According to a fresh report from 404 Media, some of the most widely used mobile apps, including Candy Crush and Tinder, are reportedly collecting sensitive location data without users’ knowledge. The apps, available on both Android and iOS, may engage in data collection through the advertising ecosystem, raising serious privacy concerns. The data is believed to have reached Gravy Analytics, a location data broker whose subsidiary Ventel has previously sold such information to US law enforcement agencies.

The report suggests that this data collection likely occurs through real-time bidding (RTB) systems, where companies bid to display ads within apps. When these ads run, data brokers like Gravy Analytics are reportedly able to intercept and collect user location data, even without the direct involvement of app developers. This process is not controlled by the app makers themselves, meaning users remain unaware that their location is being monitored.

Security experts, including Zach Edwards of cybersecurity firm Silent Push, are concerned by the scale of this data harvesting. According to the report, Edwards said this is the first time the public has solid evidence showing that some data brokers are obtaining user information from ad bid streams rather than from code embedded in apps.

The leaked data reportedly includes more than 30 million location points, including sensitive areas like the White House, the Kremlin, Vatican City, and several military bases. The list of apps involved in this breach includes popular games like Candy Crush, Subway Surfers, Temple Run, and even dating platforms like Tinder and Grindr. It also mentioned health-related apps, such as MyFitnessPal and various pregnancy trackers, as well as religious and VPN apps, which ironically are often downloaded to increase privacy.

This privacy breach has raised concerns around the world, especially after the Federal Trade Commission (FTC) recently banned Gravy Analytics and Venntail for selling location data without user consent. While many apps seem safe on the surface, this incident indicates the growing risks associated with misuse of user data through indirect means such as the advertising ecosystem.

How to secure your data on Android phone and iPhone?

Experts recommend that smartphone users be cautious when granting location permissions to apps and consider reviewing app privacy policies more carefully. Android users are advised to avoid giving unnecessary permissions like location and camera access to apps that don’t need them for basic functionality. iPhone users can enable the “Ask apps not to track” feature after installing an app to limit tracking and data collection.