For anyone who’s curious about what our mobile apps are doing behind our backs, a new Android app called Seudo is a potential gold mine of insights.
After I installed Seudo, the app claimed that TikTok was gathering minute-by-minute details on my network connection, which could help the social media app infer some form of location information. McDonald’s, meanwhile, appeared to be gathering all kinds of device data for tracking purposes, and several other apps, including Pandora and photo editor Lensa, were contacting Facebook for no clear reason.
To be clear, these findings don’t necessarily indict the apps in question. TikTok, for instance, claims that it does not collect any location information except possibly at the country or time-zone level, while Lensa noted after publication of this story that it only sends non-personal data to Facebook Analytics. Still, as a tool for privacy advocates and reporters to start holding companies more accountable on privacy, Seudo could be a useful starting point.
“Really, what we’re trying to do is give the negotiating power back to the consumer, where you don’t have to trade off your privacy or your data in order to get a service,” says Sabrina Storozuk, Seudo’s cofounder and CEO.
How Seudo sniffs out snooping
During setup, Seudo prompts you to install a security certificate for running a local virtual private network, or VPN. Seudo then tries to decipher the behavior of all your installed apps by analyzing traffic to and from the device.
While it’s not the only app that uses a VPN to sniff out bad behavior—Guardian Firewall and Lockdown are other examples—Seudo goes a step further by trying to explain in detail what each app is doing. Using AI, the company identifies keywords or identifiers in the traffic it has deciphered, then turns them into a plain-language description for users.
When I downloaded and started using the McDonald’s app, for instance, Seudo started throwing up warnings about “tracking technology that could be gathering your personal information,” and suggested that McDonald’s was collecting all sorts of data about the characteristics of my phone. It also showed that this information was heading to Kochava, an analytics firm and data broker. Kochava, which helps analyze McDonald’s data, says it is not a data broker for the restaurant and that it neither owns nor determines how clients’ data is used.
“We are unable to provide meaningful comment on speculative information obtained by Seudo, a third party app,” a McDonald’s spokesperson said after publication of this story. “McDonald’s takes seriously the trust that our customers put in us each day to uphold our robust data privacy commitments that guide how McDonald’s uses, protects and shares customer information, including our commitment to not sell personal information.”
Seudo’s reporting on TikTok was a bit stranger. At first, Seudo’s app would alert me about once per minute that “your network connections are being tracked” and that “your location can also be tracked with this access.”
“You’ll notice that right off the bat, every request that comes in is a massive amount of information,” Storozuk says of TikTok in particular.
These alerts did not appear the following day, however, and a TikTok spokesperson says that the app does not collect location data at a more granular level than region or time zone. It’s worth noting that TikTok doesn’t ask for location data when you install its Android app, and my Pixel 2 XL’s location settings showed no record of TikTok accessing the device’s location. The company suspects that Seudo’s findings were a “false positive.”
However, Storozuk says she’s found lots of other cases of questionable behavior by popular apps. When you connect a Tinder account with Facebook, for instance, she says Tinder makes its own copy of your profile photo and keeps it on its own servers.
Tinder confirmed that members who sign up through Facebook can opt into letting the site keep a copy of up to four recent public profile photos (it does this to prevent you from having a blank Tinder profile if you happen to delete your Facebook). However, the onboarding flow when you sign up for the app through Facebook does not provide an option to opt out of providing profile pictures to Tinder, nor does it clearly disclose that Tinder is keeping its own copies.
Tinder says it does not share the photos it stores with any other dating apps within its parent company, Match Group, unless a profile is reported for criminal activity.
At Storozuk’s prompting, I also installed the King James Bible, which has more than 10 million installs in the Google Play Store and claims that it “gets you closer to God and helps you learn God’s word without internet access.” While the app does indeed work offline, it also regularly contacts Facebook when an internet connection is available.
“That is not offline at all,” Storozuk says. (iDailyBread, the app’s developers, did not respond to a request for comment.)
A privacy work in progress
Storozuk, who built security systems for businesses before cofounding Seudo, says the app has been in development for three years, going through various internal iterations. But now that people are becoming more attuned to privacy issues, she felt the time was right to release it publicly.
“It’s now a topic of discussion at the water cooler at work, or at the dinner table, or at a dinner party,” she says. “I feel that people understand the ramifications of it.”
Based on the versions I’ve been testing since last weekend, there’s clearly a lot of work left to do.
In its current form, the app is a slog to use, routinely failing to load the right menus when selected and putting a tremendous strain on battery life. It also crashed my Pixel 2 XL on a few occasions, and slowed my internet connection to a crawl. Right now, for most people, the app has too many issues to justify its $2 per month (or $20 per year) asking price.
Beyond just making the app much more stable and less of a battery hog, Seudo could do more to streamline the firehose of data it’s putting out so that more users can decipher it. A lot of the questionable behavior that Seudo reports, such as TikTok’s persistent data collection, could be aggregated into a single thread instead of listed repeatedly in an “alerts” feed.
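As an added illustration, not Seudo’s own code (the story describes its mechanism only at a high level), here is how a local-VPN traffic monitor of the kind described in the setup section could turn per-app flow records into findings, hide expected first-party traffic by default, and collapse repeated alerts such as the once-per-minute TikTok warnings into one aggregated entry. The app packages, hostnames and tracker catalogue are constructed placeholders.

```python
# Constructed catalogue of destination hosts -> (operator, purpose); placeholder names, not real domains.
TRACKER_CATALOG = {
    "collect.tracker-a.example": ("Tracker A", "device data collection for ad analytics"),
    "graph.social-b.example": ("Social B", "social SDK callback"),
}

# Constructed map of app package -> domain suffixes that app is expected to contact
# (hidden by default). An app that claims to work offline expects none.
FIRST_PARTY = {
    "com.example.mail": ("mail.example",),
    "com.example.food": ("food.example",),
    "com.example.bible": (),
}

def classify(app, host):
    """Return (operator, purpose) if the flow is worth reporting, or None if it is expected."""
    if any(host == s or host.endswith("." + s) for s in FIRST_PARTY.get(app, ())):
        return None
    if host in TRACKER_CATALOG:
        return TRACKER_CATALOG[host]
    return ("unknown third party " + host, "unclassified network contact")

def aggregate(flows):
    """Collapse one-alert-per-request into one finding per (app, operator, purpose)."""
    findings = {}
    for ts, app, host in sorted(flows):
        hit = classify(app, host)
        if hit is None:
            continue
        key = (app,) + hit
        f = findings.setdefault(key, {"count": 0, "first_seen": ts, "last_seen": ts})
        f["count"] += 1
        f["last_seen"] = ts   # flows are sorted by time, so this is the latest sighting
    return findings

# Constructed flow log as a local-VPN monitor might record it: (unix seconds, app package, host)
SAMPLE_FLOWS = [
    (1000, "com.example.mail", "smtp.mail.example"),
    (1001, "com.example.bible", "graph.social-b.example"),
    (1061, "com.example.bible", "graph.social-b.example"),
    (1121, "com.example.bible", "graph.social-b.example"),
    (1005, "com.example.food", "collect.tracker-a.example"),
    (1007, "com.example.food", "cdn.food.example"),
    (1009, "com.example.food", "misc.unknown.example"),
]

if __name__ == "__main__":
    for (app, operator, purpose), f in aggregate(SAMPLE_FLOWS).items():
        print(f"{app}: {operator} ({purpose}) x{f['count']} between {f['first_seen']} and {f['last_seen']}")
```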
There’s also a lot of information that could probably just be hidden by default. Most people don’t need to know, for instance, that Gmail is sending data to Google, or that Instagram is sending data to Facebook. Storozuk says privacy is deeply personal, and Seudo doesn’t want to make assumptions about what behavior is acceptable, but if Seudo’s goal is to appeal to consumers instead of just hardcore privacy geeks, it’ll have to strike some kind of balance.
But when it’s working as intended, there’s nothing quite like it. I’m looking forward to hearing more about what Seudo, and any privacy advocates brave enough to use it, find out now that the app is live.
“As soon as this is out, and we have some brainpower and team power again, we’ll start to really dig into where we saw some activity that may be suspect,” Storozuk says.
This story has been updated with comments from McDonald’s, Kochava, and Lensa.