The TLDR
If you’re not paying for the app, your data is the payment. This isn’t a metaphor — it’s the literal revenue model. A free app makes money by collecting your behavioral data through advertising and analytics SDKs, packaging that data into profiles, and selling access to those profiles to advertisers. The average free app includes 10–30 third-party SDKs, each collecting its own data set. By the time you open the app, your device ID, location, contacts, and usage patterns have already been transmitted to companies you’ve never heard of.
The Reality
Here’s the business model of a free app:
- Revenue source: Advertising (display ads, in-app purchases promoted via targeted ads)
- Advertising requires: Behavioral data to target ads effectively
- Behavioral data requires: SDKs that collect it
- SDKs require: Permissions (location, contacts, device ID, usage data)
- Permissions require: You tapping “Allow” without reading
The result: the app is a data collection vehicle that happens to provide a service. The service gets you to install it. The data collection is the business.
How It Works
The SDK Layer
When a developer builds a free app, they don’t write their own advertising or analytics code. They integrate third-party SDKs — Software Development Kits — from companies like:
- Facebook SDK: Tracks app installs, in-app events, and connects your activity to your Facebook profile. Even if you don’t have a Facebook account, the SDK collects a device-level identifier.
- Google Analytics / Firebase: Tracks user behavior, session length, feature usage, crashes, and demographics.
- Adjust / AppsFlyer / Branch: Attribution SDKs that track which ad you clicked before installing the app. They collect device IDs, IP addresses, and install/open events.
- Ad networks (AdMob, Unity Ads, IronSource): Serve ads and collect behavioral data to improve targeting.
Academic research from UC Berkeley found that the average free Android app includes 15–20 third-party trackers. Some apps include over 30.
Each SDK collects its own data independently. The developer may not even know exactly what each SDK transmits, because the SDKs are closed-source black boxes.
Chinese-Operated Apps
TikTok and Temu deserve specific attention because their data practices differ from Western apps in legally meaningful ways.
TikTok (ByteDance): China’s 2017 National Intelligence Law requires Chinese organizations to “support, assist, and cooperate with national intelligence efforts.” ByteDance, TikTok’s parent company, is a Chinese company. While TikTok maintains that US data is stored on Oracle servers in the US (Project Texas), the legal obligation to cooperate with Chinese intelligence remains.
What TikTok collects: keystroke patterns, clipboard content, device identifiers, location, contacts (if permitted), browsing history within the app, biometric identifiers (faceprint, voiceprint), and content of messages. The FTC and multiple state attorneys general have brought actions against TikTok over its data practices, particularly regarding children’s data.
Temu (PDD Holdings): The Temu class action filings alleged that the app requests permissions far exceeding what a shopping app needs — camera, microphone, contacts, call logs, precise location — and described the specific combination as creating “spyware-level” data access.
The distinction isn’t just what’s collected — it’s who has legal access to it. Data collected by a US company is subject to US legal process. Data collected by a Chinese company is subject to Chinese national security law.
The Permission-Collection Pipeline
The data flow works like this:
- You install an app and grant permissions
- SDKs embedded in the app collect data from those permissions
- Data goes to the SDK provider’s servers (Facebook, Google, Adjust, etc.)
- SDK providers enrich the data and sell it through their ad platforms
- Data brokers buy aggregated data from ad platforms and SDK providers
- The enriched data feeds back into targeting for more ads
Your weather app’s location data flows through this pipeline. Your flashlight app’s device ID flows through this pipeline. Your free game’s usage patterns flow through this pipeline.
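The SDK layer and the permission pipeline described above can be checked from the outside. The following is an added example, not code from any app or vendor named here: it matches an app's class names against the package prefixes of the SDKs listed earlier and pulls the sensitive permissions out of a decoded AndroidManifest.xml. The sample manifest, class list and function names are constructed for illustration, and the prefix table is not exhaustive.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Package prefixes of SDKs named in the article (illustrative, not exhaustive).
TRACKER_PREFIXES = {
    "com.facebook.appevents.": "Facebook SDK",
    "com.google.firebase.analytics.": "Firebase Analytics",
    "com.google.android.gms.ads.": "AdMob",
    "com.adjust.sdk.": "Adjust",
    "com.appsflyer.": "AppsFlyer",
    "io.branch.referral.": "Branch",
    "com.unity3d.ads.": "Unity Ads",
    "com.ironsource.": "IronSource",
}
# Permissions behind the data types the article lists.
SENSITIVE = {"android.permission." + p for p in (
    "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "READ_CONTACTS",
    "READ_CALL_LOG", "CAMERA", "RECORD_AUDIO")}
SENSITIVE.add("com.google.android.gms.permission.AD_ID")  # advertising ID

def find_trackers(class_names):
    """Names of known SDKs whose package prefix appears in the class list."""
    return sorted({name for cls in class_names
                   for prefix, name in TRACKER_PREFIXES.items()
                   if cls.startswith(prefix)})

def sensitive_permissions(manifest_xml):
    """Sensitive permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {node.get(ANDROID_NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for node in root.iter(tag)}
    return sorted(requested & SENSITIVE)

def audit(manifest_xml, class_names):
    """Embedded SDKs run inside the app, so they share the permissions it holds."""
    return {"trackers": find_trackers(class_names),
            "sensitive_permissions": sensitive_permissions(manifest_xml)}

# Constructed sample input: a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
SAMPLE_CLASSES = ["com.example.flashlight.MainActivity", "com.adjust.sdk.Adjust",
                  "com.facebook.appevents.AppEventsLogger"]

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

Prefix matching is deliberately narrow: `com.facebook.appevents.` is matched rather than `com.facebook.` so that unrelated Facebook open-source libraries bundled in an app are not reported as trackers.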
What “Free” Actually Costs
A 2019 study published in the Journal of Marketing Research estimated that the average American’s personal data is worth approximately $240 per year to advertisers. For heavy social media and app users, that figure is higher.
But the cost isn’t just monetary. The data collected by free apps has been used for:
- Political targeting: Cambridge Analytica used Facebook app data to build voter profiles for political campaigns
- Insurance pricing: Health and fitness app data sold through brokers to insurance companies
- Employment screening: App usage patterns and social media data used in hiring decisions
- Government surveillance: Commercial app data purchased by government agencies to track individuals without warrants
What You Can Do
The Cost-Benefit Decision
For each free app on your phone, ask: what would it cost me to use a paid alternative that doesn’t collect data? Often the answer is $2–$5/month. Compare that to what you’re giving up.
Permission Management
- Audit your permissions — review what each app has access to and revoke everything that isn’t essential to the app’s core function
- Use approximate location where available instead of precise
- Deny “Always” location — most apps work fine with “While Using” or no location at all
Privacy Labels
- iOS App Store: Check the Privacy Nutrition Labels before installing. They show what data is collected and whether it’s linked to your identity.
- Google Play Store: Check the Data Safety section. Note that this is self-reported by developers and less verified than Apple’s labels.
Alternative Apps
Privacy-respecting alternatives exist for most categories:
- Weather: Open-Meteo (no tracking)
- Navigation: OsmAnd (OpenStreetMap, offline, no tracking)
- Email: ProtonMail / Tutanota (encrypted, no ad model)
- Browser: Firefox / Brave (ad-blocking, anti-tracking built in)
The tradeoff is usually convenience or polish for privacy. Whether that tradeoff is worth it depends on your threat model.
Sources & Further Reading
- UC Berkeley ICSI: Mobile App Tracking — academic research on SDK-level data collection
- FTC Commercial Surveillance Report — federal analysis of data collection practices by major tech companies
- Temu Class Action Filings — legal documentation of Temu’s alleged data practices
- EFF: Mobile Privacy — practical mobile privacy guidance
- Apple App Store Privacy Labels — Apple’s data collection disclosure framework
- ByteDance / TikTok Data Practices — TikTok’s own disclosures (read critically)