How to Identify iPhone Apps That May Contain Location-Tracking Ads

Originally published at: How to Identify iPhone Apps That May Contain Location-Tracking Ads - TidBITS

Earlier this year, 404 Media published another article about the location-tracking industry that surreptitiously gathers and resells our location data (for earlier coverage, see “Exposé Reveals Ongoing Smartphone Location Tracking Threats,” 23 October 2024). This piece highlighted another reason why allowing private companies to collect such information is concerning—one of the major players in the field was hacked. Gravy Analytics, the parent company of Venntel, which sold smartphone location data to the US government, reportedly lost “a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements.”

Despite the FTC later prohibiting both companies from collecting, using, and selling sensitive location data of Americans, all that data is reportedly now available for purchase. Among those compromised files was a list of over 12,000 iOS and Android apps that may have been—and may still be—exploited by data brokers to collect users’ location data. These apps do not contain malicious code; instead, they are part of the real-time bidding advertising ecosystem. When advertisers bid to place ads within apps, all firms participating in the bidding—including data brokers—are granted access to information about your device, including data that can be used to infer location.

Even browsing through a list of over 12,000 apps, many of which are for Android, feels overwhelming, let alone manually comparing all the apps on your iPhone to the master list. Fortunately, there is an automated way to determine which apps on our iPhones were involved, knowingly or not, in this location data collection scheme.

  1. Download Apple Configurator from the Mac App Store.
  2. Connect your iPhone to your Mac using a USB cable.
  3. If prompted, allow the iPhone to connect and install a driver update.
  4. Open Apple Configurator and select your iPhone.
  5. Choose Actions > Export > Info, select Device Information, and then select Installed Apps.
    Export installed apps using Apple Configurator
  6. Apple Configurator then lets you save a three-column CSV file. I’ll leave it as an exercise for the reader to delete the UDID and Seller columns and remove each app’s parenthetical version number. I used Modern CSV with a grep search to find and delete a string consisting of a space and any text in parentheses, but you could also do that in BBEdit or other apps. (Yes, I really do have 484 apps on my iPhone.)
    Editing app list in Modern CSV
  7. Download this text file with all 12,325 apps identified in the data breach to spare you the effort of copying data from the public Google Sheet shared by 404 Media.
  8. Once you have the list of apps on your iPhone and the text file of all the apps in the Gravy Analytics breach, run this command in Terminal to identify the apps that appear in both. To customize it with your filenames, use the arrow keys and delete key to remove file1.txt and then drag one of the files in; repeat the navigation with the arrow keys and character deletion for file2.txt before dragging in the second file. Press Return when you’re ready.
    comm -12 <(sort file1.txt | uniq) <(sort file2.txt | uniq)
  9. The results appear instantly. Only three of my 484 apps appear in the Gravy Analytics list: Citymapper, Tumblr, and Wattpad. I must have downloaded Citymapper long ago for some trip, I don’t use the Tumblr app, and I don’t even remember what Wattpad is. It was an easy decision to delete them.

Given that I hadn’t launched any of those apps in years, I don’t think I was particularly vulnerable to having my location data sucked up as part of the real-time bidding process. Nevertheless, this experience will make me even more cautious about downloading apps that display ads.

If you go through this process, please share the apps it identifies. Some people have come up with alternative approaches that include Apple apps, which Configurator does not, and then match those apps against what I believe are Android apps in the full list. There’s no reason to worry about Apple apps in this regard.

4 Likes
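Steps 6 through 8 above can be run as one script; this is an added example, not part of the original article or thread. It runs under plain sh, so it does not need the `<( )` syntax, and it tolerates quoted CSV fields, CRLF line endings, stray whitespace and case differences. Assumptions: the app name is column 2 of the export in the form "Name (version)", the breach list has one name per line, the function names are hypothetical, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example. Assumed inputs: Configurator CSV with the app name in column 2
# as "Name (version)"; breach list as plain text, one app name per line.

# Print app names from CSV $1, column $2 (default 2), without the trailing
# " (version)". Handles quoted fields, doubled quotes and CRLF line endings.
installed_apps() {
    awk -v col="${2:-2}" '
    function csvfield(s, n,    i, c, q, f, out) {
        f = 1; q = 0; out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "\"") {
                if (q && substr(s, i + 1, 1) == "\"") { if (f == n) out = out c; i++ }
                else q = !q
            } else if (c == "," && !q) {
                if (f == n) return out
                f++
            } else if (f == n) out = out c
        }
        return out
    }
    { sub(/\r$/, ""); name = csvfield($0, col + 0)
      sub(/ \([^()]*\)$/, "", name); if (name != "") print name }
    ' "$1"
}

# Read installed names on stdin; print those also present in breach list $1.
# Matching ignores case, CRLF and surrounding whitespace. A header row in the
# export is compared like any other name and simply will not match.
breach_matches() {
    awk '
    function key(s) { sub(/\r$/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    NR == FNR { listed[key($0)] = 1; next }
    { k = key($0); if (k != "" && (k in listed)) print }
    ' "$1" - | sort -u
}

# Constructed sample data (not real export contents) so the example runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\r\n' 'UDID,Name,Seller' \
        '00000000-EXAMPLE,Citymapper (11.2),Seller A' \
        '00000000-EXAMPLE,"Notes, Lists (Pro) (3.0.1)","Seller B, Inc."' \
        '00000000-EXAMPLE,Wattpad (10.1),Seller C' > "$d/apps.csv"
    printf '%s\n' 'wattpad ' 'Citymapper' 'Some Android Game' > "$d/breach.txt"
    installed_apps "$d/apps.csv" | breach_matches "$d/breach.txt"
    rm -rf "$d"
}

if [ $# -ge 2 ]; then installed_apps "$1" | breach_matches "$2"; else demo; fi
```

With two arguments (the export CSV, then the breach list) it prints the overlap; with none it runs the constructed demo. Matching is by name only, so a hit on a generic name may be a different app with the same name.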

Just to be clear, this only applies if you granted location access to the app. (Right?) I see a lot of games on my personal list. (Though the comm command you gave returned no results – I imported both lists into a spreadsheet and used a VLOOKUP.)

But a) I would never grant location access to a game (no, I never played Pokemon Go), and b) I use 1Blocker’s firewall/local VPN tracker blocker so I rarely see ads, so theoretically all of that is being blocked at that level.

Tip: if you are using csh or tcsh you will get a redirect error with this command.

comm -12 <(sort file1.txt | uniq) <(sort file2.txt | uniq)

Missing name for redirect.

No error when using sh, bash, or zsh.

I had zero matches.

2 Likes

I didn’t want to install Configurator so here’s the process I used. Note that my CTRL-click is the same as ‘right click’.

  • Copy the list of breached apps that Adam provided and paste it into a new text file (I use BBEdit). Save it where you can find it.
  • On your iPhone go to Settings > General > iPhone Storage.
  • Click on ‘Show All’.
  • Sort the app list by Name.
  • Launch iPhone Mirroring on your Mac (I’m running Sequoia 15.3.1).
  • You’ll see the screen of your iPhone on the Mac where you can take screenshots of the listed apps (I used CMD-Shift-4, then drag to select only the app names).
  • Take screenshots of your app list starting with ‘A’ so the sequence of screenshots will have the apps in alphabetical order. Maybe it won’t matter what order they are in, I’m not an expert in the ‘comm’ command in Terminal.
  • Open your Screenshots folder in Finder.
  • Move all screenshots to a new folder (not needed if you don’t have any other screenshots).
  • Sort the screenshots by name (or date modified) so the app list will be in alphabetical order.
  • Select all the files.
  • CTRL-click on one of the files which brings up a pop-up list of contextual menu items.
  • Choose Quick Actions > Create PDF.
  • Give the created PDF a name you can remember (e.g. App List.pdf).
  • Open the App List file with Preview.
  • Preview will recognize the text. Click and drag from top to bottom to select all text, then copy and paste into a new plain text file.
  • Save the text file where you can find it. Edit it as needed so the app names are correct.
  • Follow Adam’s directions to use Terminal to compare this file with your breached apps file.

When I made the comparison I was surprised to see three Apple apps that I have show up in the list (Calculator, Calendar, Weather). Of course, those could be Android apps with the same name as the apps on my iPhone, because I don’t think I’ve ever seen ads in the Apple versions of these three apps.

1 Like

Adam, thank you for this!

Using zsh, my results were:


Last login: Thu Mar 13 19:04:56 on console
stanford@Williams-MacBook-Air-2 ~ % comm -12 <(sort /Users/stanford/Desktop/file1.csv t | uniq) <(sort /Users/stanford/Desktop/file2.txt t | uniq)
sort: No such file or directory
sort: No such file or directory
stanford@Williams-MacBook-Air-2 ~ %


I’m pleased!

As I understand it, no, not necessarily. The problem is that the real-time bidding process will share information about your device, like IP address, device IDs, nearby Wi-Fi networks and Bluetooth beacons, and more, that can be combined with other data to infer your location.

To my mind, any app that displays ads is potentially a conduit for this sort of privacy abuse.

2 Likes

Looks like you have typos in there—the extraneous letter t appears after each filename, and that’s causing the errors you see. Just rerun the command (press up arrow) and edit out those extra characters and try again.

1 Like

Clever! I agree that the Apple apps you’re seeing are there purely because of Android equivalents.

I was dreading what I might find with my 250 apps, but … nothing. Yea!

Thanks for posting the links and detailed instructions, Adam.

1 Like

Thanks for the clear instructions. My results: Citymapper and Trivia Crack

1 Like

When I open Apple Configurator, it asks me to sign in: “Your managed Apple Account must have the Device Enrollment Manager role.” What am I missing?

Uh, Adam, thanks, hadn’t noticed! Thought I was being cleared.

Will give that another shot! :-)

Interesting. I did get some hits:

  • 2048
  • BADLAND
  • Crossy Road
  • Cut the Rope
  • Vector

The last one is/was my electricity company. I hadn’t launched that app for years and I see that they are now saying uninstall the app and use the “enhanced web app”. I imagine enhanced with tracking.

I think the only app I didn’t want to remove was Badland, which was fun, though hadn’t played that for a long time. The others can go.

Thanks Adam.

r

1 Like

397 apps. No matches. Nice morning exercise… :grinning:

You must have device management enabled for some reason, and it’s set to disable access to Configurator. Do you have any profiles installed? This is not my area of expertise, but it seems odd an everyday Mac would have MDM. If it’s a work Mac that your employer manages, then yeah, it won’t let you do that.

No profiles, and I can’t recall ever setting MDM (General/Device Management is empty). How do I turn it off if it doesn’t show up?!

An alternate way of getting a list of apps is available to users of iMazing who don’t mind a little regex:

  • In iMazing, connect your phone, then choose Tools/Export Selected Data, check Apps, and choose Export
  • The resulting folder will include a Device-Info.txt file which includes a list of apps at the end
  • This list has path and version information at the end of each line which can be edited out with regex. I did a Find/Replace in BBEdit using \(.* (Note there is supposed to be space before the backslash)

4 Likes

Thanks. Unfortunately, that requires a $50 payment. :pensive: I’ve never quite figured out iMazing…much of what it can do is doable by iOS itself (this is one exception though!).

I’ve always heard “Where there’s a will, there’s a way.” For some odd reason, Preview would not allow text-grabbing from PNG screenshots of the listing of apps from Settings/Apps. So I took the screenshots of my apps, page by page; sent them to my iMac; opened them in Preview; then selected the text, ⌘C, ⌘N. For some equally odd reason, now Preview would allow me to select the text! ⌘C the text, switch to BBEdit, ⌘V, and voilà!

Well, I certainly got a surprise. Apple Apps were in my list! Adam did not report any Apple apps, though he surely had them on his device. Here is my result list:

  • Calculator
  • Calendar
  • Messages
  • Music
  • Solitaire (no surprise)
  • Sudoku (also no surprise)
  • Weather

The first three and the last one on my results don’t have any advertising; AFAICT Music has only Apple ads. The generically named apps are not duplicates of Apple apps; a search (swipe down from middle of home screen) reveals that I have no calculator, calendar, or messages apps (I do get several hits for ‘weather,’ but they’re not named just “Weather”). Are my results unusual?