Dieser Artikel wurde vor mehr als einem Jahr veröffentlicht. Die Informationen könnten veraltet sein.

How Facebook knows which apps you use – and why this matters

Ein Artikel von , veröffentlicht am 18.12.2018, bearbeitet am20.12.2018
Bild: iStockphoto.com / g-stockstudio

Looking for a new partner, perhaps on Tinder? Or on Curvy, for people with curves, or Grindr maybe, the gay dating app? Fighting your smoking addiction with the app “Kwit”, or monitoring your depressive cycles with “Moodpath”? If you do, chances are Facebook knows all about it. And you can’t know that it does.

This is a translation of the German article Facebooks unsichtbare Datensammlung originally published on 13.12.2018.

Approximately 30 percent of all apps in Google’s Playstore contact Facebook at startup and transmit user data. This way, the company knows which apps you use and when you use them – including apps related to religion, sexuality or health. For users, this data-transmission is entirely invisible.

All services mentioned above (Tinder, Curvy, Grindr, Kwit, Moodpath) and in the following article have three things in common. First: Most users access them via their smartphone apps. Second: All of these apps establish a connection to Facebook the moment you open them and tell the platform. Third: Facebook connects all this info to the personal profile they have of you.

This is true at least for the Android apps of each of the services (we tested the versions available in the Playstore on November 28, 2018). Note: The operator of the app "moodpath" announced upon notification, that they will remove the Facebook module from the app.

Tell me which apps you use and I tell my customers, who you are

This way, Facebook collects precious data from outside its own platform: Who is using which apps and when?

For a calendar-app, this might not be highly sensitive information. But if you use the app “Bible + Audio” or have yourself reminded of Islamic prayer-times with “MuslimPro”, you give away quite some interesting details.

Facebook expands its profiles with this data, making lots of money from it. If you are using the parenting-guide “Pregnancy+”, you will likely be interested in baby-products soon. If you are monitoring your headaches with “Migraine Buddy”, you will likely respond well to ads for new migraine-medication.

Facebook confirmed the use of information from third party apps for targeted advertisement in a statement to mobilsicher.de.

How Facebook gets into your apps

The reason Facebook is able to collect all this data without you knowing about it is the result of the company strategically offering analytics tools, combined with complacency on the part of app developers. Because it´s the developers themselves who willingly build the means for Facebook to learn about your app use into their products. All Facebook does is provide the suitable software module, a so called Software Development Kit (SDK), ready to be downloaded and built into any smartphone app.

Why would any developer do this? If you build and offer an app, Facebook offers you “Facebook Analytics”, a service to analyze your users’ behavior. Facebook Analytics tells you what users do in your app – where they click, where they get confused or quit, which functions they prefer.

Sweet deal: Data for free Service

This is valuable and perfectly legitimate information you need as a developer if you want to build a good product. Facebook’s analytics tool is not only very professional and accurate but unlike many other similar services, it is also free. So unsurprisingly, it is vastly popular.

The US-based research project “AppCensus” found that 30 percent of all apps established a connection to Facebook (Facebook Analytics and other Facebook services) in a sample of 83,064 apps they analyzed.

The prize for the useful service: The data on user behavior and user journey end up in Facebook’s hands. The developer or operator of an app can look at them – but he has no control over them.

What exactly does Facebook learn?

This arrangement – data for free service – does not seem to bother app operators at all. We assume that this is at least partly due to the fact that most of them don’t know what Facebook’s SDK actually does.

For instance, most developers we asked about this issue assumed that the information Facebook receives is anonymized. However, that’s not the case. If you look at the data traffic of an app with the Facebook module built in, here’s what you will typically see (this example comes from the official app of the Conservative Party in Germany, CDU. After notification the party declared, that they will remove the Facebook-SKD with the next update.)

Data traffic of the app Meine CDU. On the left you see all web addresses the app connects to on startup. This is before any user interaction takes place. On the right, we show the content of one data package that is transmitted to Facebook. The highlighted line contains the Advertising-ID

Besides technical information like the Code D5803, describing the device-model (Sony Xperia Z3 Compact), Facebook learns the time of use, the IP address and which app the traffic originates from – in this case the conservative party’s App “Meine CDU”.

But the critical piece of information is found in the highlighted line, tagged as “advertiser_id”. It contains the so called Advertising ID, in this example the string „3e072b22-ed75-4502-b26c-10ca1ad1abe1“.

Is the Advertising ID really anonymous?

Every Android device with a connected Google account has such an Advertising ID. iPhones and iPads have a similar identifier, created at first boot by Apples mobile operating system iOS.

The Advertising ID is unique for every device and can be read by any app installed – no permission or user interaction necessary. Facebook makes use of this: If you log on to your Facebook account just once using your smartphone, Facebook collects your Ad ID and connects it to your account. If your name, birthday, email address or other personal identifiable information is stored in this account, it is very far from being anonymous.

From now on, Facebook can connect every scrap of information to your account and user profile, as long as it comes together with your Ad ID. And that is exactly what it does with the information coming from third party apps, as Facebook confirmed in a written statement to mobilsicher.de.

This way, your Ad ID loses its anonymity, at least until the moment it changes. This happens automatically when you perform a factory reset or get a new phone. You can also change your Ad ID manually, whenever you want. But since hardly anyone does that, the Ad ID works perfectly well as an identifier.

Rough deal: Zero transparency for users

From the user interface, there is no way you can see that a connection to Facebook (or to anywhere else) is established. The data transmission is independent from user interaction or whether you chose to log in with your Facebook account. It happens even when you don´t have a Facebook account at all.

None of the apps we refer to in this text actively notifies users of this data transmission, for instance with a dialogue window. Not even half of them mention Facebook Analytics in their privacy policy. Strictly speaking, none of them is GDPR-compliant, since the transmission starts before any user interaction could indicate informed consent.

In the absence of authoritative numbers, our educated guess is that this does not look much different in the remaining 30 percent of apps who use the Facebook SDK.

Facebook itself states in its Data Policy that the company uses information from third-party apps for targeted advertisement. But many app developers don’t, and Facebook confirmed in a statement to mobilsicher.de that at this time, users have no option to see in their Facebook accounts which apps are connected to their profile. Mark Zuckerberg announced a functionality to make this transparent in May of this year, dubbed “clear history”. To this day, it is still not available.

Freedom of Choice?

Confronted with the issue, Facebook routinely points out that opt-out options are in place. In fact, targeted ads can be disabled through the settings of your Android device or in the settings of your Facebook account. So everybody has a choice, right?

But what exactly is the effect of this setting, regarding the collection of your data? We tested it with an Android device that had “targeted ads” disabled in its Android settings.

The data traffic of this device looked very much the same as pictured above (in this example from the app of a local section of the German Social Democratic Party SPD, dubbed "SPD Landtagsfraktion NRW". The app has been removed from the appstore upon notification).

Data traffic of the App SPD Landtagsfraktion NRW. The setting deactivate personal ads in the menu of the device is active. On the left you see all web addresses the app connects to on startup. On the right, we show the content of one data package that is transmitted to Facebook. The highlighted line advertiser_tracking_enabled reads now false. But the data are still beeing transmitted.

The difference is: In the line beneath the Ad ID, dubbed “advertiser_tracking_enabled”, it reads “false”. So the SDK sends a flag along with the data, telling Facebook that the user opted out of targeted ads.

We asked Facebook whether data containing this flag will be discarded after transmission, as you would expect. In its written answer to exactly this question, a spokesperson replied:

“If a person utilizes one of these controls, then Facebook will not use data gathered on these third-party apps (e.g. through Facebook Audience Network), for ad targeting.”

It is hardly possible to overlook the ambiguity of this answer. In our view, it leaves only one conclusion: Facebook stores the data and builds a user profile nevertheless – it just doesn’t show the respective ads to the users. But should they decide at some later point to change the setting and allow for targeted ads, a well maintained and exhaustive user profile will be in place waiting for them.

Die Autorin





PGP Public Key

Download als .asc


BC80 45E0 3110 EA00 A880 0827 2F02 1121 0445 27DC

Miriam Ruhenstroth

Begleitet mobilsicher.de seit der Gründung – zuerst als freie Autorin, dann als Redakteurin. Seit Januar 2017 leitet sie das Projekt, das 2020 um den AppChecker erweitert wurde. Davor arbeitete sie viele Jahre als freie Technik- und Wissenschaftsjournalistin.

Weitere Artikel


Vorbild Österreich: Wie man die E-Schrott-Sammlung besser hinbekommt

Im südlichen Nachbarland wird viel mehr E-Schrott gesammelt als hierzulande. Wie schafft Österreich das?


Einzelne iPhone-App freigeben – so geht’s

Bevor Sie Ihr iPhone einer anderen Person in die Hand geben, können Sie es über eine System-Funktion auf eine einzige App beschränken. Ihre anderen Apps und Daten bleiben dann geschützt. Wir zeigen, wie es geht.


Checkliste: Handy weg – was tun? (Android)

Ihr Smartphone oder Tablet wurde gestohlen oder ist verloren gegangen? Mit unserer Checkliste können Sie jetzt den Schaden begrenzen. Verbundene Online-Konten lassen sich über den Computer sperren, eventuell können Sie Ihr Gerät auch orten.


iOS 12: Die wichtigsten Neuerungen für Privacy und Sicherheit

Die aktuelle Version des mobilen Betriebssystems von Apple glänzt vor allem mit Leistung und Schnelligkeit. Doch auch in Sachen Privacy und Sicherheit hat sich was getan. Vor allem beim Tracking-Schutz, bei der Passwort-Verwaltung und beim Schutz vor ungewolltem Auslesen hat Apple nachgelegt.