Mobile Apps Invading Your Privacy

[April 8: We've added some more information in a follow-up post]

Background

An article in the Wall Street Journal, dated April 5, 2011, disclosed that federal prosecutors in New Jersey are investigating numerous smartphone application manufacturers for allegedly obtaining personal private information illegally and distributing it to third-party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device unique identifier off the device, while 47 transmitted the phone’s location. Five of the tested applications leaked personal information such as user gender and age.

Analysis

The folks at the Veracode research team decided to spend a bit of our time today breaking apart one of the accused applications to see what could be found within the code. Given what was written in the Journal article, we thought it would be most interesting to take an in-depth look through the Pandora application for the Android platform. A quote from the article states the following about the Pandora application:

In Pandora’s case, both the Android and iPhone versions of its app transmitted information about a user’s age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

Our first step was to analyze the application using the Veracode platform. We followed up the automated static analysis with a manual analysis of the compiled dex code. The results were fairly interesting. The Pandora for Android application appears to be integrated with a number of advertising libraries. Specifically we found FIVE (yes that’s FIVE!) advertisement libraries compiled into the application: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets. Looking even closer, we analyzed each of the modules to determine the type of data they access.

The first libraries we decided to break apart were AdMarvel and AdMob. The AdMarvel library references the AdMob library fairly significantly. AdMob in particular accesses the GPS location, application package name, and application version information. Additionally, there were variable references within the ad library that appear to transmit the user’s birthday, gender, and postal code information. The code snippets below are taken from a decompilation of the AdMob library where GPS locations are being gathered. As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data:

public static Location getCoordinates(Context unknown)
{
.... SNIP ....
        String str1 = "android.permission.ACCESS_COARSE_LOCATION";
        int m = unknown.checkCallingOrSelfPermission(str1);
.... SNIP ....
        String str2 = "android.permission.ACCESS_FINE_LOCATION";
        int n = unknown.checkCallingOrSelfPermission(str2);

We can also see where the library actually attempts to capture GPS location information on a continuous looping mechanism:

        int i4 = Log.d("AdMobSDK", "Trying to get locations from GPS."); 
        localObject2 = (LocationManager)unknown.getSystemService("location"); 
        if (localObject2 == null) break label428; 
        Criteria localCriteria = new Criteria(); 
        localCriteria.setAccuracy(1);
        localCriteria.setCostAllowed(0); 
        localObject3 = ((LocationManager)localObject2).getBestProvider(localCriteria, 1); 
.... SNIP ....
        int i5 = Log.d("AdMobSDK", "Cannot access user's location.  Permissions are not set.");
.... SNIP ....
        int i6 = Log.d("AdMobSDK", "No location providers are available.  Ads will not be geotargeted."); 
.... SNIP ....
        if (Log.isLoggable("AdMobSDK", 3)) int i7 = Log.d("AdMobSDK", "Location provider setup successfully."); 
        AdManager.1 local1 = new AdManager.1((LocationManager)localObject2); 
        Looper localLooper = unknown.getMainLooper(); 
        ((LocationManager)localObject2).requestLocationUpdates((String)localObject3, 0L, 0.0F, local1, localLooper);

We also saw references to the user’s gender:

        Object localObject = k; Gender localGender1 = Gender.MALE;
        if (localObject == localGender1)
       {
            localObject = "m";
       } while (true) {
      return localObject;

      Gender localGender2 = k; 
      Gender localGender3 = Gender.FEMALE; 
      if (localGender2 == localGender3) { localObject = "f"; continue; } 
      localObject = null;

And of course, access of the infamous Android ID value (android_id):

      if (f == null) { Object localObject1 = unknown.getContentResolver();
      localObject2 = localObject1;
      localObject1 = Settings.Secure.getString((ContentResolver)localObject2, "android_id");

The analysis into the remaining libraries resulted in even more of the same. The SecureStudies library accesses the android_id and directly sends a hash of the data to http://b.scorecardresearch.com while the Medialets library accesses the device’s GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address.
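
As an added illustration (not code from the original post or from any of the libraries it examines), the Python sketch below cross-checks data-access calls like those in the snippets above against the permissions an app's manifest declares. It assumes the install-time permission model, where a call gated by an undeclared permission cannot succeed while reading android_id needs no permission; the manifest, the package com.example.radio and the file name adlib/AdManager.java are constructed sample inputs.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data sources seen in the decompiled snippets, mapped to the manifest
# permissions that gate them. Reading android_id needs no permission.
SOURCES = {
    "location": (re.compile(r"requestLocationUpdates|getLastKnownLocation"),
                 {"android.permission.ACCESS_COARSE_LOCATION",
                  "android.permission.ACCESS_FINE_LOCATION"}),
    "android_id": (re.compile(r'Settings\.Secure\.getString\(.*?"android_id"'),
                   set()),
}

# Constructed sample manifest (not Pandora's actual manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: lines modelled on the decompiled snippets above.
SAMPLE_SOURCES = {
    "adlib/AdManager.java": '''
        int m = unknown.checkCallingOrSelfPermission(str1);
        ((LocationManager)localObject2).requestLocationUpdates((String)localObject3, 0L, 0.0F, local1, localLooper);
        localObject1 = Settings.Secure.getString((ContentResolver)localObject2, "android_id");
    ''',
}


def declared_permissions(manifest_xml):
    """Return the set of permissions named in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml, sources):
    """List (file, data source, status) for every data-access call found."""
    granted = declared_permissions(manifest_xml)
    findings = []
    for path, code in sorted(sources.items()):
        for name, (pattern, needed) in SOURCES.items():
            if not pattern.search(code):
                continue
            if not needed:
                status = "reachable: no permission required"
            elif needed & granted:
                status = "reachable: permission declared"
            else:
                status = "dormant: permission not declared"
            findings.append((path, name, status))
    return findings


if __name__ == "__main__":
    for path, name, status in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(f"{path}: {name}: {status}")
```

A "dormant" finding means the call is compiled into the app but is gated by a permission the manifest never declares, which is why a review of an ad library needs the host app's manifest alongside the library code.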

Conclusion

So what does this mean to the end user? It means your personal information is being transmitted to advertising agencies in mass quantities. As more and more “free” applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms. The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person’s life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.


saad | April 6, 2011 4:41 am

Thanks for this very informative post. While previous articles I’ve read in the WSJ or elsewhere discussed such things previously, this adds some real and serious meat to what may have been perceived as mere speculation up to this point.

Great job!

Steve | April 6, 2011 1:58 pm

Are there any known dangers with transmitting the device’s UDID? Can this value be used to uniquely identify an individual?

Fingered by Your Music Player : Droid Lust! | April 6, 2011 4:06 pm

[...] Pandora music player has, according to reports, been sending every scrap of data it could suck out of your phone to pretty much anybody who wants [...]

links for 2011-04-06 (Jarrett House North) | April 6, 2011 9:00 pm

[...] Mobile Apps Invading Your Privacy You know that free services make their money on advertising, but what does that mean? How does one app that talks to five advertising services without explicit approval sound? (tags: security android mobile) [...]

androboy | April 7, 2011 6:42 am

I found Pandora in the Android market and checked what permissions it was requesting. It included network communications and personal information but location was not specifically called out. Seems like a major failure somewhere for not calling this out explicitly.

ptrace | April 7, 2011 8:30 am

Was any investigation done into whether Pandora sends the same data if a user has a paid subscription to the service (ad free)? It’s one thing for an ad supported free application to collect information to ‘pay the bills’ (though to do it without disclosure is still a bit sleazy), but that amount of data to be harvested from a paying customer is a huge breach of trust.

MB | April 7, 2011 12:12 pm

Any analysis done on the Blackberry Pandora client? It seems that Blackberries allow the owner more granular control over what an app is allowed to do on the phone, so maybe BB users can restrict this information from being sent?

If you do restrict it, does the app break?

Lyn | April 7, 2011 5:12 pm

But when people download the application aren’t they automatically agreeing to the company’s Terms Of Service which mentions that this information will be used?

Miscellaneous News: Pandora mobile app found to be sending birth date, gender and location information | April 7, 2011 6:26 pm

[...] Pandora mobile app found to be sending birth date, gender and location information We still haven't heard much more about that Federal Grand Jury investigation into Pandora and other mobile apps over privacy concerns, but an independent security firm has now gone ahead and taken matters into its own hands. According to an analysis done by the folks at Veracode, Pandora does indeed seem to be sharing more information about you than it lets on. More specifically, they found that the Android app (they haven't yet gotten around to the iOS version) "appears" to be sending information about users' birth date, gender, Android ID and GPS location to various advertising companies — bits of information that the firm notes could be combined to determine who someone is, what they do for a living, and even who they associate with. For its part, Pandora is simply declining to comment at the moment, and we're guessing that's unlikely to change anytime soon given the aforementioned investigation. Hit up the source link below for Veracode's complete findings. [Source: Veracode] [...]

PacoBell | April 7, 2011 7:25 pm

Just because an app or module requests COARSE_LOCATION and FINE_LOCATION in the code doesn’t mean it necessarily gets to do that. If it’s not started as such in the manifest, Android will forbid it. And, as such, Pandora has no mention of location, coarse or fine, anywhere in said manifest. Did you also perform any network captures to verify your suspicions? Granted, such data would probably be encrypted, but did you even try?

Dave | April 7, 2011 8:58 pm

@Lyn:

Possibly. But tell me, when you install software, do you read every last letter of the EULA, or do you simply scroll through and click “yes”? We as technology users are so inundated with our computers, websites, smart devices, etc, asking us if we agree to something that most people simply click yes and move on. It’s a failing of both the developers of the software and the end users. It doesn’t help that a typical EULA is full of legalese that the average person can’t understand.

I hate dumbing things down, but I think that might be just what is needed to get people to read things before they agree to them. Here’s another issue with TOS; some websites state at the bottom, in small print, that by using the site you agree to their terms and conditions. Try zuken.com and look at the bottom. How can you agree to something you haven’t read? I applaud Veracode for not pulling this stunt. :)

JT | April 7, 2011 10:33 pm

This is just bad reporting, not only does the Pandora app on Android not request the GPS location (thus not being able to get your location) but in the code snippets above you can see where the AdMob library requests location but is denied location because the app using the library (in this case, Pandora) did not request those permissions from the user so the location wasn’t even sent.

Horrible journalism… let’s scare everyone out there and throw a company under the bus who’s not even doing what they’re being accused of doing.

Bembo | April 8, 2011 5:08 am

I’m very curious to know how Android is able to find out the user gender…

Pandora's Box | Newsgeek | April 8, 2011 8:19 am

[...] it shares its information with third parties, and if so, with whom. The company Veracode, who saw the investigation into Pandora and other applications that appeared in the WSJ, [...]

Jon | April 8, 2011 10:16 am

“As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data”

This code you reference is NOT requesting permissions, it is merely checking whether said permissions HAVE BEEN requested by the parent app. Permissions are requested in the Android Manifest file and would show up when you go to download the app in “Security”. I just checked, and Pandora does not request location permissions at all and also the GPS is never turned on when running Pandora.

You should really understand what the code means before you make asinine assumptions about it.

Are Your Apps Ratting You Out? | April 8, 2011 12:02 pm

[...] Veracode decided to test one of the accused applications, Pandora for Android, and the results are…not good. Veracode tore the application down and found five advertisement libraries, most of which offered up information ranging from the invasive (gender) to the ridiculous (altitude? How will THAT have an effect on advertising?) [...]

ZeroDay Labs blog » Mobile App Privacy Continued… | April 8, 2011 1:47 pm

[...] blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside [...]

Pandora’s Android app gathers personal info, report says | April 9, 2011 12:49 am

[...] “In siege some of this information is uninteresting, though when gathered into a singular unifying picture, it can yield some poignant discernment into a person’s life,” resolved Veracode researcher Tyler Shields in a Tuesday blog post. [...]

Barry Havemann | April 11, 2011 10:02 am

Maybe I’m a bit paranoid but experience warns me to be _far_ more concerned about government access to all of this information. Consider:

this data is getting cheap enough that even a local cop running your plate in a parking lot could instantly access virtually all of your very personal data and where you’ve been and what you’ve been doing all day.

We all do perfectly legitimate things we’d rather remained private. Advertisers are a nuisance but that’s controllable. However I think most of us would be uncomfortable, perhaps frightened, at the thought that some entity could be dogging our every footstep.

Is My Phone Spying on Me? Pandora & Other App Creators Subpoenaed For Sharing Your Private Information… « Evo4You.com | April 13, 2011 11:28 am

[...] According to Veracode, an application security company that analyzed the Pandora Radio App, the Pandora app for Android finds, gathers, and transmits mass quantities of personal data to advertising agencies which includes your birthday, gender, postal zip code, your phone’s unique device ID, and even your GPS coordinates! You can learn more on Veracode’s study of the Pandora Radio app on Tyler Shields blog post here. [...]

cardinal | April 14, 2011 2:58 pm

Don’t Apple and Google have policies about doing this type of thing…I can understand Google not checking apps as they tend to be “all care no responsibility”, however doesn’t Apple state that it checks all apps, and if so doesn’t the responsibility for ensuring that apps that attempt to do this fall on Apple with regard to the iDevices. Do Windows Phone 7 and Symbian phone/app allow this?

hanson | April 15, 2011 9:08 am

1) Study had ONE error:
“As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data”

This code you reference is NOT requesting permissions, it is merely checking whether said permissions HAVE BEEN requested by the parent app. Permissions are requested in the Android Manifest file and would show up when you go to download the app in “Security”. I just checked, and Pandora does not request location permissions at all and also the GPS is never turned on when running Pandora.

You should really understand what the code means before you make asinine assumptions about it.”

Comment by Jon — April 8, 2011 @ 10:16 am

2) study correction on the ONE error made:

“As you can see, GPS access is NOT included in that list. There was an error in the original post we made stating that some of the library code was requesting permissions from the Google system for GPS access, and as the commenter pointed out, that is incorrect. The code snippet we posted is only checking whether the parent application, Pandora in this case, has permission to access the GPS. If the parent does not have permission, the accessing of GPS data can’t occur.”

ISSUE: WHY IS AD MOB CODED TO FETCH GPS, IF PERMISSION WAS GRANTED?

What Can We Learn from the Apple Location-Services Privacy Flap? | April 25, 2011 11:42 am

[...] the mobile privacy iceberg. Beyond location tracking, we know that many mobile application makers, like Pandora, are transmitting location data, gender and listening habits to advertisers (tip of the hat to my friends at Verac0de). Earlier [...]

Vaibhav Rastogi | April 25, 2011 2:09 pm

I understand the ad libraries may retrieve the Android ID and the GPS coordinates. The latter of course requires requesting the right permissions. What I do not understand is how the ad libraries are able to access the user’s gender. This is not stored on the phone such that it may be accessed by any application. Moreover, the ad library cannot by itself access some variables like gender from the main app’s code.

The code snippet above does not really show that the library had access to the gender. I would like to have someone’s comment on how the gender was being retrieved.

Pandora’s out of the box « Give a blog a Bone | April 25, 2011 4:32 pm

[...] turns out that Pandora appears to be integrated with a number of advertising libraries including; AdMarvel, AdMob, comScore, Google.Ads, and Medialets. What this means is that consumers [...]

PRIVACY | Beware, Snooping Apps! | May 10, 2011 8:20 am

[...] US security company Veracode (external link, opens in new window) has examined Pandora's free Android app. Data to five advertising companies [...]

TheDailyBerry | July 25, 2011 8:04 pm

If this is right, these developers could be making a ton of money off of this. As illegal as it is, this is very valuable information as third parties can use it to target specific geographical locations. Very interesting…

Veracode Blog » Welcome to the NEW Veracode blog! | December 6, 2011 10:35 am

[...] posts like Chris Lytle’s analysis of the Sony PSN breaches and Tyler Shield’s deep dive into Pandora’s mobile application. And we’ll never shy away from controversy as Chris Wysopal demonstrated in his response to the [...]

Veracode Blog » 2011 Event Roundup | December 23, 2011 10:53 am

[...] Tyler Shields cautioned developers on “Avoiding the Pandora Pitfall”. With a different threat landscape and new, mobile-specific, privacy concerns, secure [...]

Honestly | January 1, 2012 5:06 pm

Everyone knows that the mega internet software company Google, developer of Android among many others, is the largest data mining company in the world collecting private personal data from all its users. Apparently, Google has and is being financed and supported by the NSA and CIA of the USA government. The government is doing this so that the spying and privacy violations will not be subservient to the Freedom of Information Act.

I guess 1984 Big Brother is really more prevalent than we all think with all of the new technologies gathering all of the personal habits, behaviors and interests of our daily lives; just to name a few.

ashok pai | October 14, 2012 2:28 am

so what is google doing about this? their policy on people’s privacy being extinct is okay, but the little vermins that are – the adlibs, ferreting sensitive information like this is totally unpalatable. this will most likely blow up on their face shortly. I have a question, does – schmidt use a plain vanilla android phone with ads and all taking out all of his contacts and the kind? what would he feel about it?

I’m all for google and android being a good viable platform, and I would detest microsoft being the top dog in yet another arena. but if this privacy thing is not remedied, and microsoft does a better job at restricting access to these lil vermins stealing data from the phones – then I’d most likely vote the microsoft approach.

iPhones, Location and Threats to Your Assets | Threatpost | March 24, 2013 9:54 pm

[...] user usage patterns before they then, perhaps, pass that information on to their own advertisers? Application security firm Veracode discovered the libraries for at least 5 advertising firms embedde… for the Pandora music service seeking the location data from the phone earlier this month. It [...]

Free Android Apps | GPS Search | May 17, 2013 12:44 pm

[...] Mobile Apps Invading Your Privacy – Veracode Apr 5, 2011 … In Pandora’s case, both the Android and iPhone versions of its app ….. window) has examined Pandora's free Android app. [...]
