[April 8: We've added some more information in a follow-up post]

Background

An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smartphone application manufacturers for allegedly obtaining personal private information illegally and distributing it to third-party advertising groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device's unique identifier off the device, while 47 transmitted the phone's location. Five of the tested applications leaked personal information such as user gender and age.

Analysis

We at the Veracode research team decided to spend a bit of our time today breaking apart one of the accused applications to see what could be found within the code. Given what was written in the Journal article, we thought it would be most interesting to take an in-depth look through the Pandora application for the Android platform. The article states the following about the Pandora application:

In Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.

Our first step was to analyze the application using the Veracode platform. We followed up the automated static analysis with a manual analysis of the compiled dex code. The results were fairly interesting. The Pandora for Android application appears to be integrated with a number of advertising libraries. Specifically we found FIVE (yes that's FIVE!) advertisement libraries compiled into the application: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets. Looking even closer, we analyzed each of the modules to determine the type of data they access.

The first libraries we decided to break apart were AdMarvel and AdMob. The AdMarvel library references the AdMob library fairly significantly. AdMob in particular accesses the GPS location, application package name, and application version information. Additionally, there were variable references within the ad library that appear to transmit the user's birthday, gender, and postal code information. The code snippets below are taken from a decompilation of the AdMob library where GPS locations are being gathered. As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data:

public static Location getCoordinates(Context unknown)
{
.... SNIP ....
        String str1 = "android.permission.ACCESS_COARSE_LOCATION";
        int m = unknown.checkCallingOrSelfPermission(str1);
.... SNIP ....
        String str2 = "android.permission.ACCESS_FINE_LOCATION";
        int n = unknown.checkCallingOrSelfPermission(str2);

We can also see where the library actually attempts to capture GPS location information by registering for continuous location updates:

        int i4 = Log.d("AdMobSDK", "Trying to get locations from GPS."); 
        localObject2 = (LocationManager)unknown.getSystemService("location"); 
        if (localObject2 == null) break label428; 
        Criteria localCriteria = new Criteria(); 
        localCriteria.setAccuracy(1);
        localCriteria.setCostAllowed(0); 
        localObject3 = ((LocationManager)localObject2).getBestProvider(localCriteria, 1); 
.... SNIP ....
        int i5 = Log.d("AdMobSDK", "Cannot access user's location.  Permissions are not set.");
.... SNIP ....
        int i6 = Log.d("AdMobSDK", "No location providers are available.  Ads will not be geotargeted."); 
.... SNIP ....
        if (Log.isLoggable("AdMobSDK", 3)) int i7 = Log.d("AdMobSDK", "Location provider setup successfully."); 
        AdManager.1 local1 = new AdManager.1((LocationManager)localObject2); 
        Looper localLooper = unknown.getMainLooper(); 
        ((LocationManager)localObject2).requestLocationUpdates((String)localObject3, 0L, 0.0F, local1, localLooper);

We also saw references to the user's gender:

        Object localObject = k; Gender localGender1 = Gender.MALE;
        if (localObject == localGender1)
       {
            localObject = "m";
       } while (true) {
      return localObject;

      Gender localGender2 = k; 
      Gender localGender3 = Gender.FEMALE; 
      if (localGender2 == localGender3) { localObject = "f"; continue; } 
      localObject = null;

And of course, access of the infamous Android ID value (android_id):

      if (f == null) { Object localObject1 = unknown.getContentResolver();
      localObject2 = localObject1;
      localObject1 = Settings.Secure.getString((ContentResolver)localObject2, "android_id");

The analysis into the remaining libraries resulted in even more of the same. The SecureStudies library accesses the android_id and directly sends a hash of the data to http://b.scorecardresearch.com while the Medialets library accesses the device's GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address.
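
The snippets above show a library testing for permissions with checkCallingOrSelfPermission(), which only reports whether the host app already holds a permission; the permissions themselves are declared in the host app's manifest. The following added example (not from the original post or from any of the libraries discussed) cross-references the two for a manifest that has already been decoded to text XML. The sample manifest, package name and source file name are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml with no location permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed sample: decompiled library source, keyed by a hypothetical file name.
SAMPLE_SOURCES = {
    "com/example/ads/AdManager.java": '''
        String str1 = "android.permission.ACCESS_COARSE_LOCATION";
        int m = ctx.checkCallingOrSelfPermission(str1);
        String str2 = "android.permission.ACCESS_FINE_LOCATION";
        int n = ctx.checkCallingOrSelfPermission(str2);
        String id = Settings.Secure.getString(resolver, "android_id");
    ''',
}

PERM_RE = re.compile(r'"(android\.permission\.[A-Z_]+)"')

def declared_permissions(manifest_xml):
    """Return the permission names the host app declares via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def audit(manifest_xml, sources):
    """Sort permission strings referenced in code by whether the manifest declares them."""
    declared = declared_permissions(manifest_xml)
    report = {"declared": {}, "undeclared": {}, "no_permission_needed": {}}
    for path, text in sources.items():
        for perm in PERM_RE.findall(text):
            bucket = "declared" if perm in declared else "undeclared"
            report[bucket].setdefault(perm, set()).add(path)
        # Reading the android_id setting requires no manifest permission at all.
        if '"android_id"' in text:
            report["no_permission_needed"].setdefault("android_id", set()).add(path)
    return report

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(bucket, {name: sorted(paths) for name, paths in hits.items()})
```

A permission string that lands in "undeclared" marks a code path whose runtime check will fail in this host app, while "no_permission_needed" lists identifiers the library can read regardless of what the manifest declares.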

Conclusion

So what does this mean to the end user? It means your personal information is being transmitted to advertising agencies in mass quantities. As more and more "free" applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms. The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life. Consider for a moment that your current location is being tracked while you are at your home, office, or significant other's house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it's pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don't know about you, but that feels a little Orwellian to me.

About Tyler Shields

Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. He also keeps track of new developments from other computer science and information security researchers to ensure that Veracode technologies are always kept in line with the most recent security advancements.

Comments (20)

saad | April 6, 2011 4:41 am

Thanks for this very informative post. While previous articles I've read in the WSJ or elsewhere discussed such things previously, this adds some real and serious meat to what may have been perceived as mere speculation up to this point.

Great job!

Steve | April 6, 2011 1:58 pm

Are there any known dangers with transmitting the device's UDID? Can this value be used to uniquely identify an individual?

androboy | April 7, 2011 6:42 am

I found Pandora in the Android market and checked what permissions it was requesting. It included network communications and personal information but location was not specifically called out. Seems like a major failure somewhere for not calling this out explicitly.

ptrace | April 7, 2011 8:30 am

Was any investigation done into whether Pandora sends the same data if a user has a paid subscription to the service (ad free)? It's one thing for an ad supported free application to collect information to 'pay the bills' (though to do it without disclosure is still a bit sleazy), but that amount of data to be harvested from a paying customer is a huge breach of trust.

MB | April 7, 2011 12:12 pm

Any analysis done on the Blackberry Pandora client? It seems that Blackberries allow the owner more granular control over what an app is allowed to do on the phone, so maybe BB users can restrict this information from being sent?

If you do restrict it, does the app break?

Lyn | April 7, 2011 5:12 pm

But when people download the application aren't they automatically agreeing to the company's Terms Of Service which mentions that this information will be used?

PacoBell | April 7, 2011 7:25 pm

Just because an app or module requests COARSE_LOCATION and FINE_LOCATION in the code doesn't mean it necessarily gets to do that. If it's not stated as such in the manifest, Android will forbid it. And, as such, Pandora has no mention of location, coarse or fine, anywhere in said manifest. Did you also perform any network captures to verify your suspicions? Granted, such data would probably be encrypted, but did you even try?

Dave | April 7, 2011 8:58 pm

@Lyn:

Possibly. But tell me, when you install software, do you read every last letter of the EULA, or do you simply scroll through and click "yes"? We as technology users are so inundated with our computers, websites, smart devices, etc, asking us if we agree to something that most people simply click yes and move on. It's a failing of both the developers of the software and the end users. It doesn't help that a typical EULA is full of legalese that the average person can't understand.

I hate dumbing things down, but I think that might be just what is needed to get people to read things before they agree to them. Here's another issue with TOS; some websites state at the bottom, in small print, that by using the site you agree to their terms and conditions. Try zuken.com and look at the bottom. How can you agree to something you haven't read? I applaud Veracode for not pulling this stunt. :)

JT | April 7, 2011 10:33 pm

This is just bad reporting, not only does the Pandora app on Android not request the GPS location (thus not being able to get your location) but in the code snippets above you can see where the AdMob library requests location but is denied location because the app using the library (in this case, Pandora) did not request those permissions from the user so the location wasn't even sent.

Horrible journalism... let's scare everyone out there and throw a company under the bus who's not even doing what they're being accused of doing.

Bembo | April 8, 2011 5:08 am

I'm very curious to know how Android is able to find out the user gender...

Jon | April 8, 2011 10:16 am

"As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data"

This code you reference is NOT requesting permissions, it is merely checking whether said permissions HAVE BEEN requested by the parent app. Permissions are requested in the Android Manifest file and would show up when you go to download the app in "Security". I just checked, and Pandora does not request location permissions at all and also the GPS is never turned on when running Pandora.

You should really understand what the code means before you make asinine assumptions about it.

Jon | April 8, 2011 10:33 am

BTW, backup for my previous post in case anyone wants to get smart with me:

http://developer.android.com/reference/android/content/Context.html#checkCallingOrSelfPermission(java.lang.String)

Barry Havemann | April 11, 2011 10:02 am

Maybe I'm a bit paranoid but experience warns me to be _far_ more concerned about government access to all of this information. Consider:

this data is getting cheap enough that even a local cop running your plate in a parking lot could instantly access virtually all of your very personal data and where you've been and what you've been doing all day.

We all do perfectly legitimate things we'd rather remained private. Advertisers are a nuisance but that's controllable. However I think most of us would be uncomfortable, perhaps frightened, at the thought that some entity could be dogging our every footstep.

cardinal | April 14, 2011 2:58 pm

Don't Apple and Google have policies about doing this type of thing... I can understand Google not checking apps as they tend to be "all care no responsibility", however doesn't Apple state that it checks all apps, and if so doesn't the responsibility for ensuring that apps that attempt to do this fall on Apple with regard to the iDevices? Do Windows Phone 7 and Symbian phone/app allow this?

hanson | April 15, 2011 9:08 am

1) Study had ONE error:
“As you can see in the code, the library requests permissions for both COARSE_LOCATION, and FINE_LOCATION data”

"This code you reference is NOT requesting permissions, it is merely checking whether said permissions HAVE BEEN requested by the parent app. Permissions are requested in the Android Manifest file and would show up when you go to download the app in “Security”. I just checked, and Pandora does not request location permissions at all and also the GPS is never turned on when running Pandora.

You should really understand what the code means before you make asinine assumptions about it."

Comment by Jon — April 8, 2011 @ 10:16 am


2) study correction on the ONE error made:

"As you can see, GPS access is NOT included in that list. There was an error in the original post we made stating that some of the library code was requesting permissions from the Google system for GPS access, and as the commenter pointed out, that is incorrect. The code snippet we posted is only checking whether the parent application, Pandora in this case, has permission to access the GPS. If the parent does not have permission, the accessing of GPS data can’t occur."

ISSUE: WHY IS AD MOB CODED TO FETCH GPS, IF PERMISSION WAS GRANTED?

Vaibhav Rastogi | April 25, 2011 2:09 pm

I understand the ad libraries may retrieve the Android ID and the GPS coordinates. The latter of course requires requesting the right permissions. What I do not understand is how the ad libraries are able to access the user's gender. This is not stored on the phone such that it may be accessed by any application. Moreover, the ad library cannot by itself access some variables like gender from the main app's code.

The code snippet above does not really show that the library had access to the gender. I would like to have someone's comment on how the gender was being retrieved.

Blackberry Application Developers | May 20, 2011 6:58 am

Nice write up....

TheDailyBerry | July 25, 2011 8:04 pm

If this is right, these developers could be making a ton of money off of this. As illegal as it is, this is very valuable information as third parties can use it to target specific geographical locations. Very interesting...

Honestly | January 1, 2012 5:06 pm

Everyone knows that the mega internet software company Google, developer of Android among many others, is the largest data mining company in the world collecting private personal data from all its users. Apparently, Google has and is being financed and supported by the NSA and CIA of the USA government. The government is doing this so that the spying and privacy violations will not be subservient to the Freedom of Information Act.

I guess 1984 Big Brother is really more prevalent than we all think with all of the new technologies gathering all of the personal habits, behaviors and interests of our daily lives; just to name a few.

ashok pai | October 14, 2012 2:28 am

So what is Google doing about this? Their policy on people's privacy being extinct is okay, but the little vermins that are the adlibs, ferreting sensitive information like this, is totally unpalatable. This will most likely blow up on their face shortly. I have a question: does Schmidt use a plain vanilla Android phone with ads and all taking out all of his contacts and the kind? What would he feel about it?

I'm all for Google and Android being a good viable platform, and I would detest Microsoft being the top dog in yet another arena. But if this privacy thing is not remedied, and Microsoft does a better job at restricting access to these lil vermins stealing data from the phones, then I'd most likely vote the Microsoft approach.
