Period Tracker by GP Apps is another popularly downloaded app we previously looked at in 2019. In our original research, we determined that this app did not appear to share any user input data with Facebook.
This time, we examined the third parties that the app appeared to integrate and what kind of data was being shared with these third parties, as well as what user data the app was storing on its own or external services. It’s worth noting that the developers of the app released a statement following the overturning of Roe v. Wade that:
'We are adamantly opposed to government overreach, and we believe that a hypothetical situation where the government subpoenas private user data from health apps to convict people for having an abortion is a gross human rights violation. In such a scenario, we will do all we can to protect our users from such an act. We would rather close down the company than be accomplice to this type of government overreach and privacy violation.'
The statement also explained that users could use the app without an online account, and that, in this case, their data would be stored only locally on their device, rather than backed up to a cloud-based account.
We indeed got started on the app without having to create an account and without having to complete any onboarding questionnaire. Then, we were presented with a consent pop-up for the processing of user data for networks like Google, InMobi and AerServ. We clicked 'No, thank you' (Figure 4.1), which confirmed that 'Ad networks won't collect data to personalise advertising for you in this app' (Figure 4.2).
We were then directed to the cycle dashboard, where we began inputting our cycle data. Throughout our use, we did not observe our input data being sent in the web traffic to any API, which is consistent with the app's claim that, for users who choose not to create an account, user input data is stored only locally on the device and not in the cloud.
We nonetheless noticed some calls to third-party advertising and analytics SDKs. Most of the ad SDKs that we saw, such as Nexage and Moat Ads, were not properly functional and returned errors in the web traffic. We did some digging and discovered that these advertising networks no longer exist in the same state as they appeared in the web traffic: Nexage was acquired by AOL Advertising, which has since been absorbed into the larger Yahoo Advertising network, and Moat Ads, formerly an AOL customer, has since been acquired by Oracle.
It appears that this period tracker app has left outdated ad integrations in its implementation. While personal data does not appear to be shared in these ad requests, and these third-party URL paths no longer appear to belong to functional SDKs, it is nonetheless concerning that the app's developers have not removed these outdated calls. There is the risk, for example, that these URLs could in theory be hijacked by malicious actors (a threat called ‘broken link hijacking’).
We also observed advertising network calls to another ad SDK, Pub Ads (acquired by Google), which requested device data and responded with a variety of ad placement information:
Neither Pub Ads nor any of the above advertising SDKs (Moat, Nexage) were named in the app’s Privacy Policy; the only mention of advertising SDKs in the privacy policy was a general statement that automatically collected information (e.g., device type, IP address, OS, other device data) would be sent to third-party advertising networks and analytics companies (not specified by name). As the app claims in its public statement, it indeed does not appear to store any user input data (at least as far as our DIAS environment can see). The app does appear to utilise some third-party ad SDKs like Pub Ads, as well as some outdated or non-functional ad SDKs.
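As an added illustration of the two checks performed above (whether values entered into the app appear in outbound traffic, and which third-party hosts only ever return errors and so warrant removal or a broken-link-hijacking review), the following Python script, which is not code from Privacy International or from GP Apps, runs over a constructed capture of app requests; the hostnames, request bodies and canary values are all placeholders, not the app's real traffic.

```python
"""Offline triage of a captured app session: canary leakage and dead third-party hosts."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of captured requests (placeholder .test hosts, not real traffic).
CAPTURE = [
    {"url": "https://ads.example-adnet.test/v1/bid?device=Pixel&os=12", "body": "", "status": 200},
    {"url": "https://mobile.example-dead.test/sdk/init", "body": "", "status": 404},
    {"url": "https://mobile.example-dead.test/sdk/event", "body": "", "status": 404},
    {"url": "https://sync.example-cloud.test/cycle",
     "body": '{"last_period":"2022-07-04","cycle_length":28}', "status": 200},
]

# Canary values typed into the app during the test session (constructed); pick
# distinctive values so that matches are not accidental.
CANARIES = {"last_period": "2022-07-04", "cycle_length": "28"}


def find_leaks(capture, canaries):
    """Return (host, canary_name) pairs where a canary value appears, as a whole
    token, in a request URL or body. An empty list means no input data left the device."""
    hits = []
    for req in capture:
        host = urlparse(req["url"]).netloc
        haystack = req["url"] + " " + req["body"]
        for name, value in canaries.items():
            # Whole-token match: the value must not be part of a longer alphanumeric run.
            if re.search(r"(?<![0-9A-Za-z])" + re.escape(value) + r"(?![0-9A-Za-z])", haystack):
                hits.append((host, name))
    return hits


def dead_hosts(capture, error_from=400):
    """Hosts whose every observed response was an HTTP error. These are the
    outdated integrations to remove from the app and to review for hijack risk."""
    statuses = defaultdict(list)
    for req in capture:
        statuses[urlparse(req["url"]).netloc].append(req["status"])
    return sorted(host for host, codes in statuses.items()
                  if all(code >= error_from for code in codes))


if __name__ == "__main__":
    print("leaks:", find_leaks(CAPTURE, CANARIES))   # sync host carries both canaries
    print("dead hosts:", dead_hosts(CAPTURE))         # ['mobile.example-dead.test']
```

In a real review the capture would be exported from the interception proxy (a HAR file maps directly onto the dict fields used here), and a dead host is only a candidate: its domain's registration status still has to be checked by hand.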