How to Identify iPhone Apps That May Contain Location-Tracking Ads
Earlier this year, 404 Media published another article about the location-tracking industry that surreptitiously gathers and resells our location data (for earlier coverage, see “Exposé Reveals Ongoing Smartphone Location Tracking Threats,” 23 October 2024). This piece highlighted another reason why allowing private companies to collect such information is concerning—one of the major players in the field was hacked. Gravy Analytics, the parent company of Venntel, which sold smartphone location data to the US government, reportedly lost “a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements.”
Despite the FTC later prohibiting both companies from collecting, using, and selling sensitive location data of Americans, all that data is reportedly now available for purchase. Among those compromised files was a list of over 12,000 iOS and Android apps that may have been—and may still be—exploited by data brokers to collect users’ location data. These apps do not contain malicious code; instead, they are part of the real-time bidding advertising ecosystem. When advertisers bid to place ads within apps, all firms participating in the bidding—including data brokers—are granted access to information about your device, including data that can be used to infer location.
Even browsing through a list of over 12,000 apps, many of which are for Android, feels overwhelming, let alone manually comparing all the apps on your iPhone to the master list. Fortunately, there is an automated way to determine which apps on our iPhones were involved, knowingly or not, in this location data collection scheme.
- Download Apple Configurator from the Mac App Store.
- Connect your iPhone to your Mac using a USB cable.
- If prompted, allow the iPhone to connect and install a driver update.
- Open Apple Configurator and select your iPhone.
- Choose Actions > Export > Info, select Device Information, and then select Installed Apps.

- Apple Configurator then lets you save a three-column CSV file. I’ll leave it as an exercise for the reader to delete the UDID and Seller columns and remove each app’s parenthetical version number. I used Modern CSV with a grep search to find and delete a string consisting of a space and any text in parentheses, but you could also do that in BBEdit or other apps. (Yes, I really do have 484 apps on my iPhone.)

- Download this text file with all 12,325 apps identified in the data breach to spare you the effort of copying data from the public Google Sheet shared by 404 Media.
- Once you have the list of apps on your iPhone and the text file of all the apps in the Gravy Analytics breach, run this command in Terminal to identify the apps that appear in both. To customize it with your filenames, use the arrow keys and delete key to remove file1.txt and then drag one of the files in; repeat the navigation with the arrow keys and character deletion for file2.txt before dragging in the second file. Press Return when you’re ready.

  comm -12 <(sort file1.txt | uniq) <(sort file2.txt | uniq)

- The results appear instantly. Only three of my 484 apps appear in the Gravy Analytics list: Citymapper, Tumblr, and Wattpad. I must have downloaded Citymapper long ago for some trip, I don’t use the Tumblr app, and I don’t even remember what Wattpad is. It was an easy decision to delete them.
Given that I hadn’t launched any of those apps in years, I don’t think I was particularly vulnerable to having my location data sucked up as part of the real-time bidding process. Nevertheless, this experience will make me even more cautious about downloading apps that display ads.
If you go through this process, please share the apps it identifies. Some people have come up with alternative approaches that include Apple apps, which Configurator does not, and then match those apps against what I believe are Android apps in the full list. There’s no reason to worry about Apple apps in this regard.
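The cleanup and comparison steps above can be scripted. The following is an added example, not part of the original article: it pulls the app-name column out of the Configurator CSV, strips the trailing parenthetical version and the carriage returns that a later comment reports in the export, and prints only exact name matches. The column position (2), the presence of a header row, and all sample names are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the article). Assumes a header row and that the
# app name, with its trailing " (version)", is in column 2 of the export;
# pass a different column number if your file differs.

# app_names CSV [COLUMN]: print one clean app name per line.
app_names() {
  tr -d '\r' < "$1" | awk -v col="${2:-2}" '
    NR == 1 { next }                      # skip the header row
    {
      # Split on commas, honouring double-quoted fields ("Foo, Inc.").
      split("", f); n = 0; cur = ""; q = 0
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c == "\"") {
          if (q && substr($0, i + 1, 1) == "\"") { cur = cur c; i++ }
          else q = !q
        } else if (c == "," && !q) { f[++n] = cur; cur = "" }
        else cur = cur c
      }
      f[++n] = cur
      name = f[col]
      sub(/ \([^()]*\)$/, "", name)       # drop the trailing " (1.2.3)"
      if (name != "") print name
    }'
}

# matches CSV BREACH_LIST [COLUMN]: names in both files, whole-line match only.
matches() {
  tmp=$(mktemp -d) || return 1
  app_names "$1" "${3:-2}" | LC_ALL=C sort -u > "$tmp/mine"
  tr -d '\r' < "$2" | LC_ALL=C sort -u > "$tmp/breach"
  LC_ALL=C comm -12 "$tmp/mine" "$tmp/breach"
  rm -rf "$tmp"
}

# Constructed sample data (not real export output or breach-list contents).
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\r\n' 'UDID,Name,Seller' \
    'PLACEHOLDER-UDID,Example Maps (11.2),"Example, Inc."' \
    'PLACEHOLDER-UDID,"Notes, Lists (Pro) (3.0.1)",Sample LLC' \
    'PLACEHOLDER-UDID,Example Mapster (1.0),Sample LLC' > "$d/apps.csv"
  printf '%s\n' 'Example Maps' 'Unrelated Game' > "$d/breach.txt"
  matches "$d/apps.csv" "$d/breach.txt"
  rm -rf "$d"
}
```

Source the file and run `matches export.csv breach.txt` with your own filenames. Because the comparison is on whole lines, the constructed "Example Mapster" entry is not reported just because it contains "Example Maps".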
Just to be clear, this only applies if you granted location access to the app. (Right?) I see a lot of games on my personal list. (Though the comm command you gave returned no results – I imported both lists into a spreadsheet and used a VLOOKUP.) But a) I would never grant location access to a game (no, I never played Pokemon Go), and b) I use 1Blocker’s firewall/local VPN tracker blocker so I rarely see ads, so theoretically all of that is being blocked at that level.
Tip: if you are using csh or tcsh you will get a redirect error with this command.
comm -12 <(sort file1.txt | uniq) <(sort file2.txt | uniq)
Missing name for redirect.
No error when using sh, bash, or zsh.
I had zero matches.
I didn’t want to install Configurator so here’s the process I used. Note that my CTRL-click is the same as ‘right click’.
When I made the comparison I was surprised to see three Apple apps that I have show up in the list (Calculator, Calendar, Weather). Of course, those could be Android apps with the same name as the apps on my iPhone, because I don’t think I’ve ever seen ads in the Apple versions of these three apps.
Adam, thank you for this!
Using zsh, my results were:
Last login: Thu Mar 13 19:04:56 on console
stanford@Williams-MacBook-Air-2 ~ % comm -12 <(sort /Users/stanford/Desktop/file1.csv t | uniq) <(sort /Users/stanford/Desktop/file2.txt t | uniq)
sort: No such file or directory
sort: No such file or directory
stanford@Williams-MacBook-Air-2 ~ %
I’m pleased!
As I understand it, no, not necessarily. The problem is that the real-time bidding process will share information about your device, like IP address, device IDs, nearby Wi-Fi networks and Bluetooth beacons, and more, that can be combined with other data to infer your location.
To my mind, any app that displays ads is potentially a conduit for this sort of privacy abuse.
Looks like you have typos in there—the extraneous letter t appears after each filename, and that’s causing the errors you see. Just rerun the command (press up arrow) and edit out those extra characters and try again.
Clever! I agree that the Apple apps you’re seeing are there purely because of Android equivalents.
I was dreading what I might find with my 250 apps, but … nothing. Yea!
Thanks for posting the links and detailed instructions, Adam.
Thanks for the clear instructions. My results: Citymapper and Trivia Crack
When I open Apple Configurator, it asks me to sign in: “Your managed Apple Account must have the Device Enrollment Manager role.” What am I missing?
Uh, Adam, thanks, hadn’t noticed! Thought I was being cleared.
Will give that another shot! :-)
Interesting. I did get some hits:
The last one is/was my electricity company. I hadn’t launched that app for years and I see that they are now saying uninstall the app and use the “enhanced web app”. I imagine enhanced with tracking.
I think the only app I didn’t want to remove was Badland, which was fun, though hadn’t played that for a long time. The others can go.
Thanks Adam.
r
397 apps. No matches. Nice morning exercise…
You must have device management enabled for some reason, and it’s set to disable access to Configurator. Do you have any profiles installed? This is not my area of expertise, but it seems odd an everyday Mac would have MDM. If it’s a work Mac that your employer manages, then yeah, it won’t let you do that.
No profiles, and I can’t recall ever setting MDM (General/Device Management is empty). How do I turn it off if it doesn’t show up?!
An alternate way of getting a list of apps is available to users of iMazing who don’t mind a little regex:
 \(.*
(Note there is supposed to be a space before the backslash)
Thanks. Unfortunately, that requires a $50 payment.
I’ve never quite figured out iMazing…much of what it can do is doable by iOS itself (this is one exception though!).
I’ve always heard “Where there’s a will, there’s a way.” For some odd reason, Preview would not allow text-grabbing from PNG screenshots of the listing of apps from Settings/Apps. So I took the screenshots of my apps, page by page; sent them to my iMac; opened them in Preview; then selected the text, ⌘C, ⌘N. For some equally odd reason, now Preview would allow me to select the text! ⌘C the text, switch to BBEdit, ⌘V, and voilà!
Well, I certainly got a surprise. Apple Apps were in my list! Adam did not report any Apple apps, though he surely had them on his device. Here is my result list:
The first three and the last one on my results don’t have any advertising; AFAICT Music has only Apple ads. The generically named apps are not duplicates of Apple apps; a search (swipe down from middle of home screen) reveals that I have no calculator, calendar, or messages apps (I do get several hits for ‘weather,’ but they’re not named just “Weather”). Are my results unusual?
My only app listed was letterboxd, the app I use to track movies that I watch. Weird - it doesn’t even show up in the Settings / Privacy / Location Services. Maybe it’s just the Android version that has the problem?
Whatever; it’s easy enough to uninstall and just use the web site when I need to update it.
Out of 154 apps, three were flagged: 7 Little Words, Bricks n Balls, Candy Crush Saga. The first two get used maybe once a year. But I have to admit I’m a bit of a Candy Crush addict.
You sure they’re not Android apps with the same names?
No, I’m not. But others are not reporting those four apps, so I’m left wondering why my comparison did report them.
I used iMazing to export my apps (tools, export info - then copy the app list and paste into a text file, and PowerShell to nuke everything including and after the first (.
comm -12 <(sort ~/Downloads/Applist.txt | uniq) <(sort ~/Downloads/BadApps.txt | uniq)
Hangman
MyFitnessPal
PAC-MAN
Solitaire
So, I’ve got four.
Hangman is from JamSoft and has no App Privacy info. Easy to delete.
I don’t actually have “PAC-MAN” – I have “PAC-MAN Moving Stickers”, from Bandai Namco. Again, no App Privacy info. Easy to delete even though it’s probably not actually a match. Figuring out HOW to delete it was more of a challenge (Messages, start a new message, click the + next to the message text input box, select stickers, scroll all the way to the right of the sticker apps list, click edit, click Edit on the Manage Sticker Apps page, then click the red - (delete) button next to the sticker app in the “ONLY IN STICKERS” section).
“Solitaire” is actually the Solebon Solitaire game from Solebon LLC, which has an App Privacy statement (User Content, Identifiers, Diagnostics collected but not linked). Probably safe, and I’ll keep it. I’m guessing that “Solitaire” will match a number of apps.
MyFitnessPal is the one that will be challenging - I use that for calorie tracking. They capture Identifiers and Usage Data, and there’s quite a bit linked (Health & Fitness, User Content, Usage Data, Contact Info, Identifiers, Diagnostics), although Diagnostics are also not linked (so I’m guessing two kinds of diagnostics).
Going to need to look into it further - I may need to look for an alternative.
7 Little Words
Clipbox
Mahjong
Solitaire
Tumblr
Voice Recorder
Like someone else mentioned, Apple “Calculator” was in my results, but I’ve ignored that.
I know I used the iMazing method to export apps, and Apple’s stock apps do not get exported using this method. I’m guessing that the Configurator method does not as well. However, if you scraped the names of apps from the App Library, that would explain it - the stock apps show up there.
That sounds reasonable to me. Mystery solved, thanks!
The only app that matched for me is “Calculator” which is not the Apple one, but an older HP/RPN calculator that I use. I’m a bit surprised since the app is really basic - just a clone of an HP48 calculator, and does not show any ads. So maybe it’s an Android or other app with the same name that it’s matching?
No idea, I’m afraid! MDM stuff is hard to figure out unless you work in an environment where it’s used. Perhaps try asking Perplexity.
As @ddmiller suggested, Configurator does not export any Apple app names in its list. My very strong suspicion is that the generically named apps are merely matching with Android apps in the Gravy Analytics list.
It’s not so much about Location Services as whether or not it displays ads. The ads can share other information that will leak your location.
Unfortunately, I can’t use either method because my 2011 iMac is maxed out at MacOS 10.13.6 and my 2015 MacBook Pro is maxed out at MacOS 12.7.6. Apple Configurator requires MacOS 14 and iPhone Mirroring requires MacOS 15.
Edit: I went back through the above responses and found I have two that have been reported here:
Citymapper & Solitaire (both aren’t used that often however.)
Edit 2: Can I just use the list of non-Apple apps that are in Settings on my iPhone? I only have 146
Edit 3: OK just checked my apps listed in Settings on my iPhone against the list and I found the following additional apps:
AOL
Docs-To-Go
Flight Tracker +
MPG
Opera Mini
Speedtest by Ookla
I had an issue with the Apple Configurator export having CRLF line endings when the file provided by Adam had LF line endings – thus even when there was overlap, the “comm” method didn’t match. I had to remove the CRs using “td” and then I saw that Letterboxd showed up.
Just browsing through the list, I’m surprised to see the Opera browser there. Kinda ironic when it’s supposed to have a built-in ad and tracker blocker.
Many thanks Adam! I found two culprits on my iPhone and iPad:
Both now are gone and will not be missed.
My results:
Likewise, for my 181 apps. Quel relief.
Thanks, Adam. Another very interesting and helpful post!
I listed my installed apps using iMazing, extracted the names using Shottr into a TextEdit file and successfully ran your Terminal command.
AutoScout24
Citymapper
MPG
Sudoku
WetterOnline
For an exercise I used Vlookup in Numbers and got the same result.
Will dearly miss WetterOnline and CityMapper.
Am I correct in thinking that if an App is tracking you, you see the little arrow up at the top right side? Or is that NOT an indicator of tracking?
That arrow icon means an app is using location services (that is, it is requesting your location), but it doesn’t mean the app is sending your location to a server somewhere (let alone what the server is doing with that location).
For instance, if you have an off-line navigation app, it will be constantly reading your location, but will only be using it to determine what part of the map to display.
Or it could send the coordinates to a server for legitimate purposes. For instance Apple Maps sends your location to a server in order to compute the best route to your destination, and in order to download the map segments it needs to display. But the server does not (assuming you believe Apple) retain this data for purposes beyond the requirements of the Maps app.
Similarly, if an AirTag is detected over Bluetooth, it will send your location to the AirTag tracking server, but (assuming you believe Apple) that location is only retained for the purpose of tracking the tag, not for tracking you.
Or it could be a scammy app (like everything from Google and Meta), that sends a detailed history of your location to a server, so it can track everywhere you go, in order to target advertising to you. And probably many other purposes, including selling it to anybody who wants to pay for it.
Trying to keep up with Adam with my 462 apps…my list only had two on it:
Citymapper
File Explorer
Thanks for the info and instructions. I’m down to 460 apps now :)
No matches with my puny 86 mainstream apps. (Reducing gradually)
I used FileMaker to match the two lists after having cleaned them up in BBEdit with GREP:
space\(.*\n replace with \n to remove the app version numbers.
Apple Configurator is fun!
Thanks Adam!
Of my 350 apps the following showed up:
2048
Calculator
Calculator₊
Snake VS Block
Solitaire
Wattpad (@ace I recall using this to read some serials many years ago)
Interestingly, the Calculator+ app from Impala Studios prompted me with the following when I went to delete it:
Update: I deleted it anyway
After checking my purchase history I also found out that the original name for apps you download can change over time, I guess when you let them update? The other “Calculator” app that I removed was called “MyScript Calculator - Handwriting calculator” when I installed it back in 2013. I guess I learned something extra today!
Hi Adam, thanks for this very useful article. I tried to use the supplied Terminal command, but that didn’t work. I found another one - very short - that did:
fgrep -f A B
For me a long list turned up, among which many apps I use a lot. Many are very popular in the Netherlands.
Marktplaats (trading second hand stuff)
myTunerRadio
WeatherRadar
HelloWeather
NPORadio1
9292 (one of the oldest public transport apps)
xCalendar
Solitaire+
NPORadio5
WeatherPro
AbbotHallArtGallery
Citymapper
NPORadio2
Chess
Wordfeud (very popular)
Radio
RadioFrance (very good music on their FIP-channel)
Radios
So that’s 18 apps from a total of 413 (I use a lot of apps).
One question: how do I distinguish iOS from Android apps in the list of corrupted apps?
Best, Johan Olie
Alas, there’s no way to distinguish the iOS apps from Android apps in the big list. My assumption was that if you had a match, it was probably going to be real, since I saw no reason the Android version of an app would serve ads differently than the iOS version.
Thanks Adam!
Best regards,
Johan Olie
808 apps!
2048
Citymapper
Letterboxd
MyFitnessPal
Tumblr
The grep string I used in BBEdit to strip extraneous info:
Find: \s\(([0-9_].*)\n
Replace: \n
255 Apps - one match: Chess
I also used FileMaker along with your GREP – space\(.*\n replace with \n – in BBEdit.
Thanks Adam and Dilettante.
I managed this at last. I do little programming so I struggled with some of the steps. I deleted the extra columns in Numbers and the version numbers with regex in SubEthaEdit.
The comm command did not work in Terminal! I found a comment here that pointed to using bash which I found in iTerm.
No matches! I knew there should be because Citymapper was in both txt files. A comment here suggested line endings were the problem so I used TextSoap to fix. (What is td?)
i7:Downloads jovike$ comm -12 <(sort breach.txt | uniq ) <(sort iPhoneapps.txt | uniq)
Chess
Citymapper
Cut the Rope
Minesweeper
Scrabble
Teeny Tiny Town
UpNote