Sensor Tower allegedly harvested user data via mobile VPNs, ad blockers

What do you do when the very things that are supposed to protect you turn out to be the very things that harm you? What can you do when those things come from a company that, until today, may have been cited multiple times for its rich and deep data? Those are the questions that may be facing users, developers, and platform makers in light of news that Sensor Tower, one of the more popular analytics platform especially for mobile ecosystems, has been using rather shady methods to get that data it is so proud of.

You will often see Sensor Tower's name and its data mentioned in reports about everything from mobile app store statistics to game revenues. As such, it's understandably proud of how its data has been used as references because of their wide reach and deep insights. Unfortunately, the company may have employed questionable means to get there.

BuzzFeed reports that it was able to trace Sensor Tower's mark on over a dozen Android and iOS apps, none of which are published under its name. Company head of mobile insights Randy Nelson doesn't deny that and, in fact, cites market competition as the reason for masking its ownership of the apps. He also insists that Sensor Tower doesn't collect sensitive data or personally identifiable information (PII) but stops short of admitting the methods it used to get even anonymized data.

Many of these apps associated with the company take the form of VPNs and Ad Blockers, tools used to protect user privacy. Through sleight of hand, however, these apps get users to install root certificates that bypass Android's and iOS' usual security measures in order to access the data and its traffic to and from the phone. Such methods are not only against app store policies but also expose users to hacking by creating the equivalent of a backdoor.

Nelson says that Sensor Tower takes app store policies seriously but those apps linked to it have already been kicked out of Google Play Store and the iOS App Store. Neither Google nor Apple has given any comment other than they're investigating the matter on their own.