{"id":53096,"date":"2025-02-27T04:25:19","date_gmt":"2025-02-27T09:25:19","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53096"},"modified":"2025-02-27T04:25:19","modified_gmt":"2025-02-27T09:25:19","slug":"disable-mobile-app-ad-tracking","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/53096\/","title":{"rendered":"How smartphones build a dossier on you"},"content":{"rendered":"<p>You\u2019ve probably heard the rumor \u2014 our smartphones are always listening. But the truth is, they don\u2019t need to. The information shared with data brokers by virtually every app on your smartphone, from games to weather apps, is more than enough to create a detailed profile on you. For a long time, \u201conline tracking\u201d had meant that search engines, ad systems, and advertisers all knew which <em>websites<\/em> you visited. But since smartphones appeared on the scene, the situation has become much worse: now advertisers know where you go <em>physically<\/em> and how often. So, how do they do it?<\/p>\n<p>Every time any mobile app prepares to show an ad, a lightning-fast auction takes place to determine which specific ad you\u2019ll see based on the data sent from your smartphone. And although you only see the winning ad, <em>all<\/em> the participants in the auction receive data about the potential viewer \u2014 that is, you. A <a href=\"https:\/\/timsh.org\/tracking-myself-down-through-in-app-ads\/\" target=\"_blank\" rel=\"nofollow noopener\">recent experiment<\/a> showed just how many companies receive this information, how detailed it is, and how ineffective built-in smartphone features like \u201cDo Not Track\u201d and \u201cOpt Out of Personalized Ads\u201d are at protecting users. 
Nevertheless, we still recommend some <a href=\"https:\/\/www.kaspersky.com\/home-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener nofollow\">protection methods<\/a>!<\/p>\n<h2>What data do advertisers receive?<\/h2>\n<p>Every mobile app is built differently, but most start \u201cleaking\u201d data to ad networks even before displaying any ads. In the experiment mentioned earlier, a mobile game immediately sent an extensive array of data to the Unity Ads network upon launch:<\/p>\n<ul>\n<li>Information about the smartphone, including OS version, battery level, brightness and volume settings, and available memory<\/li>\n<li>Data about the network operator<\/li>\n<li>Type of internet connection<\/li>\n<li>Full IP address of the device<\/li>\n<li>Vendor code (the game developer\u2019s identifier)<\/li>\n<li><strong>Unique user code<\/strong> (IFV) \u2014 an identifier linked to the game developer and used by an ad system<\/li>\n<li>Another <strong>unique user code<\/strong> (IDFA\/AAID) \u2014 an ad identifier shared by all apps on the smartphone<\/li>\n<li><strong>Current location<\/strong><\/li>\n<li>Consent for ad tracking (yes\/no)<\/li>\n<\/ul>\n<p>Interestingly, the location is transmitted even if the service is disabled on the smartphone. It\u2019s approximate though, calculated based on the IP address. However, with publicly available databases matching physical and internet addresses, this approximation can be surprisingly accurate \u2014 down to the city district or even the building. If location services are enabled and allowed for the app, precise location data is transmitted.<\/p>\n<p>In the same experiment, the consent for ad tracking was marked as \u201cUser Agreed\u201d, even though the experiment\u2019s author did not provide such consent.<\/p>\n<h2>Who gets the data, and how often?<\/h2>\n<p>The data stream is sent to all ad platforms integrated into the app. 
There are often several such platforms, and a complex algorithm determines which one will be used to show the ad. However, some data is shared with all connected networks \u2014 even those that aren\u2019t currently showing ads. In addition to the above-mentioned Unity (whose ad platform generates <a href=\"https:\/\/investors.unity.com\/news\/news-details\/2025\/Unity-Reports-Fourth-Quarter-and-Fiscal-Year-2024-Financial-Results\/default.aspx\" target=\"_blank\" rel=\"nofollow noopener\">66% of revenue<\/a> for developers using this game engine), other major platforms include those of Facebook, Microsoft, Google, Apple, Amazon, and dozens of specialized companies like ironSource.<\/p>\n<p>Next, the ad network currently displaying ads in the app sends a large set of user data to a real-time bidding system (RTB). Here, various advertisers analyze the data and bid to display their ads, all at lightning-fast speeds. You view the winning ad, but information about your location, combined with the exact time, IP address, and all other data, is shared with <em>every auction participant<\/em>. According to the experiment\u2019s author, this data is collected by hundreds of obscure firms, some of which may be <a href=\"https:\/\/www.kaspersky.com\/blog\/disable-rtb-ad-tracking-law-enforcement-spy-agencies\/51019\/\" target=\"_blank\" rel=\"noopener nofollow\">shell companies owned by intelligence agencies<\/a>.<\/p>\n<p>This <a href=\"https:\/\/timsh.org\/content\/media\/2025\/01\/Screen-Recording-2025-01-19-at-00.02.51.mp4\" target=\"_blank\" rel=\"nofollow noopener\">video<\/a> from the experiment shows how connections to ad servers were made dozens of times per second, and even Facebook received data despite the fact that no Meta apps were installed on the experimenter\u2019s smartphone.<\/p>\n<h2>The illusion of anonymity<\/h2>\n<p>Ad-network owners love to claim that they use anonymous and depersonalized data for ad targeting. 
In reality, advertising systems go to great lengths to accurately identify users across different apps and devices.<\/p>\n<p>In the data set mentioned above, two different user codes are listed: IFV and IDFA\/AAID (IDFA for Apple, AAID for Android). A separate IFV is assigned to your device by each app developer. If you have three games from the same developer, each of these games will send the same IFV when showing ads. Meanwhile, apps from other developers will send their own IFVs. The IDFA\/AAID, on the other hand, is a unique advertising identifier assigned to the entire smartphone. If you\u2019ve agreed to \u201cad personalization\u201d in your phone\u2019s settings, all games and apps on your device will use the same IDFA\/AAID.<\/p>\n<p>If you disable ad personalization, or decline consent, the IDFA\/AAID is replaced with zeros. But IFVs will continue to be sent. By combining the data transmitted with each ad display, advertising networks can piece together a detailed dossier on \u201canonymous\u201d users, linking their activity across different apps through these identifiers. And as soon as the user enters their email address, phone number, payment details, or home address anywhere \u2014 such as when making an online purchase \u2014 the anonymous identifier can be linked to this personal information.<\/p>\n<p>As we discussed in our <a href=\"https:\/\/www.kaspersky.com\/blog\/geolocation-data-broker-leak\/53050\/\" target=\"_blank\" rel=\"noopener nofollow\">article on the Gravy Analytics data leak<\/a>, location data is so valuable that some companies posing as ad brokers are created solely to collect it. Thanks to IFV \u2014 especially IDFA\/AAID \u2014 it\u2019s possible to map out the movements of \u201cMr. X\u201d and often de-anonymize him using just this data.<\/p>\n<p>Sometimes, complex movement analysis isn\u2019t even necessary. 
Databases linking ad identifiers to full names, home addresses, emails, and other highly personal details can be simply sold by unscrupulous brokers. In such cases, detailed personal data and a comprehensive location history form a complete dossier on the user.<\/p>\n<h2>How to protect yourself from ad tracking<\/h2>\n<p>In practice, neither strict laws like the <a href=\"https:\/\/en.wikipedia.org\/wiki\/General_Data_Protection_Regulation\" target=\"_blank\" rel=\"nofollow noopener\">GDPR<\/a> nor built-in privacy settings provide complete protection against the tracking methods described above. Simply pressing a button in an app to disable ad personalization is not even a half-measure \u2014 it\u2019s more like a tenth of a measure. The fact is, this only removes <em>one<\/em> identifier from the telemetry data, while the rest of your data is still sent to advertisers.<\/p>\n<p>Cases like the <a href=\"https:\/\/www.kaspersky.com\/blog\/geolocation-data-broker-leak\/53050\/\" target=\"_blank\" rel=\"noopener nofollow\">Gravy Analytics data leak<\/a> and the <a href=\"https:\/\/www.wired.com\/story\/rtb-location-data-us-military\/\" target=\"_blank\" rel=\"nofollow noopener\">scandal involving the Datastream data broker<\/a> demonstrate the scale of the problem. The ad-tracking industry is enormous, and exploits almost any app \u2014 not just games. Moreover, location data is purchased by a wide range of entities \u2014 from advertising firms to <a href=\"https:\/\/www.kaspersky.com\/blog\/disable-rtb-ad-tracking-law-enforcement-spy-agencies\/51019\/\" target=\"_blank\" rel=\"noopener nofollow\">intelligence agencies<\/a>. Sometimes, <a href=\"https:\/\/www.kaspersky.com\/blog\/geolocation-data-broker-leak\/53050\/\" target=\"_blank\" rel=\"noopener nofollow\">hackers obtain this information for free<\/a> if a data broker fails to adequately protect their databases. 
To minimize the exposure of your data to such leaks, you\u2019ll need to take some significant precautions:<\/p>\n<ul>\n<li>Only allow location access for apps that genuinely need it for their primary function (e.g., navigation apps, maps, or taxi services). For example, delivery services or banking apps don\u2019t actually need your location to function \u2014 let alone games or shopping apps. You can always manually enter a delivery address.<\/li>\n<li>In general, grant apps the minimum permissions necessary. Do not allow them to track your activity in other apps, and do not grant full access to your photo gallery. Malware has been developed that can <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\">analyze photo data using AI<\/a>, and unscrupulous app developers could potentially do the same. Additionally, all photos taken on your smartphone include geotags by default, among other information.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/secure-dns-private-dns-benefits\/47209\/\" target=\"_blank\" rel=\"noopener nofollow\">Configure a secure DNS service with ad-filtering functionality<\/a> on your smartphone. This will block a significant amount of advertising telemetry.<\/li>\n<li>Try to use apps that don\u2019t contain ads. These are typically either FOSS (Free Open Source Software) apps or paid applications.<\/li>\n<li>On iOS, <a href=\"https:\/\/www.kaspersky.com\/blog\/apptracking-transparency-in-ios-ipados-tvos-14-5\/39690\/\" target=\"_blank\" rel=\"noopener nofollow\">disable the use of the advertising identifier<\/a>. On Android, <a href=\"https:\/\/support.google.com\/googleplay\/android-developer\/answer\/6048248?hl=ru\" target=\"_blank\" rel=\"nofollow noopener\">delete or reset it at least once a month<\/a> (unfortunately, it cannot be completely disabled). 
Remember, these actions reduce the amount of information collected about you but don\u2019t entirely eliminate tracking.<\/li>\n<li>Where possible, avoid using \u201cSign in with Google\u201d or other similar services in apps. Try to use apps without creating an account. This makes it harder for advertisers to collate your activity across different apps and services into a unified advertising profile.<\/li>\n<li>Minimize the number of apps you have on your smartphone, and regularly delete unused apps \u2014 they can still track you even if you\u2019re not actively using them.<\/li>\n<li>Use robust security solutions on all your devices, such as <a href=\"https:\/\/www.kaspersky.com\/premium?icid=gl_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Premium<\/a>. This helps protect you from more aggressive apps, whose advertising modules can be <a href=\"https:\/\/www.kaspersky.com\/blog\/whats-the-deal-with-adware-on-android\/3013\/\" target=\"_blank\" rel=\"noopener nofollow\">as malicious as spyware<\/a>.<\/li>\n<li>In the <a href=\"https:\/\/www.kaspersky.com\/home-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky<\/a>\u00a0settings in your smartphone, activate the <strong>Anti-Banner<\/strong> and <strong>Private Browsing<\/strong> options on iOS, or <strong>Safe Browsing<\/strong> on Android. 
This makes it significantly more difficult to track you.<\/li>\n<\/ul>\n<blockquote><p>If smartphone surveillance doesn\u2019t concern you yet, here are some chilling stories about who is spying on us and how:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/geolocation-data-broker-leak\/53050\/\" target=\"_blank\" rel=\"noopener nofollow\">Who are geolocation data brokers and what happens when they \u201cleak\u201d<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/android-device-identifiers\/31755\/\" target=\"_blank\" rel=\"noopener nofollow\">How advertisers learn which apps you use<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/running-apps-privacy-settings-part1-common\/52403\/\" target=\"_blank\" rel=\"noopener nofollow\">Running without being tracked: privacy in running apps<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/car-manufacturers-silently-sell-user-telematics-data\/51245\/\" target=\"_blank\" rel=\"noopener nofollow\">I know how you drove last summer<\/a><\/li>\n<li>and <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/tracking\/\" target=\"_blank\" rel=\"noopener nofollow\">many more similar stories<\/a>\u2026<\/li>\n<\/ul>\n<\/blockquote>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>We break down the most covert mechanism of smartphone surveillance using real-life 
examples.<\/p>\n","protected":false},"author":2722,"featured_media":53097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[810,105,14,282,22,1250,26,43,768,321,131,812],"class_list":{"0":"post-53096","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-ads","9":"tag-android","10":"tag-apple","11":"tag-cybersecurity","12":"tag-google","13":"tag-ios","14":"tag-iphone","15":"tag-privacy","16":"tag-surveillance","17":"tag-technology","18":"tag-tips","19":"tag-tracking"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/53096\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/disable-mobile-app-ad-tracking\/28625\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/23865\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/12303\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/disable-mobile-app-ad-tracking\/28742\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/disable-mobile-app-ad-tracking\/27976\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/disable-mobile-app-ad-tracking\/30795\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/disable-mobile-app-ad-tracking\/29490\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/disable-mobile-app-ad-tracking\/39138\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/disable-mobile-app-ad-tracking\/13196\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/disable-mobile-app-ad-tracking\/22619\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/disable-mobile-app-ad-tracking\/23468\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/disable-mobile-app-a
d-tracking\/31984\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/disable-mobile-app-ad-tracking\/28866\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/disable-mobile-app-ad-tracking\/34691\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/disable-mobile-app-ad-tracking\/34321\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/privacy\/","name":"privacy"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53096"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53096\/revisions"}],"predecessor-version":[{"id":53102,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53096\/revisions\/53102"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53097"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}