How smartphones build a dossier on you

We break down the most covert mechanism of smartphone surveillance using real-life examples.

How smartphones actually track you

You’ve probably heard the rumor — our smartphones are always listening. But the truth is, they don’t need to. The information shared with data brokers by virtually every app on your smartphone, from games to weather apps, is more than enough to create a detailed profile on you. For a long time, “online tracking” meant that search engines, ad systems, and advertisers all knew which websites you visited. But since smartphones appeared on the scene, the situation has become much worse: now advertisers know where you go physically and how often. So, how do they do it?

Every time any mobile app prepares to show an ad, a lightning-fast auction takes place to determine which specific ad you’ll see based on the data sent from your smartphone. And although you only see the winning ad, all the participants in the auction receive data about the potential viewer — that is, you. A recent experiment showed just how many companies receive this information, how detailed it is, and how ineffective built-in smartphone features like “Do Not Track” and “Opt Out of Personalized Ads” are at protecting users. Nevertheless, we still recommend some protection methods!

What data do advertisers receive?

Every mobile app is built differently, but most start “leaking” data to ad networks even before displaying any ads. In the experiment mentioned earlier, a mobile game immediately sent an extensive array of data to the Unity Ads network upon launch:

  • Information about the smartphone, including OS version, battery level, brightness and volume settings, and available memory
  • Data about the network operator
  • Type of internet connection
  • Full IP address of the device
  • Vendor code (the game developer’s identifier)
  • Unique user code (IFV) — an identifier linked to the game developer and used by an ad system
  • Another unique user code (IDFA/AAID) — an ad identifier shared by all apps on the smartphone
  • Current location
  • Consent for ad tracking (yes/no)

Interestingly, the location is transmitted even if the service is disabled on the smartphone. It’s approximate though, calculated based on the IP address. However, with publicly available databases matching physical and internet addresses, this approximation can be surprisingly accurate — down to the city district or even the building. If location services are enabled and allowed for the app, precise location data is transmitted.

In the same experiment, the consent for ad tracking was marked as “User Agreed”, even though the experiment’s author did not provide such consent.

Who gets the data, and how often?

The data stream is sent to all ad platforms integrated into the app. There are often several such platforms, and a complex algorithm determines which one will be used to show the ad. However, some data is shared with all connected networks — even those that aren’t currently showing ads. In addition to the above-mentioned Unity (whose ad platform generates 66% of revenue for developers using this game engine), other major platforms include those of Facebook, Microsoft, Google, Apple, Amazon, and dozens of specialized companies like ironSource.

Next, the ad network currently displaying ads in the app sends a large set of user data to a real-time bidding (RTB) system. Here, various advertisers analyze the data and bid to display their ads, all at lightning-fast speeds. You view the winning ad, but information about your location, combined with the exact time, IP address, and all other data, is shared with every auction participant. According to the experiment’s author, this data is collected by hundreds of obscure firms, some of which may be shell companies owned by intelligence agencies.

A video from the experiment shows how connections to ad servers were made dozens of times per second, and even Facebook received data despite the fact that no Meta apps were installed on the experimenter’s smartphone.

The illusion of anonymity

Ad-network owners love to claim that they use anonymous and depersonalized data for ad targeting. In reality, advertising systems go to great lengths to accurately identify users across different apps and devices.

In the data set mentioned above, two different user codes are listed: IFV and IDFA/AAID (IDFA for Apple, AAID for Android). A separate IFV is assigned to your device by each app developer. If you have three games from the same developer, each of these games will send the same IFV when showing ads. Meanwhile, apps from other developers will send their own IFVs. The IDFA/AAID, on the other hand, is a unique advertising identifier assigned to the entire smartphone. If you’ve agreed to “ad personalization” in your phone’s settings, all games and apps on your device will use the same IDFA/AAID.

If you disable ad personalization, or decline consent, the IDFA/AAID is replaced with zeros. But IFVs will continue to be sent. By combining the data transmitted with each ad display, advertising networks can piece together a detailed dossier on “anonymous” users, linking their activity across different apps through these identifiers. And as soon as the user enters their email address, phone number, payment details, or home address anywhere — such as when making an online purchase — the anonymous identifier can be linked to this personal information.
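
An added example (not from the original article or the experiment) of auditing ad telemetry captured from your own device: it flags the issues described above and shows which apps remain linkable after the IDFA/AAID is zeroed. The record layout and field names are hypothetical, and the sample records are constructed.

```python
from collections import defaultdict

# All-zero value that replaces the IDFA/AAID when ad personalization is off.
ZERO_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample: records as a proxy on your own phone might log them.
# Field names are hypothetical, not any ad SDK's real schema.
CAPTURED = [
    {"app": "game_a", "ifv": "IFV-DEV1", "idfa": ZERO_ID,
     "ip": "203.0.113.7", "geo": "ip", "consent": True},
    {"app": "game_b", "ifv": "IFV-DEV1", "idfa": ZERO_ID,
     "ip": "203.0.113.7", "geo": "ip", "consent": True},
    {"app": "weather", "ifv": "IFV-DEV2", "idfa": ZERO_ID,
     "ip": "203.0.113.7", "geo": "gps", "consent": False},
]

def audit(records, user_consented):
    """Return (app, finding) pairs for telemetry that contradicts user settings."""
    findings = []
    for r in records:
        if r["idfa"] != ZERO_ID:
            findings.append((r["app"], "device-wide ad ID sent"))
        if r["consent"] and not user_consented:
            findings.append((r["app"], "consent flag set without user consent"))
        if r["geo"] == "gps":
            findings.append((r["app"], "precise location sent"))
    return findings

def linkable_groups(records):
    """Group apps that share an identifier still present in the telemetry."""
    by_key = defaultdict(set)
    for r in records:
        if r["idfa"] != ZERO_ID:          # a zeroed ID links nothing
            by_key[("idfa", r["idfa"])].add(r["app"])
        by_key[("ifv", r["ifv"])].add(r["app"])   # same developer, same IFV
        by_key[("ip", r["ip"])].add(r["app"])     # full IP is sent regardless
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

if __name__ == "__main__":
    for app, finding in audit(CAPTURED, user_consented=False):
        print(f"{app}: {finding}")
    for (kind, value), apps in linkable_groups(CAPTURED).items():
        print(f"linked by {kind}={value}: {', '.join(apps)}")
```

Even with every IDFA/AAID zeroed, the two games stay linked through their shared IFV, and all three apps through the IP address.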

As we discussed in our article on the Gravy Analytics data leak, location data is so valuable that some companies posing as ad brokers are created solely to collect it. Thanks to IFV — especially IDFA/AAID — it’s possible to map out the movements of “Mr. X” and often de-anonymize him using just this data.

Sometimes, complex movement analysis isn’t even necessary. Databases linking ad identifiers to full names, home addresses, emails, and other highly personal details can be simply sold by unscrupulous brokers. In such cases, detailed personal data and a comprehensive location history form a complete dossier on the user.

How to protect yourself from ad tracking

In practice, neither strict laws like the GDPR nor built-in privacy settings provide complete protection against the tracking methods described above. Simply pressing a button in an app to disable ad personalization is not even a half-measure — it’s more like a tenth of a measure. The fact is, this only removes one identifier from the telemetry data, while the rest of your data is still sent to advertisers.

Cases like the Gravy Analytics data leak and the scandal involving the Datastream data broker demonstrate the scale of the problem. The ad-tracking industry is enormous, and exploits almost any app — not just games. Moreover, location data is purchased by a wide range of entities — from advertising firms to intelligence agencies. Sometimes, hackers obtain this information for free if a data broker fails to adequately protect their databases. To minimize the exposure of your data to such leaks, you’ll need to take some significant precautions:

  • Only allow location access for apps that genuinely need it for their primary function (e.g., navigation apps, maps, or taxi services). For example, delivery services or banking apps don’t actually need your location to function — let alone games or shopping apps. You can always manually enter a delivery address.
  • In general, grant apps the minimum permissions necessary. Do not allow them to track your activity in other apps, and do not grant full access to your photo gallery. Malware has been developed that can analyze photo data using AI, and unscrupulous app developers could potentially do the same. Additionally, all photos taken on your smartphone include geotags by default, among other information.
  • Configure a secure DNS service with ad-filtering functionality on your smartphone. This will block a significant amount of advertising telemetry.
  • Try to use apps that don’t contain ads. These are typically either FOSS (Free Open Source Software) apps or paid applications.
  • On iOS, disable the use of the advertising identifier. On Android, delete or reset it at least once a month (unfortunately, it cannot be completely disabled). Remember, these actions reduce the amount of information collected about you but don’t entirely eliminate tracking.
  • Where possible, avoid using “Sign in with Google” or other similar services in apps. Try to use apps without creating an account. This makes it harder for advertisers to collate your activity across different apps and services into a unified advertising profile.
  • Minimize the number of apps you have on your smartphone, and regularly delete unused apps — they can still track you even if you’re not actively using them.
  • Use robust security solutions on all your devices, such as Kaspersky Premium. This helps protect you from more aggressive apps, whose advertising modules can be as malicious as spyware.
  • In the Kaspersky settings on your smartphone, activate the Anti-Banner and Private Browsing options on iOS, or Safe Browsing on Android. This makes it significantly more difficult to track you.
