Facebook can tell when Android users open certain apps and for how long they use them. In addition, some apps may transmit much more detailed information. This happens through the Facebook SDK that app developers build into their apps.
It does not matter whether people are logged in to Facebook or not, according to a report by the British privacy organization Privacy International. If an app can’t forward a Facebook ID, it uses Google’s Android Advertising ID (AAID). The notification, a call to graph.facebook.com, reveals that a user has opened an app, and other calls reveal when the user closes it. This happens with many apps, including Spotify, Tripadvisor, Skyscanner and Duolingo.
In many cases, apps send data the moment users open the app. Many of those apps offer the option to log in via Facebook, but whether users do that does not matter for the data collection. There now appears to be a feature to postpone the first API call in order to comply with the European privacy legislation, the GDPR. Many developers are not using that feature yet and may be violating the GDPR.
Some apps transmit more data. For example, the Kayak app passes along which searches users are conducting, such as which city they want to fly from and which destination they have searched for. The data can be combined using the Facebook ID or AAID, which allows Facebook to know which apps containing the Facebook SDK a user has opened. In this way, it can build a profile of data and interests.
An employee of Privacy International has also made a data request to Facebook based on his email address and AAID, but has not received any data from the social media company. Facebook does not explain this, but seems to have difficulty with data requests from users without a Facebook account.
It is unknown how many Android apps use Facebook’s SDK. Only apps that use it send data to the American company. The researchers selected apps that referenced Facebook in the APK file, so the study is not representative of all Android apps.
For the study, Privacy International used a Nexus 5 with LineageOS based on Android 8.1. That was not the latest version at the time of testing, which was Android 9.0 Pie. The researchers used mitmproxy to intercept data on a laptop running Debian 10. The test of 34 apps took place between August and December this year. Some apps were tested multiple times. It is unknown whether and how Facebook used the data collected in this way.
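The kind of audit an intercepted capture like this supports, as an added example that is not Privacy International's tooling: it reports, per app, how soon after launch the first call to graph.facebook.com went out, how many calls preceded consent, and whether an advertising ID was sent. The capture format, app names, paths and the `advertiser_id` field name are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

TRACKER_HOST = "graph.facebook.com"  # host named in the report

# Constructed sample capture: (seconds since app launch, app, URL, form body).
# Package names, paths and form fields are illustrative, not real traffic.
CAPTURE = [
    (0.4, "app.example.travel", "https://graph.facebook.com/v0/APP_ID/activities",
     "event=app_open&advertiser_id=11111111-2222-3333-4444-555555555555"),
    (0.6, "app.example.travel", "https://api.example.travel/search", "from=AMS"),
    (42.0, "app.example.travel", "https://graph.facebook.com/v0/APP_ID/activities",
     "event=app_close&advertiser_id=11111111-2222-3333-4444-555555555555"),
    (6.2, "app.example.music", "https://graph.facebook.com/v0/APP_ID/activities",
     "event=app_open&advertiser_id=11111111-2222-3333-4444-555555555555"),
    # Lookalike host: must not be counted as the tracker endpoint.
    (0.3, "app.example.news", "https://graph.facebook.com.example.net/ping", ""),
]

# Constructed: seconds after launch at which the user accepted the consent
# dialog in each app (None = consent was never given during the session).
CONSENT_AT = {"app.example.travel": None, "app.example.music": 5.0,
              "app.example.news": None}


def audit(capture, consent_at):
    """Summarise tracker calls per app from a list of captured requests."""
    findings = {}
    for t, app, url, body in sorted(capture):
        # Exact hostname match, so suffix/prefix lookalikes are ignored.
        if urlsplit(url).hostname != TRACKER_HOST:
            continue
        entry = findings.setdefault(
            app, {"first_call": t, "calls": 0, "before_consent": 0,
                  "aaid_sent": False})
        entry["calls"] += 1
        consent = consent_at.get(app)
        if consent is None or t < consent:
            entry["before_consent"] += 1  # sent without a recorded opt-in
        if "advertiser_id" in parse_qs(body):
            entry["aaid_sent"] = True     # identifier usable without a login
    return findings


if __name__ == "__main__":
    for app, entry in audit(CAPTURE, CONSENT_AT).items():
        print(app, entry)
```
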