Security News > 2021 > February > Location tracking report: X-Mode SDK use much more widespread than first thought
Apps that tracked and sold people's whereabouts were more prevalent than perhaps first thought.
A report out today has identified 450 Android apps downloaded 1.7 billion times that used SDKs to track the location of smartphones.
New research conducted by Sean O'Brien at ExpressVPN, assisted by the Paris-based Defensive Lab Agency, detected location tracking SDKs in 450 Android apps at the end of January, all downloaded nearly two billion times, and 44 per cent of which used the now-banned X-Mode code at some point.
The conclusion of the ExpressVPN report is that "We identified evidence of the ubiquity of location tracking SDKs in a wide range of consumer apps." This raises many questions, and although it happily references press articles on such matters as police, military, and intelligence services abusing location data, the report does not present direct evidence of this, nor attempt to work out which apps have hidden or unreasonable behavior beyond the inclusion of the banned X-Mode libraries.
Google has complicated the issue around location permissions by requiring apps that scan for Bluetooth devices also to have access to full Location Services, and that Google's Location Services have to be running; this is justified on the grounds that it makes users more aware that location may be revealed via Bluetooth, but also means that users give broader location permissions to apps than they may wish, simply to get them working at all.
The ExpressVPN report states that despite Google's ban on the use of X-Mode code in apps, "Our investigation found that X-Mode maintains a strong presence on Google Play. We identified 199 apps with X-Mode tracker SDKs in them, collectively downloaded at least 1 billion times. 90 per cent of these apps continue to be listed in Google Play after the ban."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/03/location_tracking_report_xmode_sdk/