As BuzzFeed reports, users installing one of these apps were prompted to install a root certificate. Apple and Google restrict root certificate privileges due to the security risk to users. Sensor Tower’s apps bypass the restrictions by prompting users to install a certificate through an external website after an app is downloaded. Its apps had been downloaded 35 million times.
According to Sensor Tower — which owns 20 of these apps — it only collects anonymized usage and analytics data, which is integrated into its products. Speaking to BuzzFeed, Sensor Tower’s head of mobile insights Randy Nelson said the company’s apps do not collect sensitive data or personally identifiable information, and that “the vast majority of these apps listed are now defunct and a few are in the process of sunsetting.” Nelson also said that Sensor Tower chose not to disclose its ownership of the apps “for competitive reasons.”
A list of the apps. Only Luna VPN remains in the App Store as of now. Luna, Adblock, and Free and Unlimited VPN are still in the Play Store. Apple and Google continue to investigate. pic.twitter.com/CQ6jNinA1x
— Craig Silverman (@CraigSilverman) March 9, 2020
After being contacted by BuzzFeed News, Apple and Google removed a number of affected apps from their respective stores, with both saying they are now investigating the issue. BuzzFeed reports that 13 Sensor Tower apps were previously removed from the iOS App Store due to policy violations, but it’s not clear if these are the same “defunct” apps Nelson is referring to.
Tracking user activity is the cornerstone of the app economy, and it’s not unusual for developers to present data-monitoring functions as user safeguards — Facebook’s info-leeching Onavo VPN app is a prime example. However, Sensor Tower’s case serves to highlight how largely this practice is misunderstood by users and, indeed, the loopholes companies are prepared to exploit in a bid to get their hands on your valuable data.