The bandwidth costs of third-party tracking services on mobile apps

Mobile operators offer data plans with volume caps to control network congestion and also for profit. The presence of such data caps forces many mobile users to control and limit their browsing and mobile habits to make sure that they do not exceed their data allowance.

In October 2015, a New York Times article measured the bandwidth and performance costs of online advertising on 50 websites. The article revealed that “more than half of all data in those websites came from ads and other content filtered by ad blockers”. For mobile subscribers, this implies that a large fraction of their traffic is generated simply for tracking them.

What about mobile apps? How much data does an Android app generate for tracking users, monitoring app activity or displaying ads?

In our previous blogpost, we talked about how Haystack can help you to identify the presence of third-party trackers on your mobile apps. The large number of trackers that we have found on our mobile apps has motivated us to measure the portion of traffic that each app generates for tracking and advertising purposes.

In total, we analyzed more than 1,700 mobile apps. The figure below shows the distribution of the percentage of each app’s traffic going to such third parties.

[Figure: Histogram of traffic for tracking purposes per app]

The results may vary depending on how our ICSI Haystack users interact with their apps. However, the ratio of an app’s traffic dedicated to tracking is much higher than what we initially expected: on average, 24% of an app’s traffic is associated with third-party tracking and advertising services. This networking activity affects not only users’ data plans but also the battery life of their devices.

If we look in detail at the distribution, we can see that 40% of the apps dedicate at least 10% of their traffic to tracking and advertising, while more than 10% of mobile apps have at least 90% of their traffic associated with such activities. If it weren’t for user tracking and advertising, many mobile apps could operate completely offline!
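The per-app share and the distribution figures quoted above can be reproduced from your own traffic logs. The following is an added example, not code from the Haystack project: the flow records, app package names and tracker domains are constructed (reserved .example names), and the tracker list stands in for a curated ad/tracker blocklist.

```python
from collections import defaultdict

# Constructed tracker list (reserved .example names); a real list would come
# from a curated ad/tracker blocklist.
TRACKER_DOMAINS = {"adnet.example", "analytics.example"}

# Constructed flow records: (app package, destination hostname, bytes up+down).
FLOWS = [
    ("com.example.game", "cdn.adnet.example", 9_000),
    ("com.example.game", "api.analytics.example", 900),
    ("com.example.game", "scores.game.example", 100),
    ("com.example.news", "content.news.example", 8_500),
    ("com.example.news", "analytics.example", 1_500),
    ("com.example.notes", "sync.notes.example", 4_000),
    # Shares a string suffix with a tracker but is a different domain.
    ("com.example.notes", "notanalytics.example", 1_000),
]


def is_tracker(host, trackers=TRACKER_DOMAINS):
    """True if host or any parent domain is listed (label-boundary match)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in trackers for i in range(len(labels)))


def tracking_share(flows):
    """Return {app: fraction of that app's bytes sent to tracker domains}."""
    total = defaultdict(int)
    tracked = defaultdict(int)
    for app, host, nbytes in flows:
        total[app] += nbytes
        if is_tracker(host):
            tracked[app] += nbytes
    return {app: tracked[app] / total[app] for app in total if total[app]}


def fraction_of_apps_at_least(shares, threshold):
    """Fraction of apps whose tracking share is >= threshold."""
    if not shares:
        return 0.0
    return sum(s >= threshold for s in shares.values()) / len(shares)


if __name__ == "__main__":
    shares = tracking_share(FLOWS)
    for app, share in sorted(shares.items()):
        print(f"{app}: {share:.0%} of traffic goes to trackers")
    print(f"apps >= 10%: {fraction_of_apps_at_least(shares, 0.10):.0%}")
    print(f"apps >= 90%: {fraction_of_apps_at_least(shares, 0.90):.0%}")
```

Matching on whole domain labels rather than raw string suffixes keeps unrelated hosts such as notanalytics.example from being counted as tracker traffic.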

The table below lists some of the apps for which tracking activity and ads account for at least 98% of their total traffic. The apps listed below have user ratings higher than 3.5/5 stars and millions of users.

| App Name | App Category | App Audience | Google Play Installs | Rating | % of traffic |
|---|---|---|---|---|---|
| Tottoko Dungeon | Role Game | Everyone | 50K-100K | 3.9 | 100% |
| Busuu – Easy Language Learning | Education | Everyone, 10+ | 10M-50M | 4.3 | 100% |
| Piano Tiles 2 (Don’t Tap…2) | Arcade | Everyone | 100M-500M | 4.7 | 99% |
| Drippler – Android Tips & Apps | News & Magazines | Everyone | 5M-10M | 4.5 | 99% |
| Tap Titans | Role Playing | Everyone, 10+ | 10M-50M | 4.7 | 99% |
| Headspace – meditation | Health & Fitness | Everyone | 1M-5M | 4.4 | 99% |
| Kung Fu Panda: BattleOfDestiny | Game | Everyone | 1M-5M | 3.7 | 99% |
| Darklings | Arcade | Everyone | 100K-500K | 4.0 | 99% |
| Cooking Fever | Arcade | Everyone | 10M-50M | 4.4 | 99% |
| BestFriends – Puzzle Adventure | Casual | Everyone | 10M-50M | 4.6 | 99% |
| A Dark Dragon AD | Role Game | Everyone, 10+ | 100K-500K | 4.3 | 99% |
| Square Trade | Shopping | Everyone | 10K-50K | 3.6 | 99% |
| Jungle Cubes | Puzzle | Everyone | 500K-1M | 4.3 | 99% |

If we look at the type of apps and their targeted audience, we can see that many of them are games rated as suitable for children. These apps connect to third-party services like Facebook Graph (Facebook’s analytics and ad network), tools for user engagement and A/B testing like HelpShift or Optimizely, tools to promote app installs like Chartboost, analytics services like mobileapptracking (part of Tune), and mobile-game-specific tracking services and gaming ad networks like Unity3D.

According to EU legislation, no tracking activity should take place on apps for children without parental consent. For some of the children’s games that we’ve manually tried, we have not seen any activity or information on Google Play aiming to inform the parents, or the user, about any tracking activity. Even in the USA, the FTC recently reached a nearly 1M USD settlement with InMobi for tracking children without parental consent. We will further investigate this interesting topic in future blogposts.

We’re currently working to enable new features on the Haystack app that would help you to keep control of your network data consumption and privacy. In the meantime, our current user-interface reports how much of the data generated by your app goes to third-party trackers and ad networks:

[Figure: ICSI Haystack profile for the Hailo app]

Stay tuned!

Exposing indirect privacy leaks on mobile apps

Today, we have been informed that the ICSI Haystack Project has been awarded one of the prestigious Data Transparency Lab 2016 grants. If you are not familiar with the Data Transparency Lab efforts, the DTL is a community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. The initiative is led by Mozilla, Telefonica, and ODI.

Our DTL research proposal aims to illuminate the presence of indirect privacy leaks in mobile apps. A typical privacy-aware user checks the app’s permission list at the time of installing a new Android app from Google Play. Some users may still agree to share part of their personal information with the app developer even when they consider an app permission harmful to their privacy. However, what most users do not know is that the app developer may not be the only organization collecting their personal information.

As in the browser context, mobile apps can leak user personal information to third parties such as ad networks and analytics services without user awareness and consent. While these services are valuable to app developers, they may track users and collect a vast amount of personal information about them by piggybacking on the permissions requested by the app developer and granted by the user. Google Play does not require the app developer to inform users about the presence of tracking services in Android apps.

Mobile users, and even regulators, lack tools to understand how mobile apps operate behind the scenes and which organizations are collecting user data. Our research and development efforts in the ICSI Haystack project seek to illuminate this dark space with the hope of helping users to stay in control of their online privacy and to raise societal awareness.

To that end, we created an interactive map of tracking services on Android apps: the ICSI Panopticon. The image below contains a screenshot of the interactive map.

[Figure: ICSI Haystack Panopticon screenshot]

The ICSI Haystack Panopticon contains records for more than 1,500 Android apps and is built upon the data collected from the users of our ICSI Haystack Privacy Monitor app. If you’re one of them, we would like to thank you for your help. If not, we strongly invite you to install the app and help extend our catalogue of Android apps. Note that we collect the data by crowdsourcing in a completely anonymized way: we do not collect any personal information about our users, as we describe in our privacy policy.

Our analysis revealed that 70% of our monitored mobile apps connect to at least one tracking service. A significant fraction of apps even connect to more than 10 tracking services simultaneously. We invite you to play with the Panopticon and identify for yourself the organizations collecting your personal information when you use a given app. As you will notice, there is a strong power law distribution, as a few organizations dominate this ecosystem: Crashlytics and Flurry (both owned by Yahoo), Google Analytics, AdJust, AppsFlyer, Mixpanel and Facebook Analytics. Interestingly, many of these services are cross-platform, so they can track you not only in your mobile apps but also in the browser.

We’re working hard to release new app features to help you better protect your online privacy. We are taking inspiration from the Ghostery and Privacy Badger browser extensions to enable data flow blockage in an easy-to-use way. Stay tuned!