Feb 03, 2025 19:00:00

Even if you disable location information on your smartphone, location information is still leaked via in-app ads

Even if you disable location services in your device settings, your location may still be identified through the data collected to serve you personalized ads based on your preferences and behavior. A cybersecurity expert explains how this works.

Everyone knows your location

https://timsh.org/tracking-myself-down-through-in-app-ads/

Tim, who runs the security blog 'tim.sh,' reset his old iPhone 11 completely to factory settings and obtained a new Apple ID. He installed only one game app on the clean slate to investigate what information was obtained. The game chosen as the sample was ' Stack .'

As a result, it turns out that a large amount of data is acquired immediately after the app is launched.

One of the most striking pieces of data was data related to '

Unity Ads '. There were over 200 different pieces of data sent to Unity Ads, but what was particularly noteworthy was the fact that location-related data such as country code, IP address, latitude and longitude was sent. In addition, information such as screen brightness, storage capacity, current volume, and whether or not headphones were being used was also obtained.

Regarding this, Tim speculates, 'I'm not sure why storage capacity data is needed, but for example, there's no point in advertising an app that takes up 1GB of storage to a user who only has 500MB of storage, so I think it's used to prevent such ads from being displayed.'

In addition, Tim's smartphone was sending IP addresses and timestamps to Facebook's servers, but Tim did not have Facebook installed and did not link his Apple ID to his Facebook account, so he did not know why the data was being sent.

'There are rumors that Uber adjusts the fare depending on the battery level of the user's smartphone. I don't know if that's true, but the fact that this kind of data is actually available and that advertisers can access it is important to know,' Tim said.

As for IP addresses, it doesn't seem like a big deal if they're only collected by one app, but the problem is that information collected from multiple apps is linked together to create one huge database, Tim points out.

The data collected by Stack included requests to the iOS device's unique advertising identifier 'IDFA' and Stack's developer-specific identifier 'IFV (IDFV)'. The IDFA is not collected unless the user gives permission, but the IFV cannot be opted out.

'Because the requests contain so much data, advertising companies will likely find loopholes that allow cross-app tracking without requiring the IDFA,' Timm said.

One of the data recipients of Stack was an advertising company called Moloco . Tim commented, 'Moloco aggregates a lot of data, and it seems that anyone who becomes an advertising partner can access the data.'

In the course of his research, Tim also discovered a data marketplace called Datarade , and picked out the top-ranked trader , RedMob . RedMob offers data at an abnormally high price of $120,000 per year, but the data contains important personal information such as email addresses and addresses, and has even made them publicly available in sample data.

Tim summarized, 'By linking your advertising ID with RedMob data, we can identify personal information such as your name, address, and phone number. Location information can be improved by simply using the app and moving around a little. This is the current state of data trading that is happening all over the world, and even if each small piece of data collection seems legal, the bigger picture is ugly.'