A popular free mobile application from online music service Pandora.com that is the subject of a Grand Jury investigation into loose data privacy practices in the mobile application market confirms that the application silently sends reams of sensitive data to advertisers.
The analysis was conducted by application security firm Veracode and found that Pandora’s free mobile application for Android phones tracked and submitted a range of data, including the user’s gender, geographic location and the unique ID of their phone, according to an entry on Veracode’s blog.
The company’s analysis followed reports in the Wall Street Journal that a Federal Grand Jury in New Jersey had subpeona’d the company, and other mobile application vendors, in an inquiry over the illegal transmission of personal data.
Pandora’s free application for Android allows users of the free online music streaming service to listen to it from their phone. The application has been installed more than 10 million times, according to statistics on Google’s Android Market.
That free service comes at a price, Veracode found. Researchers who took apart the application and studied its code found libraries for five different ad networks embedded in the Pandora application. Those libraries collected and trasmitted a variety of different data from the Android phone and its owner. The data included both the owner’s GPS location and tidbits the owners gender, birthday and postal code information. There was evidence that the app attempted to provide continuous location monitoring – which would tell advertisers not just where the user accessed the application from, but also allow them to track that user’s movement over time.
Data was transmitted to a variety of third party advertisers, including ComScore, though its not clear that Pandora.com was aware of what kind of data was being accessed and transmitted, wrote Veracode analyst Tyler Shields.
The conclusion? “Your personal information is being transmitted to advertising agencies in mass quantities,” Shields wrote. While some of that information is innocuous, it becomes very valuable when compiled into user profiles that provide “significant insight into a person’s life,” Shields wrote.
While Pandora’s name was the only one named in the Wall Street Journal report, it is believed that other mobile application vendors have been subpeona’d in the inquiry as well. The Journal has brought to light privacy failures on behalf of Web-based and mobile applications before. In October, 2010, they called attention to loose security practices among Facebook applications, including the transmission of personal identifying information.