Slashdot Mirror


FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

32 of 187 comments

  1. Location obviously needed by Imsdal · · Score: 5, Funny

    But if the app doesn't know your location, how would it possibly know where to provide the light?

    1. Re: Location obviously needed by iamhassi · · Score: 5, Insightful

      Have to wonder how many other apps are doing this that have not been caught yet

      --
      my karma will be here long after I'm gone
    2. Re: Location obviously needed by Anonymous Coward · · Score: 2, Interesting

      Have to wonder how many other apps are doing this that have not been caught yet

      That's the big problem, the FTC is currently playing a losing game of whack-a-mole. The ultimate solution is to inform the developer community that there will be a three month grace period for them to come clean. After that start throwing offenders in prison until the problem goes away. Currently there are no enforced consequences, all the FTC was able to do is get Goldenshores Technologies, LLC, to agree to obey current laws on deceptive business practices and fraud. The scumbag owner is currently laughing all the way to the bank instead of sitting in a holding cell somewhere awaiting sentencing.

      Why isn't the FTC dismantling Goldenshores Technologies (and the personal assets of all the owners) for whatever they can get? I thought the whole idea of civil forfeiture was to deny criminal scumbags from profiting from their crimes.

    3. Re:Location obviously needed by Notabadguy · · Score: 2

      Droidlight has been around as long as Androids. Why is there need for competition in a free flashlight app?

  2. Re:This app never seemed necessary by oodaloop · · Score: 2

    It's for the LED flash next to the camera, which is much brighter than a white screen.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  3. Security model by Anonymous Coward · · Score: 3, Interesting

    If someone still says that Android's (or iOS I suppose) security model isn't completely broken...

    Why can't the user choose to disable networking on a per-app level?

    1. Re:Security model by MachineShedFred · · Score: 4, Informative

      On iOS, you do have granular permissions - if an app requests your location, you can say no, and the app can go fuck itself - the API doesn't give it shit. It's not all-or-nothing.

      Disabling data access per app is a different story though, so your point still stands.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    2. Re:Security model by Concerned+Onlooker · · Score: 2

      "Disabling data access per app is a different story though, so your point still stands."

      On iOS 7 you can do this, but only if you're not using wifi. In the prefs you can turn off cellular data access on a per app basis. You can also see how much of your cellular data plan each app is eating.

      --
      http://www.rootstrikers.org/
  4. Re:This app never seemed necessary by locopuyo · · Score: 2

    Doesn't your phone have a camera flash that can be used as a flashlight and works just as well? I think this has been standard for the past 5 years, and most phones have a flashlight app that comes on the phone.

  5. Permissions? by Anonymous Coward · · Score: 2, Insightful

    Who gives a flashlight app permissions to access location, internet, flash drive, etc?

  6. Re:As a user by MachineShedFred · · Score: 3, Insightful

    I think at this point, the default mode for most Android users is to just allow, as most apps have a laundry list of things they want access to. It's probably the second-least read message from an app install of all time (first being the EULA).

    No, that is not wise. But people aren't always wise.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  7. Some Hammer by TubeSteak · · Score: 5, Insightful

    No civil fines.
    No criminal penalties.
    No admission of guilt.

    --
    [Fuck Beta]
    o0t!
  8. Re:This app never seemed necessary by rubycodez · · Score: 2

    ah, so that's why the display on the back side of my phone left me seeing red

  9. Don't be Naive by A10Mechanic · · Score: 5, Insightful

    This is just the tip of the dirty iceberg here. Thousands of apps do this and far worse for your privacy. Caveat Emptor

  10. Why can't they copy this from iOS? by dingleberrie · · Score: 5, Insightful

    I have an iPhone 5 and a Nexus 7.
    When I download an app on the Nexus, I always feel an uneasiness as I look at all the access it wants to my contacts and other invasively unnecessary permissions. So each time I must make a decision to accept or reject using the app. I've rejected some that just seem overreaching, but I've become less strict over time... like I'm accepting to lose a battle. I assure myself, that my phone has all my real contacts, not my Nexus 7 and then begrudgingly accept the conditions. This is one reason I will not use an android phone and why I rarely download apps on android.
    iOS, for those that don't know, will let me decline permissions to track my location or share my contacts on a per-app basis. Even if I enabled it before, I can go into the control center and disable it. I don't benefit from that aspect of the iOS app, but I'm fine with that. For all the control that Android is supposed to give the user, iOS shines here and I wish that is one thing that Android would copy.

    1. Re:Why can't they copy this from iOS? by wbo · · Score: 2

      Newer iPhones (and I think a few other iOS devices) do have a flash and in fact a flashlight toggle is built into the lock screen on devices running iOS 7 or later.

    2. Re:Why can't they copy this from iOS? by Anonymous Coward · · Score: 4, Informative

      Oh you have a Nexus 7? Perfect, you can download App Ops to select permissions on a per-app basis.

      Any Android 4.3 or higher device supports it. And root is not required.

  11. So No One Thought It Odd by Greyfox · · Score: 5, Interesting

    Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?" And third, lazy developers have no incentive not to request every priv in the model.

    I'd heard Cyanogenmod was experimenting with a means to deny specific privs to an application rather than take the all-or-nothing approach of "You have to give me all this shit or you can't install it." That's a feature I'd really like to have for my Android phone.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:So No One Thought It Odd by Mr_Silver · · Score: 4, Insightful

      Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?" And third, lazy developers have no incentive not to request every priv in the model.

      Not to mention that although for a very basic app (like a flashlight one) it is possible to spot a nefarious permission, once you start looking at a much more feature-rich app then it gets very difficult for users to work out the validity of the permission requested.

      For example, a mobile banking app wants your location. Is this because:

      1. It's sending location data to a server to track you?
      2. It's sending it to third party companies for location based advertising?
      3. It wants that information so it can tell you where the nearest ATM or bank branch is?
      --
      Avantslash - View Slashdot cleanly on your mobile phone.
  12. The true cost of free by sinij · · Score: 3, Insightful

    As someone that used to work with mobile security - this is a tiny minority that got caught. If you carry your mobile phone with you, then you have no reasonable expectation of privacy. Treat your smartphone as a combination of public WiFi and a court-assigned GPS tracking ankle bracelet.

  13. Re:This app never seemed necessary by safetyinnumbers · · Score: 4, Insightful

    I just hold down the lock switch for a second to turn on the LED, it's a built-in feature on my Nokia.

    But why doesn't Android sandbox apps in a way that the app is unaware of? Just present all apps with an empty contact list, a fake GPS location, an empty drive, etc and the user grants permissions to substitute the real ones as needed. That way, all apps could be installed and you'd get a popup such as "this app wants your location" in a similar way to iOS, only this way the app would keep working if you said no.

  14. Re:This app never seemed necessary by Archangel+Michael · · Score: 2

    Indeed, why do you need an APP for this. My ROM (CM 10.2) has a "torch" function built in. Why would you need an app for it?

    This is not an Android problem this is a problem with crappy carrier priorities. Must bundle crap nobody wants, and not include the obvious highly requested features.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  15. Re:This app never seemed necessary by NoNonAlphaCharsHere · · Score: 5, Insightful

    Apparently you're completely unaware of Google's business model.

  16. Re:This app never seemed necessary by mlts · · Score: 2

    There used to be a utility called LBE Privacy Guard which did exactly this in earlier versions of Android, and on jailbroken iPhones, a utility called PMP (protect my privacy.) If the app wants contacts, it gets randomly generated cards. Songs, similar. Location, it gets where you select. Photos? Fake photos or an empty drive, ad id? Randomly generated.

    Only thing is that LBE Privacy Guard has not been updated for the past few versions of Android.

    Pretty much, one's best defense against a rogue fleshlight app is to have a firewall program like Droidwall or its successors and block the app from communicating on any interface.

  17. Re:This app never seemed necessary by Solozerk · · Score: 3, Insightful

    The "built-in" torch function you're talking about in CM is an app. It's open source - see here: https://github.com/CyanogenMod/android_packages_apps_Torch .

    You make it an app because it makes no sense to integrate such a feature directly in the OS/ROM - it would take longer, and that way you can update it and have additional features (morse code flashing, for example).

    What baffles me is why people would install an app named "Brightest Flashlight Free" (name sounds like a moron-magnet), which probably requires network access and includes ads, when there are tens of ads-less Open-Source alternatives in the Google market as well as outside it.

  18. Re:As a user by CubicleZombie · · Score: 2

    When I read the access request for any Android app, I end up declining. SD card, network, contacts, and location access, for a kitchen timer? No thanks. That's why I have no apps on my phone and why I miss my Startac.

    And I just don't have the time to mess around with custom roms or rooting the phone.

    --
    :wq
  19. Re:This app never seemed necessary by Politburo · · Score: 3, Funny

    Rogue fleshlight? I don't wanna know where that thing has been...

  20. I was offered money to add spyware to my app by efalk · · Score: 5, Interesting

    I have a couple of calculator apps on the Android market. Obviously, a calculator has zero need for any of your personal data, and that's how much I collect -- zero.

    I recently received an email from "Appayable.com". They provide me with a spyware module to add to my apps. The spyware module collects users' personal data and uploads it to Appayable.com. I get paid. Profit!

    They say they only sell anonymized data, but I still thought it was a pretty reprehensible business model. I suspect it's pretty common practice, though.

    The letter:

    I noticed that RpnCalc Financial -- HP 12C has seen a growing number of downloads in recent weeks. I wanted to reach out and discuss how my company, Appayable, offers developers the opportunity to monetize their app without placing ads or impacting user experience.

    We pull the social profile of your users, anonymize the data, and identify the mobile device. Appayable's SDK does not take up screen real estate on your application, maintaining the great user experience, and providing more revenue for you. Plus, we do not rely on impressions - as we do not place ads within your app - thus, you generate revenue based on a single download and install. No need to retain the user - only have them open the application once.
    The revenue stream created is ongoing based on our data partnerships, regardless of continued use of the mobile application.

    We've worked hard to make it really simple for you to integrate our service into your app, and as a result have over 6,500 applications on our platform in only 6-months! When you have a few minutes, I'd love to talk to you or the appropriate person about working with us.

  21. Simple LED Widget by slinches · · Score: 3, Informative

    I just recently got a Nexus 5 to replace my aging Nokia N9 and was amazed by the near complete lack of simple tools that don't want access to your data in return. For the N9, there were a ton of useful free open source tools provided by the community over at maemo.org. That community was great. Every time I thought that there was something that was missing or new capability I wanted, I'd look there and find an app that already exists or a group of people in the process of building it.

    The contrast between that experience and the excessive commercialism of Android was startling. After looking around for a while I did find this Simple LED Widget that is just what it says and doesn't require any unnecessary permissions, but I had to sift through dozens of apps like the one in the TFA.

    Is there anything even close to maemo.org for Android? I've heard some good things about F-Droid, but I haven't looked into it enough yet to know if it's the best option.

    --
    Knowledge Brings Fear
  22. Re: This app never seemed necessary by iamhassi · · Score: 2, Informative

    iPhone doesn't need it since every app has to be approved by Apple themselves before hitting the appstore and iOS doesn't allow access to contacts or locations without a large popup saying "do you want this app to access (blank)?" Which you can turn off anytime in settings. There are some advantages to a walled garden

    --
    my karma will be here long after I'm gone
  23. the missing app by Tom · · Score: 3, Insightful

    What's obviously missing is a Mock App - something that will satisfy all those requests and provide them with the data they want - fake data.

    Sadly, I don't expect Google - whose revenue stream is largely based on advertisement - would make that possible in Android.

    --
    Assorted stuff I do sometimes: Lemuria.org
  24. For non-evil Android apps, see F-Droid by Phil+Urich · · Score: 2

    What app do u make?(desperately seeking non-evil android apps)

    Whenever I'm looking for an app of some kind, I check F-Droid first.

    --
    I remember sigs. Oh, a simpler time!