Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pandora App Sends Private Data To Advertisers

Posted by CmdrTaco on from the of-course-it-does dept.

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."

6 of 198 comments (clear)

  1. As I said last time by Anonymous Coward · · Score: 5, Informative

    As I said last time, "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."

    This is potentially a much more massive problem than we have been told.

    1. Re:As I said last time by MozeeToby · · Score: 3, Informative

      No. Currently an app has a list of permissions it requires. If that list includes something you don't want that app to have access to, the only course of action is to not give the app access to anything (via not installing it). OP would like the ability to look at the list of permissions and, for example, remove Pandora's permission to view notifications and system logs without removing the rest of the permissions for the app.

      I suspect that at least part of the reason this isn't easily done is for a few reasons. Obviously, the app makers aren't going to like it, since it will make advertising less effective and has the potential to generate lots of complaints when the apps don't work as advertised. Less obvious is the way apps are encrypted. I believe their permissions form part of the encryption key such that the app cannot run with more (or fewer) permissions than it was originally built for. This forms one of the central and most powerful anti-malware features of Android phones and I suspect they don't want to risk messing about with it more than they have to.

    2. Re:As I said last time by MrHanky · · Score: 3, Informative

      According to WSJ, who had the an article the other day,

      In Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

      So I can't really see how Apple's system is all that much better. (And no, you don't need to use GPS to send location data, and neither is it used by advertisers.)

  2. SELinux type security for Android by Bocaj · · Score: 5, Informative

    Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detail information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.

  3. Re:What about iOS version? by DanTheManMS · · Score: 4, Informative

    The iOS version of Pandora uses an ad framework called "Medialets" or at least it did as of an update in January 2010. Medialets is known to track exactly this kind of data (phone ID, physical location, etc). When I made a comment on their blog at the time, their response was essentially "Everyone else is doing it so it's okay."

    Personally I'm jailbroken and installed the PrivaCy addon, so I *think* I'm being at least somewhat less tracked. Who knows for sure, though?

  4. Re:What's needed by macs4all · · Score: 2, Informative

    Is an app that sits between your personal and phone info and all your other apps and controls what data gets presented to each app

    You mean, something that keeps each app in something akin to its own "play area". Kind of like a kid's sandbox...

    Now only if there was a mobile OS that did that for you. And even better, one that automatically asked you for permission when certain "privacy-related" features, like location services, are accessed by an app for the first time, and gave you an easy-to use way to see if an app had tried to do that in the past 24 hours, and even better, let you change your mind about permissions after you had already installed the app, on a global, or app-by-app basis.

    Oh, wait...