Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.
Since 2015, Sensor Tower has owned at least 20 Android and iOS apps. Four of these — Free and Unlimited VPN, Luna VPN, Mobile Data, and Adblock Focus — were recently available in the Google Play store. Adblock Focus and Luna VPN were in Apple's App Store. Apple removed Adblock Focus and Google removed Mobile Data after being contacted by BuzzFeed News. The companies said they continue to investigate.
Once installed, Sensor Tower's apps prompt users to install a root certificate, a small file that lets its issuer access all traffic and data passing through a phone. The company told BuzzFeed News it only collects anonymized usage and analytics data, which is integrated into its products. Sensor Tower’s app intelligence platform is used by developers, venture capitalists, publishers, and others to track the popularity, usage trends, and revenue of apps.
Armando Orozco, an Android analyst for Malwarebytes, said giving root privileges to an app exposes a user to significant risk.
“Your typical user is going to go through this and think, Oh, I’m blocking ads, and not really be aware of how invasive this could be,” he said.
Randy Nelson, Sensor Tower’s head of mobile insights, said the company did not disclose ownership of the apps for competitive reasons.
“When you consider the relationship between these types of apps and an analytics company, it makes a lot of sense — especially considering our history as a startup,” he said, adding that the company originally started with the goal of building an ad blocker. (He was unable to provide media coverage or other evidence of this early focus.)
Nelson said the company’s apps do not collect sensitive data or personally identifiable information and that “the vast majority of these apps listed are now defunct (inactive) and a few are in the process of sunsetting.”
In most cases, the apps are no longer available because they were removed due to policy violations. A dozen of the Sensor Tower apps were previously removed from the iOS App Store due to violations, according to an Apple spokesperson. After being contacted by BuzzFeed News, Apple removed Adblock Focus and said it is continuing to investigate Luna VPN.
Google is investigating the apps but did not comment by deadline.
“We take the app stores’ guidelines very seriously and make a concerted effort to comply with them, along with any changes to these rules that occur from time to time,” Nelson said.
Apple and Google restrict root certificate privileges due to the security risk to users. Sensor Tower’s apps bypass the restrictions by prompting users to install a certificate through an external website after an app is downloaded.
Luna VPN, for example, shows a notification that offers the ability to block ads on YouTube if a user adds the Adblock extension, another Sensor Tower product. This kick-starts a process that results in a root certificate installation.
“Our apps do not track, request, or store any sensitive user data such as passwords, usernames, etc., from users or other apps on a user’s device, including web browsers,” Nelson said.
BuzzFeed News connected the apps to Sensor Tower by discovering they contain code authored by developers who work for the company. The online résumé of one Sensor Tower developer, whose GitHub username is in the code of multiple apps, said he built “Android apps to power the Sensor Tower analytics platform.” The personal website of another Sensor Tower developer said he’s “Working on awesome top secret iOS Projects.”