But is this yet another case of Chicken Little crying
that the sky is falling?

Pandora app security warnings

The Wall Street Journal has come forward with a lengthy article about Android and iOS applications, and how they transmit your data to advertisement companies. They assembled a selection of 101 smartphone apps (50 Android apps, 50 iOS apps, and the WSJ's iPhone app -- they haven't seen fit to release an Android version just yet) and found that 56 of them transmit unique identifying data from your smartphone.  More specifically -- apps are transmitting the unique device ID, age, location, gender, time spent using the app and other possibly personal identifying data.  Yes, it's wallpaper-gate all over again.  Let's dissect this a bit, after the break. [WSJ.com]

While Google says app makers bear all the responsibility for how their applications handle the data, Google does list all the permissions an application requests access to. We've all seen that list when we install apps, but let's be honest, most of us click right past. We shouldn't, but we do. So what happens to all this data that gets sent out?

Mobclix, which handles data for more than 15,000 apps over 25 different ad networks, describes it a bit. Basically, they take your device ID, scramble it so it's no longer humanly readable but can still be used as a key in a database, then match it against your location and get Nielsen demographic and spending habits data for your area. With this data, they claim to be able to place you in one of 150 "segments" -- categories like "soccer moms," or "die-hard gamers." This lets the ad company know what ads are likely to interest you. Mobclix does say that the categories are broad enough so that you can't be personally identified, and this is about "tracking people better."
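An added example, not code from Mobclix or the WSJ: it shows why a scrambled device ID still works as a tracking key, and how a per-app keyed digest breaks the cross-app link. The use of SHA-256, the per-app keys, and all device IDs, app names and ZIP codes are assumptions constructed for illustration; the article does not say how the scrambling is done.

```python
import hashlib
import hmac

def scramble(device_id):
    """Unsalted digest: unreadable to a person, but identical in every app."""
    return hashlib.sha256(device_id.encode()).hexdigest()

def scramble_scoped(device_id, app_key):
    """Keyed digest with a per-app secret: stable inside one app only."""
    return hmac.new(app_key, device_id.encode(), hashlib.sha256).hexdigest()

# Constructed sample reports; every value here is made up.
REPORTS = [
    {"app": "game", "device_id": "355000000000001", "zip": "53202"},
    {"app": "radio", "device_id": "355000000000001", "zip": "53202"},
    {"app": "radio", "device_id": "355000000000002", "zip": "10001"},
    {"app": "weather", "device_id": "355000000000002", "zip": "10001"},
    {"app": "game", "device_id": "355000000000003", "zip": "94103"},
]
# Hypothetical per-app secrets for the scoped variant.
APP_KEYS = {"game": b"k-game", "radio": b"k-radio", "weather": b"k-weather"}

def build_profiles(reports, scoped):
    """Group reports by scrambled ID, the way an ad database would key them."""
    profiles = {}
    for r in reports:
        if scoped:
            key = scramble_scoped(r["device_id"], APP_KEYS[r["app"]])
        else:
            key = scramble(r["device_id"])
        profiles.setdefault(key, set()).add((r["app"], r["zip"]))
    return profiles

def cross_app_profiles(profiles):
    """Profiles that tie one device to activity in more than one app."""
    return [p for p in profiles.values() if len({app for app, _ in p}) > 1]

if __name__ == "__main__":
    for scoped in (False, True):
        profiles = build_profiles(REPORTS, scoped)
        linked = cross_app_profiles(profiles)
        print(f"scoped={scoped}: {len(profiles)} profiles, {len(linked)} span several apps")
```

With the unsalted digest the five reports collapse into three device profiles, two of which follow a device across apps; with per-app keys no profile spans more than one app.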

Scary stuff? Maybe. But it's pretty familiar, as it's been happening on the Internet for years. Websites use tracking cookies to do the exact same thing, because there's money to be made in it. As a matter of fact, the Wall Street Journal shouldn't be throwing too many stones in this glass house. Michael Learmonth at Advertising Age found that the WSJ installs an average of 60 tracking files (which the WSJ does admit is true, and classifies their site as a "medium" risk) that followed users to sites like car dealerships, Players club, YouTube, SyFy, and more. And one of the Web's (and smartphone apps') biggest offenders, MySpace, is owned by the WSJ's parent company NewsCorp.

So what does all this really tell us?  For one, old media will do and say anything to scare people into pulling back from the "digital age," and are some of the biggest online offenders as well.  That and you're never alone on the Internet, which we all should know by now.  Pay attention to what an app does, ask yourself why an app needs your gender or age, and use some common sense.  It's not the end of the world if Paper Toss knows you drive a Toyota, no matter what people like Rupert Murdoch want you to believe.

 

Reader comments

WSJ reports smartphone apps can (and do) track user data

34 Comments

I think it is one thing to collect and use personal information and another to sell it or provide it to third parties without notifying users. The collection of information by apps is getting out of hand, but users can choose not to use them if they don't like the invasion of privacy. I switched to Slacker because it does not collect location data like Pandora.

The reality is that once data is disclosed, you have no control over how it is used. And the more information out there stored about you, the more likely it will also leak or be stolen, even if that company that held it wasn't planning to do anything "wrong" with it.

The other day I was googling some music titles, and later started playing a game (Wordup) and the ad at the bottom of the screen was for that same artist's album at some music download site I've never even heard of.

The WSJ article does raise some interesting points:
1. reputable web sites usually have privacy policies, but apps almost never have privacy policies
2. some of the user tracking violates the official policies of Apple and Google
3. the apps make little or no attempt to notify users about what is being tracked and also give the user no control over the tracking
4. some of the tracking is anonymized and some is not and there is no way for the user to tell exactly where their information is going

Bottom line is that while the existing apps may not be especially evil, there is little to stop evil apps from really taking advantage of this mess. And even a simple error can cause a lot of private information to get leaked.

Really? I had no idea this was happening........come on people, the apps give you this info upfront. It should be no surprise to anyone; before pressing download, the buyer is advised of this fact. Either you want to be a part of the information age or you don't. If you don't, buy a feature phone, put a rotary dial phone in your home, turn off your computer and buy a typewriter so you can stay safe from the big bad age of technology. In ten years from now when we are all implanted with CPU chips in our heads, we will look back at today's issues and laugh.

The problem with the permissions displayed before installing an app is that they only indicate what the app accesses, and that these categories are too broad. It's perfectly natural for Shop Savvy to access my location - it makes it possible to provide local retail pricing. An app like Ride Hopper can also access my location - to make sure I'm in a specific park before allowing me to submit ride wait times. Because both of these also require Internet access to work, it's *possible* for them to share my data, but there's no way for me to know if they will or not just by looking at the permissions.

But you see and understand that stuff.

It's the oddball stuff that they sneak in there that you whiz right past. Like it being able to see your contacts and phone status etc.

There should be a system level tool that controls the sandbox each app runs in, supplied by Google, and which allows you to see what the app might try to get, and block it.

If you end up killing the app's ability to function, you can always set to defaults. But you could quickly see and control the less than honest ones.

I really couldn't care about the information that they gather. In fact I would rather see ads that interest me since 85% of apps now are ad supported. So if I have to see them, show me something that I am interested in. But then again being rooted and running AdFree I never see an ad.

I saw this on Pandora but I think the reason for contacts permission is that you can send stations to anybody on your phonebook.

With Android, at least you know that Google has always made their money through advertisements. We all acknowledge that quietly, since it is their business.

With Apple, despite its iOS being a closed ecology, they are still selling their users' data. WHY?

You are never safe, or private. Take as many precautions as you can, but know that they have an army of hackers working for them. They will find you.

Hell, my Garmin GPS has ads pop up when I'm in certain areas, coupons or bonus point stuff. They all do it. Welcome to the age of technology. Be like that guy in Dukes of Hazzard, run around with a tin foil hat on.

I watch with interest as the "Big Brother is Watching" crowd wail about privacy invasion in one breath and demand more cool, unlimited , inventive and FREE programs in the second breath. Did anyone ever hear there was "no free lunch?"

Fast Freddie in Milwaukee

I think we all know what we, as the app downloader, are getting into. The educated tech savvy Android user will usually read the permissions that are in the security section of the app and, coupled with the comments that are posted from others that have the app, will determine if they want it or not. But if anyone knows anything about computer cookies, this kind of thing has been happening for years. I am sure it happens on iOS as well. You just have to be mindful of what you are downloading, read those comments and check sites like this one to help you out in case you aren't as Android savvy or are a new Android user. I am not afraid because some apps need some of those permissions for the app to do its job.

It *is* a huge/big deal about how apps are working behind the scenes to erode privacy.

Despite the article wording, a phone doesn't know your age or gender; not unless Google is computing that and helping them by disclosing such data. But there is PLENTY of very sensitive stuff on your phone.

What we *do* need is a layer in the OS that will specifically block apps from gaining access to what we don't want to disclose. It is not enough to just present some pseudo-disclosure at time of application installation. It is too easy to accidentally answer "yes" to something, especially when an application changes what it sends on a future update.

I mean, look at the Pandora Radio screen above- don't people think it is beyond spooky to give permission to have Pandora read to your contacts or send Email to them? How can that *ever* be acceptable?

We'll use Pandora as an example here, I'm sure there are others. (for the folks below, substitute the WSJ journal online, because it works the same way).

Your phone only sends what Pandora tells it to send. When you sign up for a Pandora account, you tell Pandora your age and gender. Same as when you sign up for a subscription for many websites. Google has nothing to do with it in this case, nor do any of the permissions -- it's sending the data you freely gave to Pandora. Remember, we're not talking about malicious applications here, these are legitimate apps that simply use a shady business practice to earn income.

I completely agree about some apps (like Pandora) asking to access things they don't really have any business accessing. That's why I don't install those apps, as that is shown to me before I install it.

While I kinda don't like it, I would rather have the app than not, so it's just the price/risk of getting what I want.

> Websites use tracking cookies to do the exact same thing

LOL this is just pure ignorance.

Depositing data and later collecting is absolutely nothing like grabbing arbitrary information from local storage (any app can do this to your SD card without your knowledge) or reading / uploading your contacts (many apps do this...)

The inherent permissions given to Android apps (such as access to the internet and the ability to access arbitrary files) is a disaster waiting to happen. I wonder where the next generation of Celebrity sex tapes will come from?

"The Wall Street Journal has come forward with a lengthy article about Android and iOS applications, and how they transmit your data to advertisement companies."

while your theories (they aren't facts, as they are wrong) may apply somewhere, it's not here.

Before you type out a reply -- please be prepared to tell us what app randomly uploads contacts, and what app can access your SD card without asking for permission before being installed. An Android application's "inherent permissions" only allow it to read and write to its own data directory (sandbox) -- everything else must be approved by the user.

The slant on this article really made no sense. As if this isn't really an issue. It is an issue and actually far bigger issue on Android than on iOS.

1. See above ^
2. If you read the source article, you'll see this is a bigger "issue" in iOS than it is in Android, with some apps even slipping through Apple's strict policies and sharing data that Apple does not allow to be shared. Walled garden only works when the man at the gate does his job.

Those saying this isn't like browsing the web on a computer.. you're very incorrect. To make my point without going into a super-long discussion, it's an information superhighway, right? Meaning it does go both ways.. not just one.

I think I posted about that WSJ article first lol. Although I think the WSJ over-hyped the story and it's really nothing new.. I said it before and I will say it again.. Android SHOULD HAVE the ability for the END USER (customer) to restrict/alter app permissions at THEIR DISCRETION, kinda like I CAN on my BB... This is why they will NEVER be taken seriously in business world. I for one do not allow this and have altered my hosts file to restrict this bull..I connect to my router/firewall, look at what the phone transmits to and then alter my hosts files accordingly.. Of course the average user will not do this lol..

I knew a lot of this, but it does better put in front of me some questions I had about why certain apps have perms that I don't see as needed. What I'd like is an app that summarizes all the perms for apps I have installed.
I am going to start watching more closely.
A lot of this happens with cookies. True, you can clear them after the fact, when it's too late, or turn them off. But if you do, most sites won't work properly.
But cookies don't have my phone number or location, or access to my contacts. In fact, we call things that go after contacts viruses, so as I think about it, I'll be removing most apps that have contacts listed.
Devs, I'd pay you more money directly for a non-sharing version, CAN YOU HEAR ME NOW?
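An added example, not part of any comment above and not code from Android or any app named on this page: a permission summary of the kind asked for in the comments, which also makes the earlier point that a data permission plus Internet access shows what an app could share, not whether it does. The package names and manifests are constructed placeholders, and the manifests are assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"
# Data-bearing permissions named in the article and comments.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone state / device ID",
}

def manifest(*perms):
    """Build a constructed, decoded-text manifest for a hypothetical app."""
    body = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
        f"{body}</manifest>"
    )

# Constructed sample input: package names are placeholders, not real apps.
MANIFESTS = {
    "com.example.pricecheck": manifest("INTERNET", "ACCESS_FINE_LOCATION"),
    "com.example.wallpaper": manifest("INTERNET", "READ_CONTACTS", "READ_PHONE_STATE"),
    "com.example.notes": manifest("READ_CONTACTS"),
}

def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml):
    """Report capability only: what could leave the phone, not what does."""
    perms = requested_permissions(manifest_xml)
    data = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    network = NETWORK in perms
    return {"network": network, "data": data, "can_share": network and bool(data)}

def summarize(manifests):
    return {pkg: audit(xml) for pkg, xml in manifests.items()}

if __name__ == "__main__":
    for pkg, result in summarize(MANIFESTS).items():
        flag = "REVIEW" if result["can_share"] else "ok"
        print(f"{flag:6} {pkg}: network={result['network']} data={result['data']}")
```

The price-check and wallpaper samples are both flagged, which is the commenter's point: the manifest cannot tell a legitimate location lookup from data sharing, so a flag means "inspect the traffic", not "this app leaks".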

The ones you need to worry about are NSA, DHS, FBI, ATF, DOJ, CIA, TSA, DOD. Just to name a few that you hope are not tracking you. But I put Google up there with them, especially after the China incident.
How many of you are on Facebook, Twitter and the likes. How many play things like Mafia wars or even online games through the PS3 or other things. You know how they track you with ezpass and if you pay with a credit card for a MTA metro card. You have no idea how many bad guys we catch like that.
So now just add your apps to the list and one day you might see my black helo over your car.......or house.

Old news, it's been repeated all over the place on newsfeeds and forums. There are a few wallpaper and "bogus" apps on the market that do this very thing. The wallpaper app from China definitely tracks your IMEI, phone and contact info and even your location, but the dev denies everything but was proven again by an independent research group that used a custom Android ROM to monitor app activities.

There are A LOT of legit and good apps and developers, but you gotta watch what you install and read up on the review comments. Live wallpapers don't need any permissions, for instance.

I really have no qualms with this whole data taking issue. I have nothing to hide. If you're so paranoid about it I'm sure there is some missile silo you can hide in, and a homing pigeon you can use. Cars track your mileage and your driving habits, some even upload this information to manufacturers. Doesn't mean you're going to stop driving and get a bike. Nothing is as secure or private as anyone really wants it to be. Just move on. There are more important things to fret about. I hate when the media incites fear in people with dumb stuff like this. Just stick to the news.

Most of these are free ad-driven apps and anyone using them should already know that means targeting ads toward you to support the app. Some like weather apps among others might need to transmit your location to um.... work maybe?
For the most part the WSJ article is a load of c&ap!!