Candy Crush, Tinder, MyFitnessPal: Apps hijacked to spy on location

Headline, culpability, and what’s actually new

  • Several commenters call the headline “hijacked” misleading: apps integrated tracking code deliberately and are accomplices, not victims.
  • The genuinely new point (for many) is that losing bidders in real‑time ad auctions also receive rich data from bid requests.

How location and identifiers are collected

  • Much of the dataset appears to use IP-based geolocation, not GPS; some argue this is less “direct” collection but still problematic.
  • Where fine‑grained GPS exists, users generally granted permissions via the OS; others note apps may fall back to IP geolocation when permission is denied.
  • Discussion of background app refresh on iOS/Android: plausible vector to regularly send identifiers to ad servers that then geolocate via IP.
  • Some suspect Google Mobile Services and ad SDKs can access more data than the host app’s explicit permissions suggest; whether this effectively bypasses permissions is debated and “unclear.”

Real‑time bidding and data firehose

  • RTB sends device/IP/location and context to many ad platforms for each impression; even non‑winning bidders can harvest data.
  • People note specialized firms exist mainly to “lose” auctions but keep the data, which violates ad platform terms but is reportedly underenforced.
  • Others add nuance: major exchanges throttle how many bid requests a low‑spend buyer sees; you don’t always get 100% of traffic.
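
What each bidder receives per impression, winner or not, as an added example that is not part of the original discussion. It assumes bid requests follow the OpenRTB 2.x JSON layout (device.ifa, device.ip, device.geo, app.bundle); the sample request and the audit_bid_request helper are constructed for illustration.

```python
import json

# OpenRTB 2.x device.geo.type values: where the location fix came from
GEO_TYPE = {1: "GPS/location services", 2: "IP address", 3: "user provided"}
# Advertising ID reported when the user has denied tracking (all zeros)
ZERO_IFA = "00000000-0000-0000-0000-000000000000"

# Constructed sample bid request; every value is made up for illustration.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "constructed-auction-1",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.game", "name": "Example Game"},
    "device": {
        "ifa": "11111111-2222-4333-8444-555555555555",
        "ip": "203.0.113.7",
        "geo": {"lat": 52.52, "lon": 13.40, "type": 2},
    },
    "user": {"id": "constructed-user-1"},
})

def audit_bid_request(raw):
    """Return the identifying fields visible to every bidder that gets this request."""
    req = json.loads(raw)
    device = req.get("device", {})
    geo = device.get("geo", {})
    ifa = None if device.get("ifa") == ZERO_IFA else device.get("ifa")
    exposed = {}
    for label, value in (
        ("app", req.get("app", {}).get("bundle")),
        ("advertising_id", ifa),
        ("ip", device.get("ip") or device.get("ipv6")),
        ("user_id", req.get("user", {}).get("id")),
    ):
        if value:
            exposed[label] = value
    if "lat" in geo and "lon" in geo:
        exposed["location"] = (geo["lat"], geo["lon"])
        exposed["location_source"] = GEO_TYPE.get(geo.get("type"), "unknown")
    # A stable device ID plus IP or coordinates makes each request a point on a track
    exposed["trackable"] = "advertising_id" in exposed and (
        "location" in exposed or "ip" in exposed)
    return exposed

if __name__ == "__main__":
    for key, value in audit_bid_request(SAMPLE_BID_REQUEST).items():
        print(f"{key}: {value}")
```

The location_source field separates a GPS fix from IP-derived coordinates, the distinction the thread draws about the dataset.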

Accuracy and granularity of location

  • IP geolocation accuracy varies widely by country, city, and ISP. Examples range from 30‑mile error to within a ZIP code or a neighborhood.
  • Even coarse data can reveal patterns: home/work, vacations, regular visits.

Mitigations and practical responses

  • Technical countermeasures mentioned:
    • Disabling background app refresh.
    • DNS‑level blocking (NextDNS, AdGuard), VPN with network‑wide adblock, on‑device blockers like 1Blocker.
  • Some users script checks against the leaked app list and migrate to alternatives (e.g., AntennaPod) or paid, ad‑free versions.

Advertising, capitalism, and consent

  • Long subthread debates whether advertising is inherently harmful vs. a neutral “vector” captured by greed.
  • Themes: manipulation without consent, psychological harm, distortion of markets vs. arguments that information and non‑surveillance ads can be legitimate.

Legal, regulatory, and societal context

  • FTC actions against location brokers are cited; in Europe such practices are described as largely illegal under GDPR.
  • Some note many people still dismiss privacy concerns with “nothing to hide,” making systemic change harder.