Slashdot Mirror


Pandora App Sends Private Data To Advertisers

Trailrunner7 writes "An analysis of the popular free mobile application from online music service Pandora.com that is the subject of a grand jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers. The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog."


  1. As I said last time by Anonymous Coward · · Score: 5, Informative

    As I said last time, "I stopped using their app when it wanted access to the system logs. This includes all notifications of pretty much everything going on on your phone. It might help them debug the app, it might help them with advertisers. Who knows. I just knew their app wasn't worth it."

    This is potentially a much more massive problem than we have been told.

    1. Re:As I said last time by Gutboy · · Score: 5, Insightful

      Google needs to allow you to authorize specific permissions for apps, not their current 'all or nothing' system. This way you could say "Yes, you can have my position because I believe a GPS mapping system needs that, but no you can't have my address book, since a GPS system doesn't need that". Sure it would screw advertisers over, but I don't care about them. Not everything in the world needs to have advertising on it.

    2. Re:As I said last time by Belial6 · · Score: 3, Insightful

      Every time this comes up, the Android folks say that they uninstalled Pandora when they tried to get access to our personal data. No one talks about the data stealing on iPhones. Is that because we know they are not doing it on iPhone, or because the iPhone doesn't warn the user that the app is stealing their data?

    3. Re:As I said last time by MozeeToby · · Score: 3, Informative

      No. Currently an app has a list of permissions it requires. If that list includes something you don't want that app to have access to, the only course of action is to not give the app access to anything (via not installing it). OP would like the ability to look at the list of permissions and, for example, remove Pandora's permission to view notifications and system logs without removing the rest of the permissions for the app.

      I suspect that at least part of the reason this isn't easily done is for a few reasons. Obviously, the app makers aren't going to like it, since it will make advertising less effective and has the potential to generate lots of complaints when the apps don't work as advertised. Less obvious is the way apps are encrypted. I believe their permissions form part of the encryption key such that the app cannot run with more (or fewer) permissions than it was originally built for. This forms one of the central and most powerful anti-malware features of Android phones and I suspect they don't want to risk messing about with it more than they have to.

    4. Re:As I said last time by MrHanky · · Score: 3, Informative

      According to WSJ, who had an article the other day,

      In Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

      So I can't really see how Apple's system is all that much better. (And no, you don't need to use GPS to send location data, and neither is it used by advertisers.)

  2. Wait a minute... by Nidi62 · · Score: 5, Insightful

    So, you mean all those ads at the bottom of the Pandora app that were specific to my home town weren't just a random coincidence? How is it taking these things "silently" when it tells you exactly what you are giving it access to? Obviously, knowing where you live has no bearing on the type of music it's going to play. What else did people think this was going to be used for?

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  3. what do you expect for free? by alen · · Score: 4, Insightful

    seriously, what do you expect from a free app that streams licensed music that they had to pay for? a bunch of ads no one clicks on?

    this is how google makes money, metrics. everyone is doing it as well.

  4. Live in Application by ObsessiveMathsFreak · · Score: 4, Insightful

    The big problem here is that whenever you install any application, you're technically giving the designers virtually free rein to do whatever they like with your system/PC/phone/whatever.

    Once permitted in, most commercial applications barge into your PC, rewrite whatever files they please, alter configuration settings, gobble up memory, install themselves as startup applications and often install an entire suite of unwanted applications and advertisements you didn't even ask for. Then they plonk themselves down in your living room, feet on the sofa, and begin to shout at you, along with all the dozens of other loudmouth applications you've invited in.

    --
    May the Maths Be with you!
  5. SELinux type security for Android by Bocaj · · Score: 5, Informative

    Google needs to change the security model to allow finer grained access and more information to users about how much information that access allows. I should be able to install an application that wants access to my contacts but choose to deny that access with a warning that it may affect the functionality of the app. There should be more detailed information on just what information an application can get hold of with that access. I think using the SELinux model of security in the kernel would be a good idea. If I don't grant an application process rights to certain files, it can't get access no matter what.

  6. Not just android by ender- · · Score: 5, Interesting

    The actual Veracode post says it's both the iPhone and Android versions. I'm not sure why the article linked in the summary [and thus the summary] only mentions the Android version.

    I wonder then, does the web browser interface do something similar, minus the GPS info of course? What about the Pandora One desktop app?

  7. Looking forward for Pandora IPO by ub3r+n3u7r4l1st · · Score: 4, Interesting

    Despite the suit, recent SEC filing suggests everything pointing up:

            * Revenue skyrocketed from $55,189,000 in FY2010 to $137,764,000 in FY2011.
            * Advertising revenue rose from $50,147,000 in FY2010 to $119,333,000 in FY2011.
            * Subscription and "other" revenue increased from $5,042,000 in FY2010 to $18,431,000 in FY2011.
            * Despite rising content acquisition costs (up from $32,946,000 to $69,357,000 between FY2010 and 2011), Pandora's loss narrowed from $15,549,000 in FY2010 to $321,000 in FY2011.

    Despite strong competition such as Sirius XM radio and even Apple to that regard, I wouldn't worry much.

  8. Re:Obvious what they are doing by berashith · · Score: 3, Funny

    yup, the stalkers employed by pandora can send Barry White tunes to any stranger that they need to get in the mood.

  9. Re:What about iOS version? by DanTheManMS · · Score: 4, Informative

    The iOS version of Pandora uses an ad framework called "Medialets" or at least it did as of an update in January 2010. Medialets is known to track exactly this kind of data (phone ID, physical location, etc). When I made a comment on their blog at the time, their response was essentially "Everyone else is doing it so it's okay."

    Personally I'm jailbroken and installed the PrivaCy addon, so I *think* I'm being at least somewhat less tracked. Who knows for sure, though?