Investigating Apps interactions with Facebook on Android

Privacy International has been investigating the proliferation of data tracking, brokerage and exchange between many tech companies, both as their primary business as well as value added services. 

Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools. App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called "mitmproxy", an interactive HTTPS proxy, Privacy International has analyzed the data that a number of Android apps transmit to Facebook through the Facebook SDK.

Key findings (December, 2018)

  • We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
  • We also found that some apps routinely send Facebook data that is incredibly detailed and sometimes sensitive. Again, this concerns data of people who are either logged out of Facebook or who do not have a Facebook account.

Update (March, 2019)

  • We have retested all apps.
  • A number of apps no longer transfer personal data to Facebook the moment a users opens the app.
  • However, many apps still exhibit the same behaviour we described in our original report. These apps automatically transfer personal data to Facebook the moment a user opens the app, before people are able to agree or consent. This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not.
  • We have released our testing environment. You can find it here.

 


Report:

The full report from December, including our legal analysis, our full methodology and company responses can be found here

Our updated finding from March 2019 - "Guess what? Facebook still tracks you on Android apps (even if you don't have a Facebook account)"

A video presentation of the finding of this report can be found here, as presented at 35th Chaos Computer Congress (35C3)

 


Documentation:

Below is the accompanying documentation for the report, including the analysis of each app and the data transmitted to and from Facebook

The name can either be partial or full