Smartphone owners who granted “always allow” location access to a weather widget or prayer-time app may have unknowingly fed their precise coordinates to a commercial data broker that sold the information onward. The Federal Trade Commission’s January 2024 enforcement action against X-Mode Social, Inc. and its successor Outlogic exposed exactly that supply chain: software development kits embedded inside third-party apps collected location data even when those apps were not actively open, then routed it to a broker that packaged and resold it. The case offers a concrete blueprint for anyone who wants to find, and shut down, background location tracking on their own device.
Why revoking background location access matters right now
The FTC’s action against X-Mode Social did not target a single rogue app. It targeted the data pipeline that sat behind dozens of apps. According to the agency, X-Mode embedded its SDK inside third-party applications and collected precise location data tied to sensitive categories, including visits to health clinics, houses of worship, and domestic-violence shelters. That data was then sold or licensed to other companies. The agency’s order against the broker required the company to delete previously collected records and obtain affirmative consent before gathering or sharing precise location information going forward.
The practical consequence for phone owners is direct. An app that appears harmless on the surface, such as a fuel-price finder or a local-news reader, can carry an embedded SDK that quietly pings a user’s GPS coordinates at regular intervals. Those pings continue as long as the operating system grants background location permission. Revoking that permission severs the data flow at the source, regardless of what the app’s developer or any downstream broker intends to do with the information.
A reasonable expectation is that users who revoke background location permission from apps whose developers have appeared in FTC location-data enforcement dockets will see a measurable drop in unexpected location-sharing network traffic within 30 days. That expectation rests on a simple mechanical fact: without the operating-system permission, the SDK cannot access GPS hardware. The FTC case makes clear that the collection depended on that access being granted and maintained.
How the X-Mode SDK supply chain worked inside everyday apps
The enforcement record filed as the X-Mode case file describes a three-layer data supply chain. At the first layer, app developers integrated X-Mode’s SDK into their own products. The SDK ran inside the app but operated independently, collecting the device’s latitude and longitude at intervals set by X-Mode rather than by the host app’s developer. At the second layer, X-Mode aggregated those coordinates from multiple apps and enriched them with timestamps, device identifiers, and inferred location categories. At the third layer, the company sold or licensed the enriched dataset to downstream buyers.
The FTC alleged that consumers who downloaded the host apps had no meaningful way to know that an SDK inside the app was transmitting their coordinates to a separate company. Permission prompts on iOS and Android ask whether a user wants to share location with the app itself. They do not disclose which third-party SDKs ride along inside that app or where the data ultimately travels. That gap between what the permission dialog says and what actually happens is the core tension the enforcement action addressed.
The order imposed specific obligations. X-Mode and Outlogic must stop selling or licensing precise location data that could reveal visits to sensitive locations. The company must delete location data it collected without proper consent. And before collecting or sharing precise location information in the future, it must obtain affirmative express consent from users, meaning a clear opt-in rather than a buried clause in a privacy policy. These requirements apply regardless of whether the data is collected through an SDK, a direct app, or any other technical method.
How to audit background location permissions on a phone
Both iOS and Android now surface which apps hold background location access, though the path differs by operating system. On an iPhone running iOS 16 or later, opening Settings, then Privacy and Security, then Location Services displays every app along with its current permission level. Apps labeled “Always” can track location even when they are not in use. Tapping any entry lets the user switch to “While Using,” “Ask Next Time,” or “Never.” On Android 12 and later, the equivalent path is Settings, then Location, then App Location Permissions, where apps are grouped by whether they are allowed all the time, only while in use, or not at all.
The X-Mode case suggests a specific audit strategy beyond simply scanning the list. Users can look for apps they rarely open yet that hold “always” permission. A flashlight utility or a coupon aggregator with perpetual location access is a red flag. Cross-referencing the developer name listed on the app’s store page against public FTC enforcement records adds another layer of scrutiny. The FTC maintains a searchable database of cases and proceedings where developer and broker names appear in full.
After revoking background access, users can monitor battery and data usage for changes. An app that previously consumed noticeable background data or battery life but drops to near zero after the permission change was likely transmitting location coordinates on a recurring basis. That is not definitive proof of misuse, but it is a strong signal that the app was doing more in the background than its visible features would suggest.
Deciding which apps truly need “always” access
Not every request for continuous access is inappropriate. Navigation tools that provide turn-by-turn directions, safety apps that share real-time location with trusted contacts, and system-level services that support lost-device recovery may legitimately need to track a phone in the background. The key is whether the app’s core function clearly depends on that capability and whether the developer explains the need in plain language.
For everything else, “while using” is usually sufficient. A weather app can determine a forecast when it is opened, without polling location every few minutes around the clock. A shopping app can find nearby stores when a user taps a map icon. If an app stops working entirely when switched to “while using,” that is a cue to reconsider whether it is worth keeping installed at all.
Users can also take advantage of temporary permissions. Both major mobile operating systems now offer options that grant access just once or only for the current session. Choosing those options for apps that are used infrequently-such as airline apps that are opened only on travel days-reduces the window during which background tracking is even possible.
What the X-Mode case signals for the broader ecosystem
The FTC’s action does not eliminate the location-data market, but it does reshape its risk calculus. Brokers that once relied on obscure SDKs embedded in unrelated apps now face the prospect of being forced to delete entire datasets if they cannot demonstrate valid consent. App developers that previously treated SDK integrations as a quiet revenue stream must now consider whether those integrations expose them to enforcement or user backlash.
For individuals, the most immediate takeaway is that operating-system controls remain a powerful privacy tool. The X-Mode supply chain depended on a simple yes-or-no gate: if the phone said “always allow,” the SDK could harvest coordinates continuously; if the phone said “never,” the pipeline went dry. No broker can retroactively reconstruct precise GPS trails that were never collected in the first place.
As regulators continue to scrutinize how location information is gathered and traded, users who periodically audit their permissions, pare back “always” access to the minimum necessary set of apps, and delete software they do not truly need can materially reduce the amount of sensitive data in circulation about their daily movements. The X-Mode case shows that even when the data economy operates out of sight, the settings on a single device still carry real leverage.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
