Investigating Apps interactions with Facebook on Android
We look at how apps are exposing peoples' activities and behaviours to Facebook.
PI has been investigating the proliferation of data tracking, brokerage and exchange between many tech companies, both as their primary business as well as value added services.
PI's analysis consisted of capturing and decrypting data in transit between our own device and Facebooks servers (so called "man-in-the-middle"), we did this using the free and open source 'mitmproxy', an interactive HTTPS proxy. Having captured communications we then analysed the contents of these messages to determine the composition of the data being exchanged. Fortunately the data parsed by the Facebook SDK adheres to JSON formatting conventions and therefore aspects of the data exchange are human readable.
What we found (December 2018)
Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called "mitmproxy", an interactive HTTPS proxy, Privacy International has analyzed the data that a number of Android apps transmit to Facebook through the Facebook SDK.
- We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
- We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account.
Updated findings (March 2019)
- We have retested all apps.
- A number of apps no longer transfer personal data to Facebook the moment a users opens the app.
- However, many apps still exhibit the same behaviour we described in our original report. These apps automatically transfer personal data to Facebook the moment a user opens the app, before people are able to agree or consent. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
- We have released our testing environment. You can find it here.