New Report Finds that Facebook SDK Automatically Pulls Data from Many Popular Android Apps

Facebook is on the wrong side of a privacy discussion, again. Privacy International recently published research indicating that almost half of Android apps have the ability to share data with Facebook, ranking Facebook second in third-party tracking on the Google Play store (Google being first). Accordingly, Privacy International chose 34 popular Android apps and analyzed their sharing with Facebook through the Facebook SDK. The most alarming result commands attention:

"We found that at least 61 percent of apps we tested automatically transfer data to Facebook the moment a user opens the app," the report concluded. "This happens whether people have a Facebook account or not, or whether they are logged into Facebook or not."

Privacy International analyzed some of the most popular Android apps with user bases between 10 and 500 million. Apps tested span genres and include companies like Dropbox, Tripadvisor, Spotify, Candy Crush, Kayak, Yelp, WeChat, King James Bible, Opera, and more. The apps were tested between August 2018 and December 2018.

The automatic transmission of data described in the report first occurs when the app communicates with the Facebook SDK after initialization. The first data transmitted is event data such as "App installed" or "SDK initialized". This basic data reveals that a specific user is using an app every time the user opens the app. The data is transmitted to Facebook along with a unique identifier, typically used for advertising purposes. Once this data is paired, and then combined with data gathered from the many apps automatically sharing data with Facebook:

"[D]ata from different apps can paint a fine-grained and intimate picture of people's activities, interests, behaviors and routines, some of which can reveal special category data, including information about people's health or religion."

In addition to the automatically transmitted events and identifier data, Privacy International also found that many apps by default share more sensitive data (e.g. searches, travel plans, number of children, tickets purchased, etc.).

The legality of Facebook's SDK Integration is certainly in question. Facebook has historically put the burden of user permission on the app developer. However, prior to v4.34 of the Facebook SDK (released June 2018), developers could not turn off the events-based automatic sharing. Starting with v4.34, developers have a "delay" option by which they can disable most automatic event data sharing.
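An added example, not taken from the report or from Facebook's code: a small audit that checks a decoded `AndroidManifest.xml` for the application-level `meta-data` switches that control the SDK's automatic behavior. The three key names come from Facebook's Android SDK documentation rather than from this article, each is assumed to default to enabled when absent, and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Key names from Facebook's Android SDK documentation (not from the article).
FLAGS = (
    "com.facebook.sdk.AutoLogAppEventsEnabled",
    "com.facebook.sdk.AutoInitEnabled",
    "com.facebook.sdk.AdvertiserIDCollectionEnabled",
)

def audit_manifest(manifest_xml):
    """Map each flag to 'disabled', 'enabled', 'default-enabled' or 'unresolved'."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    found = {}
    if app is not None:
        # Only <meta-data> directly under <application> is considered here.
        for md in app.findall("meta-data"):
            name = md.get(f"{{{ANDROID_NS}}}name")
            if name in FLAGS:
                found[name] = (md.get(f"{{{ANDROID_NS}}}value") or "").strip().lower()
    report = {}
    for flag in FLAGS:
        value = found.get(flag)
        if value is None:
            report[flag] = "default-enabled"   # assumption: absent means on
        elif value.startswith("@"):
            report[flag] = "unresolved"        # resource reference, check res/values
        elif value == "false":
            report[flag] = "disabled"
        else:
            report[flag] = "enabled"
    return report

# Constructed sample manifests (hypothetical package names).
UNCONFIGURED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.a"><application/></manifest>"""

DELAYED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.b"><application>
  <meta-data android:name="com.facebook.sdk.AutoLogAppEventsEnabled" android:value="false"/>
  <meta-data android:name="com.facebook.sdk.AutoInitEnabled" android:value="@bool/fb_init"/>
</application></manifest>"""

if __name__ == "__main__":
    for label, xml in (("unconfigured", UNCONFIGURED), ("delayed", DELAYED)):
        print(label, audit_manifest(xml))
```

A flag reported as `disabled` only shows the manifest default; the app can still turn collection on at runtime, so the result is a starting point for review rather than proof that nothing is sent.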
