No edit summary
Fix, it has not since been enabled
Line 12: Line 12:
'''Sensor Tower''' is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.<ref name="buzzfeed-pxlnv">{{Cite web |last=Silverman |first=Craig |title=Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data |url=https://pxlnv.com/linklog/sensortower-banjo-apps/ |website=Pixel Envy |date=March 10, 2020 |access-date=May 30, 2026}}</ref><ref name="gizmodo">{{Cite web |title=At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data |url=https://gizmodo.com/at-least-20-vpn-and-ad-blocking-apps-with-35-million-do-1842228757 |website=Gizmodo |date=March 9, 2020 |access-date=May 30, 2026}}</ref> In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, [[StayFocusd]] (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.<ref name="tuckner">{{Cite web |last=Tuckner |first=John |title=Prompt poaching runs rampant in extensions |url=https://www.secureannex.com/blog/prompt-poaching/ |website=Annex Blog |publisher=Secure Annex |date=December 28, 2025 |access-date=May 30, 2026}}</ref><ref name="arnott">{{Cite web |last=Arnott |first=James |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |website=Am I Being Pwned? |date=May 11, 2026 |access-date=May 30, 2026}}</ref>
'''Sensor Tower''' is a San Francisco mobile- and digital-intelligence company whose consumer-facing products have been independently documented exfiltrating user data on two separate occasions. In March 2020, BuzzFeed News reported that the company had secretly operated at least 20 VPN and ad-blocking mobile applications since 2015, with more than 35 million collective downloads, that prompted users to install a root certificate granting access to all traffic passing through the phone.<ref name="buzzfeed-pxlnv">{{Cite web |last=Silverman |first=Craig |title=Popular VPN And Ad-Blocking Apps Are Secretly Harvesting User Data |url=https://pxlnv.com/linklog/sensortower-banjo-apps/ |website=Pixel Envy |date=March 10, 2020 |access-date=May 30, 2026}}</ref><ref name="gizmodo">{{Cite web |title=At Least 20 VPN and Ad-Blocking Apps With 35 Million Downloads Have Been Secretly Harvesting Data |url=https://gizmodo.com/at-least-20-vpn-and-ad-blocking-apps-with-35-million-do-1842228757 |website=Gizmodo |date=March 9, 2020 |access-date=May 30, 2026}}</ref> In December 2025 and again in May 2026, security researchers identified two Sensor Tower-owned Chrome extensions, [[StayFocusd]] (~700,000 users) & StayFree (~200,000 users), as carrying the infrastructure to capture user conversations with AI chatbots.<ref name="tuckner">{{Cite web |last=Tuckner |first=John |title=Prompt poaching runs rampant in extensions |url=https://www.secureannex.com/blog/prompt-poaching/ |website=Annex Blog |publisher=Secure Annex |date=December 28, 2025 |access-date=May 30, 2026}}</ref><ref name="arnott">{{Cite web |last=Arnott |first=James |title=The AI Chat Scraping Extension Wall of Shame |url=https://amibeingpwned.com/blog/ai-chat-scraper-wall-of-shame |website=Am I Being Pwned? |date=May 11, 2026 |access-date=May 30, 2026}}</ref>


== Background ==
==Background==


Sensor Tower was founded in 2013<ref name="st-about">{{Cite web |title=About Sensor Tower |url=https://sensortower.com/about |website=Sensor Tower |access-date=May 30, 2026}}</ref> & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.<ref name="cws-stayfocusd">{{Cite web |title=StayFocusd - Website Blocker & Focus Timer & Shorts Blocker |url=https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref> The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.<ref name="responsibly-sourced">{{Cite web |title=Responsibly Sourced Data |url=https://sensortower.com/responsibly-sourced-data |website=Sensor Tower |access-date=May 30, 2026}}</ref> Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.<ref name="responsibly-sourced" /><ref name="dataai-acquisition">{{Cite press release |title=Sensor Tower Acquires Market Intelligence Platform data.ai |url=https://www.prnewswire.com/news-releases/sensor-tower-acquires-market-intelligence-platform-dataai-302090753.html |publisher=Sensor Tower via PR Newswire |date=March 18, 2024 |access-date=May 30, 2026}}</ref>
Sensor Tower was founded in 2013<ref name="st-about">{{Cite web |title=About Sensor Tower |url=https://sensortower.com/about |website=Sensor Tower |access-date=May 30, 2026}}</ref> & lists 275 Battery Street, Suite 800, San Francisco, California as its publisher address on the Chrome Web Store.<ref name="cws-stayfocusd">{{Cite web |title=StayFocusd - Website Blocker & Focus Timer & Shorts Blocker |url=https://chromewebstore.google.com/detail/stayfocusd-%E2%80%93-website-bloc/laankejkbhbdhmipfmgcngdelahlfoji |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref> The company sells enterprise app & digital-advertising analytics, including its Store Intelligence, Ad Intelligence, Usage Intelligence & Pathmatics products, to brands, agencies, publishers & investors.<ref name="responsibly-sourced">{{Cite web |title=Responsibly Sourced Data |url=https://sensortower.com/responsibly-sourced-data |website=Sensor Tower |access-date=May 30, 2026}}</ref> Named clients listed by the company include Microsoft, Sky, Bandai Namco, Western Union, Procter & Gamble, Duolingo, Spotify, Coca-Cola & Activision Blizzard.<ref name="responsibly-sourced" /><ref name="dataai-acquisition">{{Cite press release |title=Sensor Tower Acquires Market Intelligence Platform data.ai |url=https://www.prnewswire.com/news-releases/sensor-tower-acquires-market-intelligence-platform-dataai-302090753.html |publisher=Sensor Tower via PR Newswire |date=March 18, 2024 |access-date=May 30, 2026}}</ref>
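Review bot: the `buzzfeed-pxlnv` reference in the lead paragraph credits Craig Silverman and carries the BuzzFeed headline, but its `url` points at pxlnv.com and its `website` is Pixel Envy, while the sentence it supports says "BuzzFeed News reported". Either cite the BuzzFeed News article directly or change the author and title fields so they describe the Pixel Envy page that is actually linked. The only change in this hunk, `== Background ==` to `==Background==`, is whitespace and unrelated to the stated fix.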
Line 18: Line 18:
Riverwood Capital is Sensor Tower's principal private-equity sponsor.<ref name="dataai-acquisition" /> On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.<ref name="dataai-acquisition" /> Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it would ''"optimising our team structure."''<ref name="gamesindustry">{{Cite web |title=Sensor Tower acquires data.ai |url=https://www.gamesindustry.biz/sensor-tower-acquires-dataai |website=GamesIndustry.biz |date=March 19, 2024 |access-date=May 30, 2026}}</ref> Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,<ref name="pathmatics">{{Cite press release |title=Sensor Tower Acquires Pathmatics, Scaling Trusted and Actionable Insights for the Digital Economy |url=https://www.businesswire.com/news/home/20210524005722/en/Sensor-Tower-Acquires-Pathmatics-Scaling-Trusted-and-Actionable-Insights-for-the-Digital-Economy |publisher=BusinessWire |date=May 24, 2021 |access-date=May 30, 2026}}</ref> & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.<ref name="pocketgamer">{{Cite web |title=Sensor Tower acquires StayFree and ActionDash apps |url=https://www.pocketgamer.biz/sensor-tower-acquires-stayfree-actiondash/ |website=PocketGamer.biz |date=June 22, 2020 |access-date=May 30, 2026}}</ref>
Riverwood Capital is Sensor Tower's principal private-equity sponsor.<ref name="dataai-acquisition" /> On March 18, 2024, Sensor Tower acquired its largest competitor in app market intelligence, data.ai (formerly App Annie), in a transaction financed by Bain Capital Credit; the combined company reported a customer base of more than 2,000 enterprises.<ref name="dataai-acquisition" /> Roughly 200 data.ai employees were laid off after the close as Sensor Tower stated it would ''"optimising our team structure."''<ref name="gamesindustry">{{Cite web |title=Sensor Tower acquires data.ai |url=https://www.gamesindustry.biz/sensor-tower-acquires-dataai |website=GamesIndustry.biz |date=March 19, 2024 |access-date=May 30, 2026}}</ref> Earlier acquisitions include the digital-ad-intelligence firm Pathmatics on May 24, 2021,<ref name="pathmatics">{{Cite press release |title=Sensor Tower Acquires Pathmatics, Scaling Trusted and Actionable Insights for the Digital Economy |url=https://www.businesswire.com/news/home/20210524005722/en/Sensor-Tower-Acquires-Pathmatics-Scaling-Trusted-and-Actionable-Insights-for-the-Digital-Economy |publisher=BusinessWire |date=May 24, 2021 |access-date=May 30, 2026}}</ref> & the digital-wellbeing apps ActionDash & StayFree on June 22, 2020.<ref name="pocketgamer">{{Cite web |title=Sensor Tower acquires StayFree and ActionDash apps |url=https://www.pocketgamer.biz/sensor-tower-acquires-stayfree-actiondash/ |website=PocketGamer.biz |date=June 22, 2020 |access-date=May 30, 2026}}</ref>


== Products ==
==Products==


Sensor Tower's enterprise business is built on what it calls a ''"first-party consumer panel"'' assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.<ref name="responsibly-sourced" /> The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties.
Sensor Tower's enterprise business is built on what it calls a ''"first-party consumer panel"'' assembled by acquiring & operating free consumer apps & browser extensions whose telemetry feeds the company's paid dashboards.<ref name="responsibly-sourced" /> The company markets this side of the business under the brand ST Pulse, which appears in the footer of Sensor Tower-owned consumer properties.
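Review bot: in the data.ai paragraph, "Sensor Tower stated it would ''"optimising our team structure."''" does not parse, because the quoted fragment does not fit the verb that introduces it. Reword the framing so the quoted words read grammatically, and check them against the cited GamesIndustry.biz article rather than altering the quotation itself. The edit leaves the sentence as it was in both revisions.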
Line 24: Line 24:
The two Chrome extensions currently flagged by independent researchers are [[StayFocusd]], a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,<ref name="cws-stayfocusd" /><ref name="arnott" /> & StayFree, a screen-time tracker with roughly 200,000 Chrome users.<ref name="cws-stayfree">{{Cite web |title=StayFree - Screen Time Tracker & Limit App Usage |url=https://chromewebstore.google.com/detail/stayfree-screen-time-trac/elfaihghhjjoknimpccccmkioofjjfkf |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref><ref name="arnott" /> Both extensions were classified ''Capability'' by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.<ref name="arnott" />
The two Chrome extensions currently flagged by independent researchers are [[StayFocusd]], a website-blocker & focus-timer with roughly 700,000 users that is published from the Sensor Tower developer account at 275 Battery St,<ref name="cws-stayfocusd" /><ref name="arnott" /> & StayFree, a screen-time tracker with roughly 200,000 Chrome users.<ref name="cws-stayfree">{{Cite web |title=StayFree - Screen Time Tracker & Limit App Usage |url=https://chromewebstore.google.com/detail/stayfree-screen-time-trac/elfaihghhjjoknimpccccmkioofjjfkf |website=Chrome Web Store |publisher=Sensor Tower |access-date=May 30, 2026}}</ref><ref name="arnott" /> Both extensions were classified ''Capability'' by James Arnott in May 2026, meaning the exfiltration code path & remote endpoints are wired up but did not fire during his sandbox observation window.<ref name="arnott" />


== Incidents ==
==Incidents==


=== 2020 BuzzFeed News VPN and ad-blocking app disclosure ===
===2020 BuzzFeed News VPN and ad-blocking app disclosure===


On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.<ref name="buzzfeed-pxlnv" /><ref name="gizmodo" /> None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.<ref name="buzzfeed-pxlnv" /> Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer ''"access all traffic and data passing through a phone."''<ref name="buzzfeed-pxlnv" /> Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.<ref name="buzzfeed-pxlnv" />
On March 9, 2020, Craig Silverman of BuzzFeed News reported that Sensor Tower had owned at least 20 Android & iOS apps since 2015, including Free and Unlimited VPN, Luna VPN, Mobile Data & Adblock Focus, with more than 35 million collective downloads.<ref name="buzzfeed-pxlnv" /><ref name="gizmodo" /> None of the listings disclosed Sensor Tower's ownership or that user data fed the company's analytics products.<ref name="buzzfeed-pxlnv" /> Once installed, the apps prompted users to install a root certificate from a third-party website, a small file that, in BuzzFeed's words, lets its issuer ''"access all traffic and data passing through a phone."''<ref name="buzzfeed-pxlnv" /> Apple & Google ordinarily restrict root-certificate privileges because of the security risk; Sensor Tower's apps bypassed those restrictions by completing the certificate install outside the store flow.<ref name="buzzfeed-pxlnv" />
Line 38: Line 38:
<!-- INCIDENT_SCORE: 85 | Silverman documented secret ownership of 20+ apps with 35M downloads; root-certificate vector gave access to all device traffic; Apple removed Adblock Focus & Google removed Mobile Data after press contact; named executive Randy Nelson confirmed non-disclosure was deliberate "for competitive reasons" -->
<!-- INCIDENT_SCORE: 85 | Silverman documented secret ownership of 20+ apps with 35M downloads; root-certificate vector gave access to all device traffic; Apple removed Adblock Focus & Google removed Mobile Data after press contact; named executive Randy Nelson confirmed non-disclosure was deliberate "for competitive reasons" -->


=== December 2025 Secure Annex "Prompt Poaching" identification ===
===December 2025 Secure Annex "Prompt Poaching" identification===


On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern:
On December 28, 2025, John Tuckner of Secure Annex published a technical analysis of what he called ''"prompt poaching,"'' a technique in which browser extensions capture & exfiltrate user conversations with AI chatbots.<ref name="tuckner" /> Tuckner's primary subject was the Similarweb extension, but in the same post he named Sensor Tower's StayFocusd as a second example of the same pattern:
Line 48: Line 48:
<!-- INCIDENT_SCORE: 65 | Named security researcher (John Tuckner / Secure Annex) explicitly identified StayFocusd & attributed it to Sensor Tower; coined the term "prompt poaching"; corroborated by Cybernews & The Hacker News; finding is "behaviorally similar code" reduced to metadata capture, not confirmed full-chat exfiltration -->
<!-- INCIDENT_SCORE: 65 | Named security researcher (John Tuckner / Secure Annex) explicitly identified StayFocusd & attributed it to Sensor Tower; coined the term "prompt poaching"; corroborated by Cybernews & The Hacker News; finding is "behaviorally similar code" reduced to metadata capture, not confirmed full-chat exfiltration -->


=== 2026 amibeingpwned Wall of Shame ===
===2026 amibeingpwned Wall of Shame===


On May 11, 2026, James Arnott published ''The AI Chat Scraping Extension Wall of Shame'' on amibeingpwned.com, classifying eight extensions across two buckets: ''Confirmed'' (AI-chat content observed leaving the browser during sandbox testing) & ''Capability'' (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).<ref name="arnott" /> StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified ''Capability'' with LZ-String light obfuscation.<ref name="arnott" />
On May 11, 2026, James Arnott published ''The AI Chat Scraping Extension Wall of Shame'' on amibeingpwned.com, classifying eight extensions across two buckets: ''Confirmed'' (AI-chat content observed leaving the browser during sandbox testing) & ''Capability'' (the exfiltration code path & remote endpoint are present & wired up but did not fire during the observation window, which Arnott attributed to server-side gating).<ref name="arnott" /> StayFocusd was listed at #4 with 700,000 users; StayFree at #7 with 200,000 users; both were attributed to Sensor Tower & both were classified ''Capability'' with LZ-String light obfuscation.<ref name="arnott" />
Line 54: Line 54:
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication:
Arnott reported that StayFocusd's AI-chat-scraping remote-config gate had flipped between an earlier test & publication:


<blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled. It has since been enabled.''</blockquote><ref name="arnott" />
<blockquote>''We saw StayFocusd set up their infrastructure for AI chat scraping. When we tested it before there was only a remote config which they could enable at any point, but it wasn't enabled.''</blockquote><ref name="arnott" />


He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence:
He also described a URL-exfiltration filter that was US-centric, listing exceptions for adult sites, US health sites & regex matches against US-format identifiers such as Social Security numbers & ZIP codes, with no equivalent protection for non-US users (UK users were named explicitly).<ref name="arnott" /> Arnott described the StayFree sibling extension in one sentence:
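Review bot: the lead-in kept directly above the blockquote still says the StayFocusd "remote-config gate had flipped between an earlier test & publication", which no longer agrees with the quotation once "It has since been enabled." is dropped. Reword the lead-in to match the edit summary, for example that the remote config was present but not enabled when tested. The blockquote is presented as Arnott's own words, so check the shortened text against the cited source and mark the omission if the source sentence is being left out deliberately.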
Line 62: Line 62:
<!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) -->
<!-- INCIDENT_SCORE: 75 | Independent sandbox-verified Capability classification by named researcher (James Arnott / amibeingpwned.com); remote-config gate for AI-chat scraping was active by publication date; PII filter is US-centric & breaks for non-US users; same publisher pattern observed in 2020 BuzzFeed disclosure (mobile apps) now extended to browser extensions (StayFocusd & StayFree, both Sensor Tower) -->


== See also ==
==See also==


* [[StayFocusd]]
*[[StayFocusd]]
* [[StayFree (Chrome extension)]]
*[[StayFree (Chrome extension)]]
* [[Browser extension AI chat exfiltration]]
*[[Browser extension AI chat exfiltration]]
* [[SimilarWeb]]
*[[SimilarWeb]]
* [[Owned it Ltd]]
*[[Owned it Ltd]]


== References ==
==References==


{{reflist}}
{{reflist}}
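Review bot: the INCIDENT_SCORE comment at the top of this hunk still reads "remote-config gate for AI-chat scraping was active by publication date", which contradicts the correction made to the blockquote in the previous hunk. Update the comment in the same edit, and revisit the score of 75 if it relied on that claim. The other changes here (`== See also ==`, `== References ==` and the list bullets losing their space) are whitespace only and would be easier to review as a separate edit.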