A massive breach revealed last week exposed location data from apps on millions of iPhones and Android phones. But at least iPhone users have better protection against exposure through a simple action they can take against app tracking, a new report noted Monday.
Gravy Analytics, one of the world’s largest location data brokers, disclosed the big data breach last week. Leaked data points came from smartphone apps ranging from popular mobile games like Candy Crush to dating apps and pregnancy-tracking applications. While investigations into the breach continue, experts point out that iPhones and iPads have a pretty simple way of avoiding exposure in the first place.
iPhone and iPad users’ advantage in major Gravy Analytics location-data breach
The breach occurred when hackers gained unauthorized access to Gravy Analytics’ Amazon Web Services cloud storage environment, potentially compromising several terabytes of consumer data, according to TechCrunch and others. The location data broker, which claims to track more than a billion devices globally each day, discovered the breach on January 4 after receiving communication from the hackers.
The scope of the breach is substantial. Hackers already published a sample dataset containing more than 30 million location data points. Security researchers analyzing the leaked data have found sensitive locations including the White House, Kremlin, Vatican and military bases worldwide.
The data can be used to track individuals’ movements with remarkable precision. For example, security experts demonstrated they could use the data to follow one person’s journey from New York to their home in Tennessee.
The incident drew attention to the complex web of data collection in the mobile advertising industry. Gravy Analytics obtains much of its location data through a process called real-time bidding. In it, advertisers compete in millisecond-long auctions to display ads on users’ devices. During these auctions, bidders can access various device information, including location data, IP addresses and other technical details. Then they can combine that “bidstream” data with other sources to create detailed profiles of individuals’ movements and behaviors.
iPhone users’ advantage
But the breach highlighted a crucial privacy advantage for iPhone and iPad users, as TechCrunch pointed out. While both Android and iOS devices offer privacy-protection features, Apple’s operating system provides a more straightforward and comprehensive approach to preventing location tracking.
iPhone users can completely opt out of app tracking through a single setting. Or they can address it on a per-app basis by making apps request permission. Opting out effectively anonymizes individual devices by making them indistinguishable from others. The feature, accessible through the Tracking options in Settings, offers a significant layer of protection against the kind of data collection that was exposed in the breach. Read more about how to use the feature and see what Apple suggests.
For consumers concerned about their privacy, experts recommend using ad blockers and mobile content blockers to prevent advertising surveillance. While both Android and iPhone users can take steps to protect their privacy, iPhone’s unified tracking prevention feature provides a more robust solution. Android users are advised to regularly reset their advertising IDs and carefully manage their location-sharing permissions to minimize their data footprint.
FTC recently acted against Gravy Analytics
The breach comes at a particularly challenging time for Gravy Analytics, as it follows recent regulatory action by the Federal Trade Commission. Just weeks before the breach, the FTC banned the company and its subsidiary Venntel from collecting and selling Americans’ location data without explicit consumer consent. The FTC’s order specifically addressed concerns about the company tracking individuals at sensitive locations such as healthcare clinics and military installations.
Security experts, including Baptiste Robert, CEO of digital security firm Predicta Lab, warned about the serious implications of this breach. Robert demonstrated how someone could use the leaked data to identify military personnel by cross-referencing location data with known military facilities. Additionally, privacy advocates raised concerns about the dataset’s potential to expose LGBTQ+ individuals in countries that criminalize homosexuality.
In response to the breach, Gravy Analytics parent company Unacast filed notices with data protection authorities in Norway and the United Kingdom. The company’s website and several associated domains went offline after the incident. Investigations continue to determine the full extent of the data compromise.
