TripAdvisor, MyFitnessPal among 21 popular apps secretly share users’ data with Facebook
- Once the apps are installed on a user’s device, it initiates the Facebook Software Development Kit (SDK) in the background.
- The apps shared data like Google Advertising IDs, genders, interests, religion, health, routines and behaviors of users.
At least 21 out of 34 popular apps have been found collecting and sharing sensitive data with Facebook without users’ permission. To make it worse, these apps were even sharing the data of those users who do not have a Facebook account.
Which apps are involved?
Privacy International, a UK-based campaign group, conducted a review of 34 popular Android apps and found that at least 21 apps - 61 percent - were collecting personal information from users as soon as they opened an account.
These apps include the name of MyFitnessPal, Duolingo, Family Location GPS Tracker, Kayak, Muslim Pro, MyTalkingTom, Shazam, Period Tracker Clue, Spotify, Yelp, TripAdvisor, Qibla Connect, VK, and Turbo Cleaner.
Once the apps are installed on a user’s device, it initiates the Facebook Software Development Kit (SDK) in the background. This lets the Facebook know the name of the app being used by the user along with other details such as the number of times it was opened by the user, the device information, and the screen resolution.
Type of data shared
The apps were found sharing a variety of details with Facebook. This includes Google Advertising IDs, genders, interests, religion, health, routines and behaviors of users.
"For example, an individual who has installed the following apps that we have tested, Qibla Connect (a Muslim prayer app), Period Tracker Clue (a period tracker), Indeed (a job search app), My Talking Tom (a children’s app), could be potentially profiled as likely female, likely Muslim, likely jobseeker, likely parent," said Privacy International, the Daily Mail reported.
The report highlighted that some apps such as Kayak were sending users’ travel details which includes departure/arrival dates, city and airport names as well as the class of tickets.
In a response to Privacy International, Facebook has said that it did not add the option to disable the transmission of the ‘SDK initialized’ data before June. However, it has now removed such signals from the SDK.
“Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging,” Facebook told Privacy International in an email, Mashable India reported.
Facebook is also planning to implement a suite of changes to address Privacy International’s privacy-related concern.