arter4 | 1 year ago
>Hackers appear to have targeted a US location tracking firm Gravy Analytics. It collects information through smartphones, including people's precise movements, and then provides it to other companies or governments.
So... those companies sold their customers' data to Gravy Analytics? You know, Cambridge Analytica style? And these hackers just siphoned data from this tracking company?
>He also told Sky News the apps named in the leak weren't necessarily working with Gravy Analytics.
>Instead, he said, software development kits used in the apps appeared to be sending off users' location data.
So... those companies used SDKs from Gravy Analytics which secretly phoned home users' data to this tracking company?
Not sure what's worse, but if this is really the case, it highlights deep flaws in the way major companies evaluate their "software supply chain".
Also, from a more technical standpoint, single API calls following an established specification (assuming that's what those SDKs actually do) should be favored over SDKs. If you send a POST containing certain data, there's no way the destination gets other data from you, unless your HTTP client is vulnerable and can somehow be attacked by the company who owns those APIs.