boston’s Localytics, says he hasn’t seen clients use the technology to target former users with ads. Ehren Maedge, vice president for marketing and sales at MoEngage Inc. in San Francisco, says it’s up to the app makers not to do so.

    Note it is not up to the consumer to choose advertising or not. When you signed over your rights for access to Spotify, they immediately shared it with all of their partners that make the app run. So you shared your data with numerous companies. Way more than just "Spotify."


    But I hope you're right. Uninstalling the main app just gives the uninstall tracking apps access to your system for life so that they can annoy the hell out of you with advertising.
     
    lostin3d likes this.
  10. Darth Ender

    Darth Ender Limp Gawd

    Messages:
    130
    Joined:
    Oct 11, 2018
    The author of this story is making some implications ....and it sounds like something literal.

    The developer can't tell who is holding the phone via some kind of account info that they receive from this push notification. No data is replied to the developer when they ping the phone. What they do know is who's account was associated with the advertising id that was registered to their previously installed app. So they know if they ping the id, and no response is given, then that user is using the device. The same way they would know a particular user is using the device when the app is still installed and responds. So you can imply that information from the non-response in almost the same way as you'd be able to know from an actual response if the app had still been installed. You can glean only the info you'd be able to know from not receiving any info directly at all.

    Ping and get no error, you may be able to tell that the ID is still valid and active but your app associated with this ID is not installed ( so you still know everything you collected about that ID + that they uninstalled your app).
    Ping and get an error, you know that this ID is not valid because the user either cancelled their google account or changed their ID some other way (so you basically have to hope to associate this old data with a new ID if you can collect that info and match up enough fields with a new ID)
    Ping and get a response, you know they still have your app installed on this ID.

    Also, this is not a tracking app that exists on the user's device. Uninstall trackers exist on the webpage and other apps and is a term being used to describe code that reacts to the non-response of a push notification and uses that info to make a decision. The article makes it sound like these are residual apps on your phone or living in your browser cache. That's not what they are. They're regular ad tracking code that exists everywhere you browse ...it's just coded to react to your status of having something uninstalled ...as noted by the app developer's push notification code not getting a response from you.


    Just note, most app developers dont rock their own advertising trafficking and tracking setup. They're using a much bigger company that is way more difficult to block out completely anyway. Like google, facebook or amazon. So even if you uninstall the app, the ad network is still directly talking to your device via one of the dozen other apps that are still installed and associated with that advertiser. This is less about advertising privacy and more about app developers harassing ex-users of particular apps into either using that app or using some other app that developer is pushing.
     
    Armenius, Spidey329 and cageymaru like this.
  11. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    27,710
    Joined:
    Oct 29, 2000

    The way I read it, once you uninstall all push uninstall tracker does is tell them you have uninstalled the app. From that point forward they can get no further information directly from your phone.

    They do still have your "anonymous" advertising id and can track some information about you collected by other apps and services via the advertising ID and can spam you to try to get you to reinstall it, again, via customized ads via that ID.
     
  12. lostin3d

    lostin3d [H]ard|Gawd

    Messages:
    1,961
    Joined:
    Oct 13, 2016
    On either side of the fence it's not looking to good regardless of what the devs can do. I really agree with the author that both Apple and Google need to step up on this.
     
  13. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,440
    Joined:
    Jul 11, 2005
    I suspect this is just an iOS thing, since you really don't get access to the system. While I doubt this is happening on Android, due to my familiarity with Linux, it'd be great if we knew for sure.
     
  14. DocNo

    DocNo Gawd

    Messages:
    654
    Joined:
    Apr 23, 2012
    Something I used to do with major updates. Time to do it again!
     
  15. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,677
    Joined:
    Dec 15, 2003
    It's web based. You could do it with a website that uses push notifications (so annoying that random sites request this). Windows, Linux, Mac .. if there's a tracking-ID and push notification for a web or native app enabled at some point (thus registering the ID), you could try and associate those data sets.

    Essentially it's just a tool that uses a non-reply error from a push notification for a known app to determine that app has been uninstalled. It then targets the ad-ID associated with the prior install with specific ads trying to get you to reinstall it.

    The article headline (on Bloomberg) makes it sound nefarious, but it's just a really long way to say it's targeted advertising.
     
  16. whatevs

    whatevs Limp Gawd

    Messages:
    199
    Joined:
    Jun 23, 2017
    Google's version of Android has had ability to reset the phones advertising ID for many versions.
    In newer versions it moved to Settings->Google->Ads->"Reset advertising ID". I think before that it was under the separate Google settings app(which is now what the launcher app is called). Before that, it was still somewhere.
     
  17. kju1

    kju1 2[H]4U

    Messages:
    3,031
    Joined:
    Mar 27, 2002
    Yes this is basically a tracking cookie on steroids. Far far from "every" move...

    Nowhere in the article did it say anything about having access to your phone after you installed the app. That is not something the phone OS permits.

    What it did say was they make a note of when the App stops reporting to them and keep your mobile advertising ID (which can be reset) and mark it for enhanced advertising.

    So no there is no way for them to track every nuance of your life or to access the various sensors in the phone.
     
    Armenius likes this.
  18. Patton187

    Patton187 Gawd

    Messages:
    670
    Joined:
    Feb 12, 2012
    As much as I like the convenience, sometimes I wish we could freeze technology at approximately 2006 or so levels.
     
  19. steakman1971

    steakman1971 2[H]4U

    Messages:
    2,433
    Joined:
    Nov 22, 2005
    I rarely download new apps. When I do, they generally do not get access to GPS or push notification unless it is something I know needs one or the other.
    We should not blindly trust any of the apps out there. Hell, even big names are blatantly spying on us. They aren't even trying to hide the fact.
     
  20. WetMacula

    WetMacula Gawd

    Messages:
    533
    Joined:
    Feb 18, 2011
    scojer likes this.
  21. xaustinx

    xaustinx [H]Lite

    Messages:
    70
    Joined:
    Aug 4, 2004
    It's funny you mention that, I was going to say that this sounds like an andriod thing, bebcause ontop of iOS keeping everything in a walled garden, every app also operates only within it's own sandbox, and isn't able to cross-communicate outside of the api's provided by apple. On top of that, specifically push notification tokens are only good until the next app or ios update. Device tokens change around every 2 years or whenever you hit the "reset advertiser id" button. All apps using APNS (apple push notification service) are required to re-register/checkto re-register with the push notification network each time the app launches because they could change for many reasons. Once an app is uninstalled, iOS send APNS a de-register command to remove that apps ability to *EVER* send your device another pushnotification. it's pretty much just invalidates the token used for that app with your device... it sounds like this tracking software is abusing the APNS registry check function combined with other normal tracking technologies to just get a little bit more information about the user and their device.
    As many people have pointed out, just reset the ad-identifier token... This isn't exactly the doom/gloom scenario it's being portrayed as. It's just annoying advertisers being annoying, and i suspect apple and google will implement further checks to ensure this type of abuse doesn't occur in the future.
     
  22. StoleMyOwnCar

    StoleMyOwnCar 2[H]4U

    Messages:
    2,147
    Joined:
    Sep 30, 2013
    I just use Brave browser, so I haven't really seen any of this...
     
  23. viscountalpha

    viscountalpha 2[H]4U

    Messages:
    2,548
    Joined:
    Oct 16, 2011
    Have you watched any of the show The prisoner? It's scary.
     
    scojer likes this.
  24. scojer

    scojer 2[H]4U

    Messages:
    3,893
    Joined:
    Jun 13, 2009
    I have not but it's on my radar now.
     
  25. Wiffle

    Wiffle Limp Gawd

    Messages:
    293
    Joined:
    Oct 2, 2011
    Remember when you thought it was cool to download that pouring beer glass app and impress all your friends with your new smartphone...

    ...Well its back, and it wants 5$ to change the flavor of beer, and it will let you know every other page browse, after opening fasocialismbook, when you restart your phone, and at 2 am in the morning after DST adjusts...

    ...not so cool anymore... is it?