Assessing Mobile App Privacy

Bringing greater transparency to stealth tracking by mobile apps popular in Jersey. Posted 28 January 2019

Today is Data protection day here in Europe which is a perfect opportunity to publish a blog post assessing mobile applications which target Jersey users.

For these tests, I am using an online scanning utility from a French non-profit organisation named Exodus Privacy. They provide an excellent online tool (and mobile app) which can be used to remotely download and inspect mobile apps.

Throughout this post I test Android apps because of its dominant market share, however iOS users should expect near-identical tracking in the iOS versions of these apps. Users of iPhones and iPads are viewed by marketers as a more affluent demographic and their data sells for a higher price. If anything, you can expect greater tracking and targeting efforts.

Love Jersey

Love Jersey v3.5.5, zero trackers

First up is Love Jersey, an eGov project app launched by the Department for Infrastructure (DfI) for users to report problems such as potholes or fly-tipping. From a privacy perspective, this is a fine start for eGov as it contains zero trackers. You can view the third-party test results here. It does need camera and location access, however this is necessary for the intended use and should be acceptable to most users. I can recommend this app.

Obsolete certs = security fail

If you prefer to skip the app and use the website instead, I have some bad news. This scheme was launched less than two years ago, however the eGov webpage for reporting problems online appears to already be abandoned and is no longer secure. Visitors using a modern web browser will see prominent warnings instead of the “Love Jersey” website, and should not use the website until this security issue is resolved.

Active Jersey

Active Jersey v3.46, three trackers

Active Jersey is a local physical fitness membership scheme, and you can sign up for personal training, rehabilitation, swim classes, and much more. It’s a great idea but their app contains three separate trackers from Facebook. This is particularly concerning because if you’ve ever logged in to Facebook on your mobile they have your unique mobile Advertising ID.

This mobile app quietly transmits sensitive user data about you to Facebook, whether you have a Facebook account or not. For more information on this topic please see this BuzzFeed News article.

If you want to skip the app and book online you can do so at active.je, however the website also contains multiple third-party trackers and fails to disclose this as required. After a brief search of their website, I was unable to locate their Privacy Policy.

Privacy minded users should probably stick to ringing their local facility to make bookings.

PayByPhone

PayByPhone v3.2.0.7289, ELEVEN trackers

This app enables users to pay for parking using their mobile. That is convenient but you are trading a significant amount of privacy and personal data for that convenience. This app contains the most trackers I have ever seen, eleven different tracking packages from Facebook, Google, and numerous other data brokers!

The inbuilt trackers for this app record everything you are doing and describe how they can even track you across different devices. If you like being relentlessly tracked by some of the creepiest companies on the internet, this app is for you.

Privacy minded users, stick to using Pay Cards for now. I don’t like them either, but the alternative is worse.

Yoti - your digital identity

Yoti v2.15.1, five trackers

This is a relatively new “Digital ID” app so you should expect that the application developers can identify you, that’s the point after all.

What you may not have expected are five different third-party trackers. One of these trackers offers to “Tie each user to the ads they interact with”.

Privacy minded users, just keep using a photo ID as before. These work perfectly well, never run out of charge, and do not constantly phone home to advertising companies. That’s a feature, not a bug.