Pandora Mobile App Transmits Gobs Of Personal Data
An analysis of a popular free mobile application from online music service Pandora.com, which is the subject of a Grand Jury investigation into loose data privacy practices in the mobile application market, confirms that the application silently sends reams of sensitive data to advertisers.
The analysis was conducted by application security firm Veracode and found that Pandora's free mobile application for Android phones tracked and submitted a range of data, including the user's gender, geographic location and the unique ID of their phone, according to an entry on Veracode's blog.
The company's analysis followed reports in the Wall Street Journal that a Federal Grand Jury in New Jersey had subpoenaed the company, and other mobile application vendors, in an inquiry over the illegal transmission of personal data.
Pandora's free application for Android allows users of the free online music streaming service to listen to it from their phone. The application has been installed more than 10 million times, according to statistics on Google's Android Market.
That free service comes at a price, Veracode found. Researchers who took apart the application and studied its code found libraries for five different ad networks embedded in the Pandora application. Those libraries collected and transmitted a variety of data from the Android phone and its owner. The data included both the owner's GPS location and tidbits such as the owner's gender, birthday and postal code. There was evidence that the app attempted to provide continuous location monitoring, which would tell advertisers not just where the user accessed the application from, but also allow them to track that user's movement over time.
Data was transmitted to a variety of third party advertisers, including ComScore, though it's not clear that Pandora.com was aware of what kind of data was being accessed and transmitted, wrote Veracode analyst Tyler Shields.
The conclusion? "Your personal information is being transmitted to advertising agencies in mass quantities," Shields wrote. While some of that information is innocuous, it becomes very valuable when compiled into user profiles that provide "significant insight into a person's life," Shields wrote.
While Pandora was the only company named in the Wall Street Journal report, it is believed that other mobile application vendors have been subpoenaed in the inquiry as well. The Journal has brought to light privacy failures on the part of Web-based and mobile applications before. In October 2010, it called attention to loose security practices among Facebook applications, including the transmission of personal identifying information.
Comments
Is it really that hard to link to the actual article? http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/
Yup. I abandoned Pandora when I saw the permissions it was asking for on my Android phone. There's no way a music service needed all that stuff.
Anyone who thinks this is only Pandora is mistaken. I don't really see the harm here. They use geo location to target local ads the same that all internet advertisers (including the ones on this site) do. Also if you are worried about "personal information" such as your birth date maybe you should evaluate other services you may use. You think Facebook or Google doesn't know more about you than Pandora?
I wonder if Android users will pay more attention now to what they install on their phones. As the previous anonymous said, there's no way a music service needs permission to access gps, location, birthday etc...
Is this really that surprising? What other sort of business model would allow a "free" music source to make money?
I don't understand how everyone wants it both ways, they want a free app. Advertisers want to deliver content with a higher click rate, more targeted ads means more advertisers, means more money for the ad company and the client sending them the data.... Companies can't function without money, either pay for the full app and get rid of the ads (and presumably the private data being sent), or suck it up and realize you are paying in a non-monetary form. This would be more interesting if it said after paying for pandora, it was still sending your information. But if you aren't paying with money, you should be prepared to compensate with something else.
They can have the advertising without all the private information. Your argument is a false one. Television, magazines, radio all seem to do fine without knowing *exactly* where I am down to the meter.
Hear, hear!
I also always wonder. Just what bad thing is going to happen to you because of this information?
On one hand, we all believe it is our RIGHT to have a free and open web of information. But on the other hand, it is our RIGHT not to receive advertising, or have folks make money from our consumption of that same open web. I am ALL about consumer privacy - I use the Internet - but I think we need to make some choices about what we REALLY want.
A person could just pay for Pandora One and get advertisement free radio on their android device.
Just because you pay for an app doesn't mean it's still not tracking and collecting info.
The new internet and all these free apps are not free. You must pay for them, and in these cases, the currency is your privacy.
You're comparing apples to oranges. TV, radio etc. have much larger audiences and much larger profits, and if you think none of these advertisement methods use your information you're dead wrong. Comcast Spotlight targets local ads based on subscriber location. But as already mentioned, beyond that the margins are much larger. Hell, even your club cards for supermarkets are designed to gather information on buying habits which is used to affect pricing.
In order for mobile ads to be even remotely useful or worth spending money on, they need to be much more targeted. Mobile users have even less of an attention span than the average radio, TV, or magazine participant (for lack of a better word).
Making a big deal out of this is kind of unwarranted, or at least should have a better focus. Instead of framing it as "be concerned because Pandora knows who you are, where you are, and when you were born" why not frame it as "Pandora uses this information to serve you ads that will hopefully be more useful than random ads. How do we ensure that the information is anonymous enough, or general enough to not be dangerous."
My ideas:
GPS for advertising purposes should be limited to city or town location only.
Name should never be attached to any information. There really is no valid reason an advertiser needs your name anyways, likewise for any phone I.D. that can directly link to you (phone number, IMEI, etc). Carrier, phone model identifiers make sense.
DOB should be off limits. However, the month you were born in makes sense. This gives advertisers ways to focus on people who have a birthday coming up without having to know something very personal and identifying. Likewise for age. Maybe limit it to age groups within five years. This person you are advertising to is in the 30-35 year old age group. Again, this makes the information specific enough to use in advertising without compromising privacy.
I can think of 100 other ways to implement a set of permissions or rules on what data can be made available for ads without compromising privacy.
Technology is here, advertisers will use it to their advantage, and really in doing so it benefits us. I know, I know... no one likes ads. But they will be there regardless of whether they are targeted or not. Personally, if I do have to suffer through ads, I'd rather see Newegg ads than acne medicine and feminine hygiene products that I will never buy. Let's focus the conversation on making this benefit us without being a danger.
I was a paid subscriber of Pandora's service. They don't ship you a separate Android app for those who pay. So they have to put up with the same snooping as the free customers.
I stopped using Pandora and let my paid subscription lapse after the Android app started asking for access to my calendar.
Ignorant... they specifically asked for perms to obtain contact list and mms indexing. They can eat shit and die.
What happened to "Notice and Choice"? You can frame the matter any way you like, but it's a pretty safe bet that the folks who installed this spyware on their phones weren't aware of the extent to which their personal data was being passed to others.
The notice in cases like these always seems to be after the culprit is found out. The reasons are obvious. Despite the supposed benefits of letting advertisers secretly stalk their audience members, most folks would rather decide for themselves who gets their personal information and when.
The problem with just going along with this kind of thing is that it just continues to get worse. Whatever Facebook does is used to justify the even more invasive spying of Pandora, etc. Minimizing Pandora's privacy invasion will just make it easier for the next company that believes that asking forgiveness if they're caught is better than asking permission beforehand.
If an advertiser needs to target people, he can ASK people what he wants to know about them. If they don't want to tell him, and he knows they wouldn't want to tell him, why would he think it's ok to go behind their backs to steal the information?
Actually, no, it isn't a false argument concerning advertisers and private information. You obviously have not worked in business or in advertising, Mr Anon. The more targeted the ad, the more valuable to the end user.
Always remember one mantra - nothing is free!
Anyone interested in Android privacy should read and star this bug which is to give users the power to decide what information apps are allowed to obtain:
http://code.google.com/p/android/issues/detail?id=6600
Looks like the author is new to the "internet", and has never seen ads on the web, or wondered how some ads are more relevant than the others.
Login to gmail at home
Google knows - You are person P1, live in city X
Login to gmail at work
Google knows - P1 live in city X and works in city Y, at company A (your ip address gives it away)
Login to gmail from your phone
Google knows - P1 lives in city X, works in city Y at company A and owns Z phone.
Visit commerce/social networking sites that use google analytics or google ads,
Google knows - You live in city X, work in city Y at company A, own Z phone, shopping for mens clothing, should be male, aged 20-25 etc
After about a week or so .... they paint a pretty much full picture and categorize you into an "audience" to be sold to advertisers.
Same goes for ComScore/Nielsen/Quantcast etc that measure "audience" and report them to indicate trends in the internet world, and help advertisers fine tune their product message.
Mind you, none of this data is considered "personally identifiable". Only things like email, phone number, phone/device ID are personally identifiable data. These need to be safeguarded by folks who are authorized to collect them, fair, and should be 0 tolerance for compromising these.
And those guys with Android phones with issues with permissions .... go ahead and try "sharing" a song or station with your pals on Pandora .... guess what opens up ... your contacts list!! I have built an Android app, and know that it prompts for all permissions up front. iOS works differently .... prompts only when the app tries to use the contacts list or calendar etc.
Pandora vs. Zeus
I think it's important to bring out the difference between Pandora and the infamous Zeus trojan. Both apps get on your hardware by claiming to do something for you for free.
But one app watches everything you do and sends all kinds of information about you to folks you don't know behind your back. And the other app is detected by many antivirus programs.
"A person could just pay for Pandora One and get advertisement free radio on their android device."
Great idea; reward these bastards with free money.