In a significant privacy breach, thousands of widely-used mobile applications—including Candy Crush, Tinder, and MyFitnessPal—have been implicated in unauthorized location data harvesting, Wired is reporting.
This breach, which stems from hacked files belonging to a prominent location data firm Gravy Analytics, exposes how the advertising ecosystem is exploited to collect users’ precise movements without their consent or knowledge.
The compromised data encompasses a vast array of apps across both Android and iOS platforms. Beyond popular games and dating services, the list includes period trackers, religious prayer apps, fitness applications, and even virtual private network (VPN) services. Notably, many app developers were unaware of this covert data collection.
This large-scale data harvesting operates via real-time bidding (RTB) within the online advertising industry. In RTB, advertisers bid to display ads to users in real-time. However, this process inadvertently allows data brokers to intercept and collect users’ location information. By participating in the RTB process, these brokers can access sensitive data without embedding specific tracking code into the apps.
The unauthorized collection of location data poses significant privacy risks. Sensitive information about individuals’ daily routines, religious practices, health status, and personal relationships can be inferred from their location history.
In response to these practices, the Federal Trade Commission (FTC) has taken action against data brokers involved in unlawful data collection. In December 2024, the FTC filed a complaint against Gravy Analytics and its subsidiary Venntel for collecting and selling user location data without consent.
Several app developers and companies have denied any knowledge of or involvement with Gravy Analytics. For instance, Tinder stated that it has no relationship with Gravy Analytics and no evidence that data was obtained from its app. Similarly, Muslim Pro, a popular prayer app, expressed unawareness of Gravy’s activities.
Despite these assertions, the pervasive nature of RTB makes it difficult for app developers to fully control or even be aware of how user data is exploited within the advertising ecosystem.
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
