DuckDuckGo Releases App Tracking Protection On Android With A Bold Claim
by
Nathan Wasson
—
Thursday, November 17, 2022, 05:40 PM EDT
Almost a year ago exactly, DuckDuckGo introduced a new App Tracking Protection feature for its Android browser app as part of the company’s plan to build an all-in-one privacy app that extends beyond just web browsing and search results. DuckDuckGo initially launched this new feature in closed beta, but, as of yesterday, the feature is now available in open beta for all users of the company’s Android app. In a blog post announcing the open beta, DuckDuckGo touted its App Tracking Protection feature as more powerful than Apple’s App Tracking Transparency feature on iOS and iPadOS.
App Tracking Transparency (ATT) first hit Apple devices back in December 2020, giving users the option to block apps from tracking their activity across third-party websites and apps. This kind of privacy protection doesn’t prevent apps, including Apple’s own apps, from directly tracking users’ in-app activity, but it’s still a protection powerful enough to have crushed Facebook’s data mining of iOS users and forced Google to modify its ad tracking tech.
Apple’s larger privacy push in late 2020, of which ATT was a part, also introduced a new app privacy section in the App Store, requiring developers to disclose what information they collect for tracking purposes and whether it is linked to users or their devices. In July of this year, Google released a similar feature to its Play Store. This new data safety section shows Android users not only what information apps collect and share, but also how apps secure that data.
However, unlike Apple, Google still doesn’t offer Android users a feature like ATT that prevents apps from conducting third-party tracking. DuckDuckGo, which notes that the majority of smartphone users worldwide use Android devices, wants to provide such a third-party tracking blocker to Android users. The App Tracking Protection feature in the DuckDuckGo app is the company’s attempt to do so. While the DuckDuckGo app already blocks third-party trackers on websites visited within the app, the App Tracking Protection feature works to block third-party tracking in other apps as well.
Many apps contain multiple third-party SDKs (software development kits) that share user activity data with other companies. DuckDuckGo performed some in-house testing and found that “[o]ver 96% of the 100 popular free Android apps … tested contained third-party trackers. Of those, 87% sent data to Google and 68% sent data to Facebook.” The App Tracking Protection feature detects these trackers by matching them against a list maintained by DuckDuckGo and blocks their outbound network traffic.
Similar to apps like PCAPDroid and NetGuard, the DuckDuckGo app registers with Android as a virtual private network (VPN) in order to facilitate App Tracking Protection. There isn’t any actual DuckDuckGo VPN, so the app doesn’t connect to servers controlled by the company while App Tracking Protection is enabled. Instead, the feature makes use of the fact that the VPN functionality in Android allows apps to monitor and control network traffic. When App Tracking Protection is enabled, it automatically watches for outbound traffic from third-party tracking SDKs and blocks this traffic.
DuckDuckGo contrasts its App Tracking Protection feature with Apple’s App Tracking Transparency feature, highlighting the fact that ATT requires users to indicate that they don’t want an app to track them upon first launching each app. App Tracking Protection, by contrast, blocks all third-party trackers in DuckDuckGo’s list of trackers across almost all apps by default once the feature is enabled. There are a few apps, such as web browsers and system apps, that may not function properly when third-party trackers are blocked, so App Tracking Protection is disabled for these apps by default, though users can enable it manually. DuckDuckGo says it is working to resolve these issues so it can expand the number of apps for which it can offer third-party tracking protection without disrupting the user experience.
DuckDuckGo found itself in hot water earlier this year when a privacy researcher discovered that DuckDuckGo’s web browser privacy protections contained a carve-out for LinkedIn and Bing trackers embedded in websites, allowing them to collect and share user activity data. DuckDuckGo’s search results are powered by Microsoft’s Bing search engine, and, according to the CEO of DuckDuckGo, the company’s search syndication agreement with Microsoft prevented DuckDuckGo from blocking Microsoft-owned properties in its browser. The CEO further stated at the time this news broke that the company was “tirelessly working behind the scenes to change this limited restriction.” It now appears that DuckDuckGo may have been able to work something out with Microsoft, as the blocklist for the App Tracking Protection feature contains both LinkedIn and Bing trackers.
That said, this blocklist isn’t fully exhaustive. We tested DuckDuckGo’s App Tracking Protection with three popular apps—Backdrops, Bingo Cleaner, and Duolingo—and found that the feature didn’t appear to block all of the trackers present in these apps. Taking Backdrops, which is a popular wallpaper app, as an example, App Tracking Protection informed us that it blocked both Google and Twitter trackers within the Backdrops app. However, Exodus Privacy, which scans apps for third-party tracking SDKs, found a total of thirteen trackers within Backdrops.
While five of these trackers belong to Google, and one to Twitter, the other other seven are split between Batch, IAB, and Facebook. The majority of these remaining trackers belong to Facebook, and while DuckDuckGo’s blocklist contains multiple Facebook trackers, it doesn’t list the specific tracking SDKs detected by Exodus Privacy in Backdrops. Thus, it seems that DuckDuckGo still has some work to do expanding its blocklist.
We should also mention a significant downside of DuckDuckGo’s App Tracking Protection for some users, which is that the feature cannot be enabled at the same time as an actual VPN or any other app that makes use of the VPN functionality. Android is limited to just one VPN at a time, meaning those already using this single VPN slot will have to choose whether to switch to App Tracking Protection or stick with whatever app is already enabled as a VPN. Some apps that usually use the VPN functionality can continue to work properly while another VPN is active if granted root privileges. DuckDuckGo’s App Tracking Protection feature doesn’t currently offer this capability, though most users don’t root their Android devices and the company may not want to encourage device rooting, as it can be a security risk.
Nonetheless, given the options currently available, DuckDuckGo’s App Tracking Protection feature looks to be a good system-wide anti-tracking tool for Android users, and we’re excited to see how it develops.