At least five more Muslim prayer or similar apps worked with data broker X-Mode, which has sold location data to military contractors and by extension U.S. military intelligence, according to multiple technical analyses.
The news comes after the office of Senator Ron Wyden obtained and published a memo which said staff at the Defense Intelligence Agency (DIA) have been granted permission to query similar U.S. phone location data without a warrant five times in the past two and a half years. While the Muslim-focused apps have stopped sending data to X-Mode, the news still provides context on what sort of apps have been feeding data to companies that then sell information indirectly to the military.
“Using an app to check prayer times should not lead a Muslim to become a victim of government surveillance,” Nihad Awad, national executive director of the Council on American-Islamic Relations, told Motherboard in a statement.
Do you work at Babel Street, X-Mode, Venntel, or one of the apps mentioned in this piece? Did you used to, or know anything else about the location data industry? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Motherboard previously found how an app called Muslim Pro with over 96 million downloads collected granular location data of its users and sold that data to X-Mode. Motherboard also found that a similar app called Salaat First sold location data to another broker called Predicio, which has previously been connected to a supply chain of data that involves a U.S. law enforcement contractor. U.S. Special Operations Command (USSOCOM), a branch of the military, has also bought access to products that use commercial smartphone location data, Motherboard reported.
The new apps include “Prayer Times: Qibla Compass, Quran MP3 & Azan;” “Qibla Finder: Prayer Times, Quran MP3 & Azan;” and “Qibla Compass—Prayer Times, Quran MP3 & Azan.” Qibla Compass, the most popular app of the set, has been downloaded over 5 million times, according to the app’s Google Play Store page.
In early November, Motherboard first identified Qibla Compass as transferring data to X-Mode. At the time, the developer behind Qibla Compass, a company called Appsourcehub based in Ahmedabad, India, did not respond to a request for comment. Now an analysis of Android apps that contain X-Mode related code, carried out by ExpressVPN and cybersecurity firm the Defensive Lab Agency, corroborates and adds to Motherboard’s findings.
Sean O’Brien from the ExpressVPN Digital Security Lab and Esther Onfroy from the Defensive Lab Agency scanned apps for code that may indicate the presence of X-Mode within them. Motherboard then compared those results to our own similar analysis and then intercepted traffic from a selection of the Muslim-focused apps to verify the transfer of location data (an app containing X-Mode code does not necessarily mean the app sent data to X-Mode).
Motherboard downloaded historical versions of the apps from APK archive sites, then ran them on an Android phone and intercepted the apps’ traffic. This confirmed that versions of the apps available in 2020 did send location data to X-Mode. The current versions available on the Play Store do not transfer such data. In December, Apple and Google both banned X-Mode from their respective app stores following Motherboard’s Muslim Pro investigation.
None of the developers behind the various apps responded to a request for comment. Some developers are responsible for more than one of the apps. Older versions of two other apps which provide users with audio recordings of the Quran communicated with an X-Mode server but did not send granular location data in Motherboard’s tests.
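The two-stage method described above (a static scan for SDK indicator strings inside the APK, followed by inspection of intercepted traffic, because code presence alone does not prove data was sent) can be reproduced as a small audit script. The following is an added example written for this piece; it is not Motherboard’s, ExpressVPN’s or the Defensive Lab Agency’s tooling. The indicator strings, collector hostnames, APK contents and captured requests are all constructed placeholders, not real X-Mode identifiers, and the consent-ordering check mirrors the later observation that one app began sending data before its privacy pop-up was accepted.

```python
import io
import json
import zipfile

# Constructed indicator table: placeholder package paths standing in for the
# SDK signatures an auditor would maintain (not real X-Mode identifiers).
SDK_INDICATORS = {
    b"com/example/locsdk/": "example-location-sdk",
}

# Placeholder collection endpoints for the same hypothetical SDK.
SDK_HOSTS = {"collector.example-locsdk.invalid"}

# JSON keys treated as carrying granular location.
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}


def build_apk(entries):
    """Build an in-memory APK (a zip archive) from {name: bytes}. Sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_apk_for_sdk(apk_bytes, indicators=SDK_INDICATORS):
    """Static stage: return labels of SDKs whose indicator strings appear in
    any entry name or entry content of the archive (e.g. inside classes.dex)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for needle, label in indicators.items():
                if needle in info.filename.encode() or needle in data:
                    found.add(label)
    return sorted(found)


def _contains_location(obj):
    """Recursively look for location keys anywhere in a decoded JSON body."""
    if isinstance(obj, dict):
        return any(k.lower() in LOCATION_KEYS or _contains_location(v)
                   for k, v in obj.items())
    if isinstance(obj, list):
        return any(_contains_location(v) for v in obj)
    return False


def request_carries_location(req):
    """Dynamic stage: does a captured request body contain location fields?"""
    try:
        body = json.loads(req.get("body") or "")
    except ValueError:
        return False
    return _contains_location(body)


def classify_app(apk_bytes, captured, consent_time, sdk_hosts=SDK_HOSTS):
    """Combine both stages. 'captured' is a list of intercepted requests
    {"t": seconds_since_launch, "host": ..., "body": ...}; consent_time is when
    the user accepted the privacy pop-up in the same session."""
    sdk_requests = [r for r in captured if r["host"] in sdk_hosts]
    location_requests = [r for r in sdk_requests if request_carries_location(r)]
    return {
        "sdk_code_present": bool(scan_apk_for_sdk(apk_bytes)),
        "contacted_sdk": bool(sdk_requests),
        "sent_location": bool(location_requests),
        "sent_before_consent": any(r["t"] < consent_time for r in location_requests),
    }


# Constructed samples: both apps embed the hypothetical SDK code...
PRAYER_APP = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"\x00dex\n035\x00 ... Lcom/example/locsdk/Tracker; ...",
})
QURAN_AUDIO_APP = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"\x00dex\n035\x00 ... Lcom/example/locsdk/Init; ...",
})

# ...but only the first one ships coordinates, and it does so before consent.
CONSENT_ACCEPTED_AT = 10
PRAYER_TRAFFIC = [
    {"t": 3, "host": "collector.example-locsdk.invalid",
     "body": json.dumps({"device": "constructed-id", "loc": {"lat": 51.50, "lon": -0.12}})},
    {"t": 12, "host": "api.prayertimes.invalid", "body": json.dumps({"tz": "UTC"})},
]
QURAN_TRAFFIC = [
    {"t": 2, "host": "collector.example-locsdk.invalid",
     "body": json.dumps({"event": "sdk_init", "version": "1.0"})},
]

if __name__ == "__main__":
    print("prayer app:", classify_app(PRAYER_APP, PRAYER_TRAFFIC, CONSENT_ACCEPTED_AT))
    print("quran audio app:", classify_app(QURAN_AUDIO_APP, QURAN_TRAFFIC, CONSENT_ACCEPTED_AT))
```

The second sample shows why the traffic stage matters: its archive matches the indicator and it contacts the collector host, yet it is not flagged as sending location, which is the distinction the article draws between apps that merely contain X-Mode code and those that actually transferred coordinates.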
The current version of Qibla Compass does provide data to two other companies, Opensignal and Tutela. Both of these firms work to test network connectivity of phones that have apps with their code installed; Tutela sells information to the telecom industry.
TechCrunch, which also received a copy of ExpressVPN and the Defensive Lab Agency’s research, confirmed that one U.S. subway map app with over 100,000 installs was still downloadable from Google Play even though the app was still sending location data to X-Mode. New York Subway, an app for navigating the New York City transit system, asked for permission to send data specifically to X-Mode for ads and market research, but made no reference to its government work. The app maker, Desonline, removed references to X-Mode from its privacy policy shortly after TechCrunch asked for comment. Google confirmed it took action to remove the app from Google Play.
The memo the DIA sent to Senator Wyden said that the DIA currently provides funding to another agency that in turn purchases commercially available geolocation data from smartphones. The memo added that DIA analysts have used the database to search for Americans’ movements without a warrant, The New York Times first reported.
“D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” the memo said, referring to the Supreme Court decision that law enforcement obtaining location data should require a warrant. Other agencies have also said they don’t require a warrant or court order to obtain commercial location data. In October, BuzzFeed News reported on a Department of Homeland Security memo that argued it did not need a warrant to purchase such data.
The memo did not identify the broker or brokers the DIA sourced the location data from. It said that the broker or brokers do not separate the data into American and foreign smartphone users, meaning that the DIA has to process the data that appears to be from domestic phones and filter those into another database.
“Americans are sick of learning that their location data is being sold by data brokers to anyone with a credit card. Industry self-regulation clearly isn’t working—Congress needs to pass tough legislation, like my Mind Your Own Business Act, to give consumers effective tools to prevent their data being sold and to give the FTC the power to hold companies accountable when they violate Americans’ privacy,” Senator Ron Wyden said in a statement.
X-Mode did not respond to a request for comment; the company has not responded to any of Motherboard’s requests since Apple and Google booted X-Mode from their app stores in December. The company did provide a statement to TechCrunch which the publication then shared with Motherboard, however.
“The ban on X-Mode’s SDK has broader ecosystem implications considering X-Mode collected similar mobile app data as most advertising SDKs. Apple and Google have set the precedent that they can determine private enterprises’ ability to collect and use mobile app data even when a majority of our publishers had secondary consent for the collection and use of location data,” X-Mode CEO Josh Anton said in the statement. Motherboard previously found apps that sent data to X-Mode did not obtain informed consent to transfer users’ location data. In these latest tests, Motherboard found a version of the Qibla Finder app started sending the data to X-Mode before a user had accepted the privacy policy pop-up in the app.
“We’ve recently sent a letter to Apple and Google to understand how we can best resolve this issue together so that we can both continue to use location data to save lives and continue to power the tech communities’ ability to build location-based products. We believe it’s important to ensure that Apple and Google hold X-Mode to the same standard they hold upon themselves when it comes to the collection and use of location data,” the statement added. Apple and Google do not sell location data.
Apple was unable to provide a statement in time for publication, and Google did not respond to a request for comment on X-Mode’s statement.
In an upcoming change to iOS in early spring, Apple says users will be able to see which apps have requested permission to track them. It also said that it expects app developers to know which software development kits (SDKs), bundles of code from companies like X-Mode, their apps include, and to trigger the tracking notification to the user if those SDKs track them.