Follow

"We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not."

😱😱😱

Investigating Apps interactions with Facebook on Android | Privacy International

privacyinternational.org/campa

@Argus Is there a way on android to block the transfers? Eg. A set of ip addresses?

@Argus @aral On the other hand, Android has built-in iptables firewall which can be administered from commandline just as on Linux or with easy interfaces like AFWall+ (or for non-rooted devices through a virtual Virtual Private Network (a local VPN to self, to block all non-firewalled traffic, thus "virtual VPN")).

At least for for rooted Android devices one can also block hostnames via the hosts-file (/system/etc/hosts is a redirect (symlink) for /etc/hosts) just as on any non-closed UNIX(-like) system and even on Windows. I've seen apps that claim to be able to manage the hosts-file even without root on Android, but I have not tested any of those.

@Argus Easy solution: Stop using Facebook and block all the IPs it owns on your firewall. :flan_molotov:

@pertho @Argus @b9AcE Rooting isn't practical for the general public, and for those like me who can't risk bricking my cell and can't find any way to do so on our particular tablet brands. I'd like to see references to non-rooted options other than VPN, preferably FOSS and free, though I'm willing to pay a reasonable charge if I knew the provider wasn't dealing behind my back, as PI has reported with some.

I swear, FOSS Linux on devices is the only way to go, IMHO.

@technoslick @Argus Android operating system is designed to spy on you. You can't even have a blocklist in /etc/hosts on Android; it gets ignored.

I don't think Linux is secure enough for mobile devices as it has a very polluted ecosystem now (see: Systemd)

@pertho @Argus using a distro that relies on systemd...possibly. I'm migrating over to MX Linux--systemd free. But the real issue is the difficulty in getting a Linux build to replace the built-in Android o/s. Not all devices are easily rooted or can be.

@pertho @Argus How is that easy? Want to take a guess at the number of IP addresses, fb use?

@sigaard @Argus Sure, I use this:

whois -h whois.radb.net '!gAS32934' | tr ' ' ', '

@Argus If you use Adaway (or something similar) you can block requests to a lot of facebook domains easily :)

@io @Argus Exactly. How would a user know without finding such results?

@Argus

This has been a thing for awhile. Does the report mention what the companies get in return for sending all the data to Facebook? Is it just a money thing?

@Argus I notice the FB SDK collects the phone's advertising_id plus a static FB "anon_id".

Assuming the anon_id stays the same per app (or per phone?) this allows FB to work around users who reset their advertising ids and keep tracking them as the same user

@Argus for some reason im particularly disappointed in Clue, they always seemed like a trustworthy app to me

@Argus

Wow. That makes me want to DNS black hole Facebook's domains.

@Argus what? Am I missing something or is the sample size of thirty apps?

@Argus I'm not too experienced reading academic papers so I might be missing a critical point, but I read the full report and I'm sceptical. The report only lists 33 apps, all of which are free and most include social elements or FB logins. I don't think that's a good representative of the market. Besides, they don't specify what kind of data is being tracked. Like I just said, it could be a simple login.

1/?

@Argus I didn't try many of these apps, but Spotify lets you create in-house accounts or log in with FB, and they don't specify how that influences the output.

The report cites another investigation from Oxford University from 2014, which indicates that the percentage is actually 40%.

2/3

@Argus I don't know much about what being an Android developer was like back then, but if I'm not mistaken Google has simplified logging in with Google accounts since then, making a competitive alternative. Maybe FB's scandals made a difference too, I'm talking out of my ass here.

Anyways, I'm sending Privacy International an e-mail just to check

3/3

@Argus
Wonder if this includes apps that say "no ads" in the store :blobthinking:

Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!

We adhere to an adapted version of the TootCat Code of Conduct and follow the Toot Café list of blocked instances. Ash is the admin and is supported by Fuzzface as a moderator.

Hosting costs are largely covered by our generous supporters on Patreon – thanks for all the help!