Some VPN apps and ad blockers have been spying on users' phones

Some of Sensor Tower's apps (Image credit: BuzzFeed News)

What you need to know

  • Sensor Tower, a data analytics company, has been using an assortment of free VPNs and ad-blocking apps to collect user data.
  • The identified apps have more than 35 million downloads in total.
  • Both Google and Apple have removed some of these apps from their app stores since the revelations.

A new report from BuzzFeed News reveals that up to 20 VPNs and ad-blocking apps on both the Play Store and the iOS App Store were secretly spying on their users. All of these apps belong to one company: Sensor Tower, an analytics firm used by different stakeholders to assess app revenue, performance, and more.

The apps have a total of 35 million combined downloads, making these revelations particularly troubling. Some of the apps identified by the report include Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus, all of which were recently available on the Play Store. The iOS App Store, meanwhile, hosted at least the latter two.

None of the apps revealed their affiliation with Sensor Tower or their data collection practices. When confronted with this shady behavior, the company's head of mobile insights, Randy Nelson, defended the lack of transparency by referring to "competitive reasons."

"When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense — especially considering our history as a startup," he said, referring to the company's supposed origins as an ad blocker, even though he was unable to provide any evidence of the claim to BuzzFeed.

"...a small file that lets its issuer access all traffic and data passing through a phone."

"Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user's device, including web browsers," Nelson said. He also clarified that the data collected by Sensor Tower is anonymized.

Far worse than the lack of transparency, though, is how the apps actually work. Once installed on a phone, the apps ask users to install a root certificate, which allows Sensor Tower to monitor "all traffic and data passing through a phone." Note the use of the word 'all,' meaning it's likely not just the data that's passing through Sensor Tower's VPN servers, for example.

Since both Google and Apple block root privileges by default, Sensor Tower's apps circumvent these restrictions by routing users to an external website, where they are prompted to download the root certificate.

Nelson further adds that "the vast majority of these apps listed are now defunct (inactive) and a few are in the process of sunsetting," without clarifying that, as BuzzFeed discovered, most of the apps were actually removed by the app stores due to policy violations, and not because Sensor Tower had suddenly decided against its obviously questionable tactics.


Muhammad Jarir Kanji