Hello community, I need advice. Is there anyone out there who could help me better understand how trackers work?
A tracker is a piece of code that attempts to call home (servers) to send back to a server information about the user, the device or its location.
A tracker comes usually with an app. But the same tracker could come as well with another app. Right?
Let’s assume, 2 different apps come with the same tracker (i.e. ‘Google Firebase Analytics’), both apps are installed on the device. When the tracker attempts to call home, I cannot differentiate anymore whether the information generated comes from App A or App B? Correct?
I am asking because I would like to understand whether there is a way to determine if one app is less desirable (or privacy unfriendly) than another one. The fact that one app comes with let’s say 4 trackers and the other one with 5 does not determine (yet) whether those trackers are actually activated, right?
Does that make sense?
Thanks for helping to clarify.
These tracking companies either offer services for app developers to make them integrate them for free, such as showing them information about how users use their apps, offer services that some users find convenient, such as login via Facebook, or they offer them monetary compensation for adding these trackers to their apps.
The trackers usually come in the form of a library that the developer adds to their app. They are usually black boxes of third party code the app interacts with at some key points. The developer has no direct control over what other activities that code engages in. So for example, a naive developer might add the Facebook SDK thinking they just allow users to login with Facebook, but they may not even be aware that the Facebook SDK also calls home every time the app gets launched, or, if the host app has access to photos, may hypothetically send the GPS locations of all photos in the photos library to Meta. Developers also have pretty much no straightforward way to check since they don’t have the source code of the tracking library. That being said, most who integrate them are aware and fully accept that these things are happening.
Each instance of the tracking library in each app usually acts independently. It knows which app it runs inside of, it often also gets user information from the app developer (such as what e-mail address was used for an account inside that app), and it can recognize the device with ad identifiers and fingerprints based on system specs, installed apps and so on. If that is not enough for the tracking company to combine information from different apps (and it almost always is), they can also look at the IP address all these connections come from and combine information that way. Depending on the platform (iOS, Android), rules differ on how much apps can talk to others, but suffice to say there are conditions under which trackers can also communicate with their counterparts inside other apps.
The number of trackers in an app is usually only an indication about how many different companies or services get your data, not necessarily which one is better or worse unless it’s something obvious like one having just Firebase Crashlytics to collect crash reports and the other one talking to 12 different ad companies in 5 different countries.
Trackers are almost always activated. It is very rare that they don’t get busy right away. The only real exceptions are crash reporting services that really only ever do what they are supposed to after an actual crash has occurred, but that’s pretty rare. Usually their purpose is to collect data to be sold and to be used for advertising.
less is better, zero is best (exceptions might apply)
I’d say the general rule of thumb should be to avoid apps with trackers as they can be considered “privacy unfriendly” per se.
That is why Aurora Store and App Lounge are using the absence or small amount of trackers as indicators for good privacy rating of apps.
In some cases it might be useful to not so much focus on the amount of trackers but on whether the tracker provides a function of the app that I might not be willing to go without (and block all others…)
If an app contains trackers, those trackers will simply do their job (unless they are blocked which might break functions).
(let’s also not forget that websites use trackers…)
Thanks so much @nanabanaman for the detailed explanations, thanks @obacht. To a large extent your replies confirm what I was assuming.
What I am trying to understand is whether I could make recommendations to a user in (dis)favor of an app according to the number of trackers/the tracker activity. Or whether it is rather not possible to generalise this.
I know that App Lounge provides an app rating - I don’t know exactly how this works, but I assume it takes into consideration the number of (known) trackers that the app contains and maybe weights certain trackers more than others. But this mechanism cannot be more than an approximation on the way to deciding whether an app is respecting my privacy or not so much.
But would I be able - once an app is installed and I can observe it working - to make a more qualified decision whether an app A is harming my privacy more than an app B? Or is the mechanism that App Lounge applies with its rating the most useful and effective that I could do (without knowing its exact functioning of course)?
In other words (to take a random example): Should I prefer installing Here WeGo Maps (privacy rating 8/10, 1 tracker) to Sygic GPS Maps (privacy rating 5/10, 4 trackers)? Or are there other aspects that I could observe/measure once an app is installed and running?
And: Does it make a difference whether I use an app actively, or it matters only that the app is actually installed?
If you want to observe what apps do (better: to where they try to connect) you can monitor the outgoing “traffic” via apps that utilize the VPN interface of the Android system, e.g. NetGuard or RethinkDNS, or by other more sophisticated means.
If you choose apps with trackers anyway you might simply choose the one you like the best from a user perspective (that still does not include too many trackers) and then block the trackers not needed for function… (try eOS Advanced Privacy trackers blocker or RethinkDNS or personalDNSfilter or Blokada or others)
Yes, some apps will connect outwards as soon as installed and they will do so even when not in use.
the more detail you want the more you have to dive in…
that's why I like simple rules of thumb
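The per-app observation suggested in the post above, as an added example that is not part of the original thread: a per-app connection log is matched against a tracker blocklist, so the same tracker embedded in two apps is counted separately for each, along with contacts made while the app was in the background. It assumes the monitoring tool can export such a log; the CSV layout, package names and tracker domains are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (hypothetical CSV layout: time, app package, domain, app state).
SAMPLE_LOG = """\
time,app,domain,state
09:00:01,com.example.maps_a,analytics.tracker-one.example,foreground
09:00:02,com.example.maps_a,tiles.maps-a.example,foreground
09:05:10,com.example.maps_b,analytics.tracker-one.example,foreground
09:05:11,com.example.maps_b,ads.tracker-two.example,foreground
02:13:40,com.example.maps_b,ads.tracker-two.example,background
02:13:41,com.example.maps_b,sdk.tracker-three.example,background
02:14:00,com.example.maps_b,nottracker-one.example,background
"""

# Constructed blocklist of tracker base domains (placeholders, not real trackers).
TRACKER_DOMAINS = {"tracker-one.example", "tracker-two.example", "tracker-three.example"}


def match_tracker(domain, blocklist):
    """Return the blocklist entry that domain equals or is a subdomain of, else None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def summarize(log_text, blocklist):
    """Per app: tracker contacts, contacts made while in background, distinct trackers."""
    per_app = defaultdict(lambda: {"contacts": 0, "background": 0, "trackers": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        tracker = match_tracker(row["domain"], blocklist)
        if tracker is None:
            continue  # first-party or unknown destination
        stats = per_app[row["app"]]
        stats["contacts"] += 1
        stats["background"] += row["state"] == "background"
        stats["trackers"].add(tracker)
    return dict(per_app)


if __name__ == "__main__":
    for app, s in sorted(summarize(SAMPLE_LOG, TRACKER_DOMAINS).items()):
        print(f"{app}: {s['contacts']} tracker contacts "
              f"({s['background']} in background) to {sorted(s['trackers'])}")
```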
Thanks @obacht. Very useful.
The reason why I am asking: I have quite some people in my surroundings that use /e/. Most of them are just users and not savvy. For now, when they look at the Advanced Privacy widget, they see a lot of trackers are blocked. But they acknowledge there are many (blocked) attempts to contact the outside. But it seems there is not an easy way to “retranslate” to them from what apps those attempts are coming from. Many users may see (ideally) the app rating once they install an app with App Lounge but it is difficult for them to relate those attempts to concrete apps. But creating this link would be helpful in order to make them better understand what apps they had better remove from their phones.
For the moment /e/ is lacking a kind of tool to make ‘suspicious’ app behavior tangible to average users.
I’d like to suggest an improvement but for now I am not (yet) able to outline this.
not sure if that hits your point and yes, the Advanced Privacy GUI could be more sophisticated … but I find it actually quite easy to identify which app's trackers are being blocked or not:
→ Advanced Privacy
→ if wanted: activate the “tracker blocker” feature (that's independent from fake location or hide my IP)
→ go to “manage app tracker”
→ find the list of apps (there's even a shortcut from the AP-widget to get exactly here → widget: lower right “Ansicht >”)
→ click the specific app
→ see the trackers that are blocked (or at least found)…
(the terms/wording in the GUI might differ…)
(I agree that the wording in that GUI is not always 100% clear and self-explanatory (at least not in German) and I do not like that browser app(s) collect the trackers from all the websites that were visited without further options for management, so … once the list of trackers from the browser gets longer it gets more and more difficult to tell which tracker belongs to which site… )