Popular Muslim prayer apps with over 17 million downloads combined were banned from Google’s Play Store after it emerged they secretly harvested data with code developed by a company with alleged links to US security agencies.
‘Al-Moazin Lite (Prayer times)’, ‘Qibla Compass – Ramadan 2022’, ‘Full Quran MP3-50’, and ‘Al Quran Mp3 – 50 Reciters & Translation Audio’ were amongst dozens of other apps Google banned on March 25.
The Panama-based company Measurement Systems, which engineered the code, is linked to a US defence contractor, according to the Wall Street Journal.
The company paid app developers to include the code in their apps, reportedly allowing it to siphon personal identifiers, such as phone numbers, locations and email addresses, from the devices.
The Wall Street Journal quoted a Google spokesman saying that the apps could be relisted if the code was removed.
Some of the apps that were taken down, including the Muslim apps, are now back on the Play Store.
Invasive software
The code was discovered by researchers Serge Egelman and Joel Reardon from AppCensus, an organisation that audits mobile apps for user privacy and security.
The affected apps had a software development kit (SDK), which sent sensitive information to a third party.
In a blog post on their findings, Reardon writes: “A look at their code makes for an interesting case study in obfuscation (and provides a few examples of an app feeling far too much at home when collecting user data).”
Not all the apps with the code collected the same data, but Qibla Compass and Audio Quran (also known as Full Quran MP3) detected users’ locations. Both those apps are developed by a company called AppSourceHub, which is based in Gujarat, India.
“We found a few, including Audio Quran, Qibla Compass, and a QR code scanner, all of which have location permissions,” Reardon said in the blog.
“This means that if the user grants the app access to location data, then this SDK does not need a side channel to get the router’s MAC address. In such apps, when we performed our test, we found that they also shared precise GPS location information.”
In all, the apps which had the code registered over 60 million downloads.
Reardon pointed out the dangers of harvesting such data and what could be done with it: “A database mapping someone’s actual email and phone number to their precise GPS location history is particularly frightening, as it could easily be used to run a service to look up a person’s location history just by knowing their phone number or email, which could be used to target journalists, dissidents, or political rivals.”
Modern apps often include SDKs from unknown companies that aren’t well understood, because doing so gives the apps’ developers a stream of income and detailed analytics.
The Muslim apps implicated in the story did not immediately respond to a request for comment from Islam Channel.