According to TechCrunch, X-Mode was paying app developers to track their app users through SDKs. Messaging apps, video and file converters, dating sites and religious apps were all part of the tens of millions of apps that were downloaded to date. Although Google and Apple banned all apps from sharing location information, some were caught still sending data to X-Mode in December. Many of the apps involved did not even inform their users of the data tracking.
The issue was detected by Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab, who found close to 200 Android apps that at some point over the past year contained X-Mode tracking code.
Looking into the matter for Digital Journal is Anurag Kahol, CTO and Cofounder of Bitglass.
Kahol explains why the issue is serious: “It’s unacceptable that almost 200 apps were illegally sharing their users’ data with a third-party organization. App developers hold a responsibility to their users to request explicit consent for data sharing and allow them full control over their private information. With tens of millions of app downloads historically accounted for sharing data with X-Mode, consumers who have been using these apps are at potential risk of physical harm, as their granular locations were shared.”
There are other concerns too, as Kahol explains: “In addition to violating users’ privacy, refusal to adhere to data privacy regulations like the CCPA could also result in steep compliance fines. Companies must understand the consequences involved with illegal data sharing and begin enabling security solutions that protect their users.”
To address such issues, Kahol recommends: “To maintain compliance, organizations can start by obtaining consent from users, then equip themselves with data loss prevention (DLP), multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) capabilities. By implementing a strong security protocol, companies can maintain visibility and control over data wherever it goes, while also preventing data trackers from accessing users’ private information.”