Analytics platform Sensor Tower has been secretly collecting data from users through VPN and ad-blocking apps on iOS and Android, a new report from BuzzFeed News says. The apps would prompt users to install root certificates through Safari, bypassing Apple’s restrictions.
The report details that since 2015, Sensor Tower has owned at least 20 applications for iOS and Android. One of them, Adblock Focus, was recently available on the App Store until BuzzFeed News contacted Apple. Another, called Luna VPN is still available, but Apple says it is continuing to investigate the app. An Apple spokesperson confirmed that a dozen of past Sensor Tower applications were removed from the App Store due to violations.
Interestingly, none of the applications have been tied to Sensor Tower on the App Store, instead they were listed under other company names. BuzzFeed News discovered the ties to Sensor Tower after realizing the apps “contain code authored by developers who work for the company.”
Speaking to BuzzFeed News, Randy Nelson, Sensor Tower’s head of mobile insights, explained that the “vast majority” of the apps are “defunct and a few are in the process of sunsetting.” Of course, he did not willingly acknowledge that the apps are defunct because they were removed for policy violations.
Nelson also defended the data collected by the apps, which have been downloaded over 35 million times.
“Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user’s device, including web browsers,” Nelson said.
Luna VPN prompts users to install a root certificate by offering the ability to block YouTube ads. Apple restricts root certificate privileges in third-party applications, but Sensor Tower bypassed this by having the user install the certificate in Safari:
Luna VPN, for example, shows a notification that offers the ability to block ads on YouTube if a user adds the Adblock extension, another SensorTower product. This kick-starts a process that results in a root certificate installation.
You can read the full BuzzFeed News report here.