Where your data goes when you install an app — the map

The question "does this app collect my data?" is the wrong one. Almost every app does. The right question is: how much, who does it share with, and who buys that stream afterward. Follow the pipe to the end and the answer turns out to be far less abstract than the industry would like.

There's a fairly fixed route your data travels. It isn't magic or conspiracy, it's architecture. Let's follow the pipe from the end inside your phone to the other end, where a government or a broker buys the result.

Exit 1: the SDKs that ship hidden inside the app

Almost no app is built from scratch. The developer drops in a pile of SDKs, ready-made third-party software kits that handle analytics, ads, social login, and crash reporting. The catch: each of those SDKs tends to be a data exit, and the company controlling what leaves through it isn't the app maker. It's whoever owns the SDK.

A University of Oxford study of roughly 959,000 Google Play apps measured the scale. Most apps contain third-party tracking, and the distribution is long-tailed: a handful of dominant trackers (Alphabet/Google and Facebook out front) show up in the bulk of them.¹ News apps and apps aimed at children were among the worst by tracker count.¹

And don't bet the iPhone saves you. A comparative study of iOS and Android covering about 24,000 apps found third-party tracking and unique-identifier sharing to be widespread on both ecosystems: "neither platform is clearly better than the other for privacy" on the dimensions studied.² The iPhone has other virtues. Being tracker-proof isn't one of them.

Exit 2: the label that doesn't match what's in the can

Since 2024, both Apple and Google require apps and SDKs to declare what they collect. Apple's Privacy Manifests (the file where an app declares data type, use, link to the user, and whether it's used for tracking) became mandatory for new or updated apps and third-party SDKs, with full enforcement from May 1, 2024.³ It's a real step forward. But the label doesn't always match what's inside the can.

Oxford researchers looked at what happened after iOS 14, when Apple let users block the IDFA, the device's advertising identifier. The result was counterintuitive: blocking the IDFA did not cut the number of tracking libraries inside apps. "The number of tracking libraries stayed roughly the same," and the privacy labels themselves were "sometimes inaccurate and misleading."⁴ Tracking an isolated individual got harder; the tracking didn't vanish, it moved.

NowSecure, a mobile security vendor (an interested party, so read it as a vendor audit, not independent truth), tested 23,300 iOS app packages in August 2025 and reports that 35% didn't declare the data they collected and 97% lacked the manifests now required for third-party SDKs.⁵ The exact figures are NowSecure's; the direction lines up with the academic work.

Exit 3: the location brokers who buy the stream

Here the pipe leaves the app and becomes a market. Data brokers buy that location stream coming from SDKs embedded in thousands of apps, stitch it together, and resell it, governments included. In 2024 the US FTC went after them in a string of cases.

The FTC ordered X-Mode Social / Outlogic to stop selling sensitive location data, its first such action against a location broker.⁶ The order expressly bars using location data from medical clinics, places of worship, labor unions, schools, and domestic-violence shelters.⁶ Soon after, InMarket Media was barred from selling precise location for failing to get informed consent from users.⁷ Then December 2024 brought two big ones: against Gravy Analytics, which sold location "precise to about a meter" and used geofencing to assemble lists of people who attended events tied to medical conditions and places of worship; and against Mobilewalla, which carried the FTC's first-ever ban on collecting data from ad-auction exchanges.⁸

Exit 4: the invisible auction that runs while the screen loads

The last exit is the hardest to see, because it happens inside the ad. It's called Real-Time Bidding (RTB): the automated auction that decides, in milliseconds, which ad you see. For the auction to run, a "broadcast" of what you're looking at and where you are is transmitted to a crowd of companies at once. They all receive the data, only one wins the auction.

The scale, per the ICCL (an Irish civil-liberties group, so this is their methodological estimate, not a regulator's count): that broadcast happens 178 trillion times a year across the US and Europe.⁹ Johnny Ryan, a former adtech executive now a researcher at the ICCL, calls RTB "the biggest data breach ever recorded."⁹ The line is deliberately loud, but it describes the mechanism well: the data isn't stolen, it's broadcast by design.

When the map became front-page news

In January 2025, weeks after the FTC blocked Gravy from collecting location without consent, the company was breached. TechCrunch reported at least 30 million location points in the initial leak, with the hacker claiming several terabytes.¹⁰ Apps named as the source of the data included FlightRadar, Grindr, Tinder, Candy Crush, and MyFitnessPal.¹⁰ You could place people at the White House, the Vatican, and military bases, and identify service members and LGBTQ+ users in countries that criminalize homosexuality.¹⁰ It's this whole article condensed into a single incident.

The regulatory picture is shifting

The 2024 FTC orders are the sharpest enforcement on record, but they're US-only, and the broker market is global. The EU's RTB scrutiny under GDPR and a wave of US state privacy laws push the same pipe toward consent and data-minimization rules, and regulators elsewhere cite the FTC precedents. The map doesn't respect borders: an SDK leaking your location doesn't check your jurisdiction before it transmits. What's changing is the cost of running these pipes openly, not the pipes themselves.

What the community is saying

In the privacy communities (r/privacy, r/degoogle, the GrapheneOS forums), the mood is informed resignation, not panic. People there already assume "every app leaks," and the surprise is never whether, it's how much and to whom. When a case like Gravy breaks, the tone is a mix of "told you so" and anger that the problem is structural rather than one villain app.

The honest axis of the debate is defense in depth vs. consent fatigue. On one side (strong in r/degoogle and r/GrapheneOS): de-Googling Android, using DNS-level firewalls, and auditing apps with tools like Exodus Privacy genuinely cuts tracking; "imperfect isn't the same as useless." The most mature take, from the GrapheneOS forum, is that switching operating systems does not erase the trackers inside the app. Install your bank's app or a delivery app and the SDKs come with it. What a hardened OS does is limit permissions and cut the network calls, not sterilize the app. That squares with the research.¹ ²

On the other side (in r/privacy and r/technology): the sense that opt-outs and privacy labels are "consent theater," since you block the IDFA and tracking migrates to fingerprinting and first-party data. Some read Apple's whole privacy push as a competitive lever rather than an end in itself. The usable consensus, from r/degoogle: auditing before you install (check permissions, run it through Exodus) pays off more than trying to clean up the mess afterward.

Verdict

You can't close all four exits, and anyone promising you can is selling something. But the map changes how you decide. Knowing the data leaves through SDKs, gets auctioned, and ends up at a broker, the highest-return move is the most boring one: pick the app with fewer trackers before you install it, deny location to anything that doesn't truly need it, and treat a privacy label as marketing until proven otherwise. Total privacy is impossible. Minimizing collection is achievable, and, once you've seen the map, hard to unsee.

---

Sources

1. Third Party Tracking in the Mobile Ecosystem · Binns, Lyngs, Van Kleek, Zhao, Libert, Shadbolt (University of Oxford) · WebSci '18 · DOI: 10.1145/3201064.3201089 · 2018 · https://dl.acm.org/doi/10.1145/3201064.3201089
2. Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps · Kollnig, Shuba, Binns, Van Kleek, Shadbolt · PoPETs 2022 · DOI: 10.2478/popets-2022-0033 · 2022 · https://petsymposium.org/popets/2022/popets-2022-0033.pdf
3. App Privacy Details · Apple Developer · https://developer.apple.com/app-store/app-privacy-details/ · and Two New Apple and Google Platform Privacy Requirements Kicking In Now · Future of Privacy Forum · https://fpf.org/blog/two-new-apple-and-google-platform-privacy-requirements-kicking-in-now/ · 2024
4. Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels · Kollnig, Shuba, Van Kleek, Binns, Shadbolt · ACM FAccT 2022 · DOI: 10.1145/3531146.3533116 · 2022 · https://arxiv.org/abs/2204.03556
5. New NowSecure Research Targets Mobile App Privacy Risks · NowSecure · https://www.nowsecure.com/blog/2025/09/29/new-nowsecure-research-targets-mobile-app-privacy-risks-what-you-dont-see-is-hurting-you/ · Sep 29, 2025
6. FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data · Federal Trade Commission · https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data · Jan 23, 2024 (finalized Apr 2024)
7. FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data · Federal Trade Commission · https://www.ftc.gov/news-events/news/press-releases/2024/05/ftc-finalizes-order-inmarket-prohibiting-it-selling-or-sharing-precise-location-data · May 1, 2024
8. Federal Regulators Limit Location Brokers from Selling Your Whereabouts: 2024 in Review · Electronic Frontier Foundation · https://www.eff.org/deeplinks/2024/12/federal-regulators-limit-location-brokers-selling-your-whereabouts-2024-review · Dec 2024
9. ICCL report on the scale of Real-Time Bidding data broadcasts in the U.S. and Europe · Irish Council for Civil Liberties · https://www.iccl.ie/news/iccl-report-on-the-scale-of-real-time-bidding-data-broadcasts-in-the-u-s-and-europe/ · May 16, 2022
10. Gravy Analytics data broker breach is a trove of location data that threatens the privacy of millions · TechCrunch · https://techcrunch.com/2025/01/13/gravy-analytics-data-broker-breach-trove-of-location-data-threatens-privacy-millions/ · Jan 13, 2025

Community (opinion, not factual source): r/privacy, r/degoogle, GrapheneOS forum and r/GrapheneOS. Aggregate sentiment read — no scraping of individual threads, no usernames exposed.

Newsroom · Acta Verum