A Virginia based government contracting firm called Anomaly Six LLC has been revealed to be inserting a proprietary software development kit (SDK) into over five hundred mobile apps then sharing gathered data with the government. This government tracking system for smartphones is now out in the open thanks to a report by the Wall Street Journal. Despite their best efforts to find out what those apps are, Anomaly Six did not provide that information when asked, and the SDK itself is intentionally obfuscated. Since there’s no indication if the app you’re using is tracking you for the government, there is intrinsically no way to opt out.
Usually it’s easier to discover if an SDK is being used in a mobile application – as we’ve seen with the often found Facebook SDK that is often added for Facebook based login. Anomaly Six’s SDK tracker does not need to be disclosed to users, though. This means there are no indications in privacy policies or code that the app you’re using is actually a figurative government mole. Since we don’t know which 500 apps are feeding our information back to any number of three letter agencies, it’s really best to assume that your smartphone is always doing so. The shocking thing is that this method of exfiltrating data from users through third parties and software agreements is not illegal. That is because the data is supposedly anonymized and isn’t being sold for marketing or advertising purposes.
Earlier this year, the public took Zoom to task for including the Facebook SDK in their mobile app even though login by Facebook wasn’t even an active option. Zoom quickly removed the SDK but the damage to their reputation was done. People were understandably not comfortable with Facebook getting their information – and arguably the government having that access is even worse… Especially since we don’t even know what the government uses this data for.
This revelation that the government is using the exact same method to get location data and more from our very own pockets should be a wake up call for the world’s smartphone users. The government has a history of using third parties when possible to legally obtain intel that can’t be sought by the government itself. The third party government collaborator could be your mobile data provider, the companies behind the apps you are using, or even in the hardware manufacturers themselves. Trust is hard to come by, and once there’s more information on which popular apps include the Anomaly Six SDK, it should be a clear sign of which companies are willing to sacrifice the privacy of their users just because the government asks or pays for it.