Pandora Mobile App Transmits Gobs Of Personal Data

An analysis of a popular free mobile application from online music service Pandora.com, which is the subject of a Grand Jury investigation into loose data privacy practices in the mobile application market, confirms that the application silently sends reams of sensitive data to advertisers.


The analysis was conducted by application security firm Veracode and found that Pandora’s free mobile application for Android phones tracked and submitted a range of data, including the user’s gender, geographic location and the unique ID of their phone, according to an entry on Veracode’s blog. 

The company’s analysis followed reports in the Wall Street Journal that a Federal Grand Jury in New Jersey had subpoenaed the company, and other mobile application vendors, in an inquiry over the illegal transmission of personal data.

Pandora’s free application for Android allows users of the free online music streaming service to listen to it from their phone. The application has been installed more than 10 million times, according to statistics on Google’s Android Market.

That free service comes at a price, Veracode found. Researchers who took apart the application and studied its code found libraries for five different ad networks embedded in the Pandora application. Those libraries collected and transmitted a variety of data about the Android phone and its owner, including the owner’s GPS location along with tidbits such as the owner’s gender, birthday and postal code. There was also evidence that the app attempted continuous location monitoring, which would tell advertisers not just where the user accessed the application from, but also allow them to track that user’s movements over time.
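As an added illustration (not part of the article or of Veracode’s analysis), the script below shows the kind of triage an analyst does over an app’s captured outbound requests: it flags personal fields sent to hosts other than the app’s own backend and detects repeated location uploads to one host that suggest continuous monitoring rather than a one-off lookup. The sample requests, host names and parameter names are constructed for this example and do not represent real ad-network endpoints.

```python
"""
Added example, not code from the article or from Veracode: triage of
captured outbound HTTP requests from a mobile app. The capture, the host
names and the parameter names below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumed: the app's own backend. Anything else counts as a third party.
FIRST_PARTY_HOSTS = {"api.example-music.test"}

# Heuristic parameter names for each category of personal data (assumption).
SENSITIVE_KEYS = {
    "device_id": {"device_id", "android_id", "imei", "udid", "deviceid"},
    "location": {"lat", "lon", "lng", "latitude", "longitude"},
    "gender": {"gender", "sex"},
    "birthday": {"birthday", "dob", "birthdate", "age"},
    "postal_code": {"zip", "postal", "postcode", "zipcode"},
}

# Constructed capture: (timestamp in seconds, request URL)
SAMPLE_REQUESTS = [
    (0,   "https://api.example-music.test/v1/stream?station=42"),
    (1,   "https://ads.network-a.test/req?android_id=9774d56d682e549c&gender=m&zip=94103"),
    (2,   "https://metrics.network-b.test/beacon?lat=37.7749&lon=-122.4194&dob=1985-06-01"),
    (62,  "https://metrics.network-b.test/beacon?lat=37.7761&lon=-122.4180"),
    (122, "https://metrics.network-b.test/beacon?lat=37.7790&lon=-122.4150"),
    (130, "https://ads.network-c.test/imp?age=25"),
]


def classify_params(url):
    """Return the set of sensitive categories present in the URL's query string."""
    qs = parse_qs(urlparse(url).query)
    found = set()
    for category, names in SENSITIVE_KEYS.items():
        if any(key.lower() in names for key in qs):
            found.add(category)
    return found


def audit(requests, first_party=FIRST_PARTY_HOSTS, track_window=600, min_fixes=3):
    """
    Return (leaks, trackers):
      leaks    - dict host -> set of sensitive categories sent to that third-party host
      trackers - set of hosts that received at least min_fixes distinct location
                 fixes within track_window seconds (continuous location monitoring)
    """
    leaks = defaultdict(set)
    fixes = defaultdict(list)  # host -> [(timestamp, (lat, lon))]
    for ts, url in requests:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in first_party:
            continue  # traffic to the app's own backend is expected
        categories = classify_params(url)
        if categories:
            leaks[host] |= categories
        if "location" in categories:
            qs = parse_qs(parsed.query)
            lat = qs.get("lat") or qs.get("latitude")
            lon = qs.get("lon") or qs.get("lng") or qs.get("longitude")
            if lat and lon:
                fixes[host].append((ts, (lat[0], lon[0])))

    trackers = set()
    for host, points in fixes.items():
        points.sort()
        # Sliding window: enough distinct coordinates close together in time
        # means the app is reporting movement, not a single location lookup.
        for i, (start_ts, _) in enumerate(points):
            window = [p for p in points[i:] if p[0] - start_ts <= track_window]
            if len({coord for _, coord in window}) >= min_fixes:
                trackers.add(host)
                break
    return dict(leaks), trackers


if __name__ == "__main__":
    found_leaks, found_trackers = audit(SAMPLE_REQUESTS)
    for host, cats in sorted(found_leaks.items()):
        print(f"{host}: {', '.join(sorted(cats))}")
    for host in sorted(found_trackers):
        print(f"continuous location monitoring: {host}")
```

On the constructed capture the script reports the device ID, gender and postal code going to one third-party host, location and birthday to a second, an age value to a third, and flags the second host as receiving a stream of distinct location fixes. The parameter-name heuristics are the weak point in practice: ad SDKs often post JSON or custom-encoded bodies rather than query strings, so a real audit also decodes request bodies and, as Veracode did, reads the embedded SDK code itself.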

Data was transmitted to a variety of third-party advertisers, including ComScore, though it’s not clear that Pandora.com was aware of what kind of data was being accessed and transmitted, wrote Veracode analyst Tyler Shields.
The conclusion? “Your personal information is being transmitted to advertising agencies in mass quantities,” Shields wrote. While some of that information is innocuous, it becomes very valuable when compiled into user profiles that provide “significant insight into a person’s life,” Shields wrote. 

While Pandora was the only company named in the Wall Street Journal report, it is believed that other mobile application vendors have been subpoenaed in the inquiry as well. The Journal has brought to light privacy failures by Web-based and mobile applications before. In October 2010, it called attention to loose security practices among Facebook applications, including the transmission of personally identifying information.


Discussion

  • Anonymous on

    Is it really that hard to link to the actual article?  http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/

  • Anonymous on

    Yup. I abandoned Pandora when I saw the permissions it was asking for on my Android phone. There's no way a music service needed all that stuff.

  • Anonymous on

    Anyone who thinks this is only pandora is mistaken. I don't really see the harm here. They use geo location to target local ads the same that all internet advertisers (including the ones on this site) do. Also if you are worried about "personal information" such as your birth date maybe you should evaluate other services you may use. You think facebook or google doesn't know more about you than pandora?

  • Anonymous on

    I wonder if Android users will pay more attention now to what they install on their phones. As the previous anonymous said, there's no way a music service needs permission to access gps, location, birthday etc...

  • Anonymous on

    Is this really that surprising? What other sort of business model would allow a "free" music source to make money?

  • Anonymous on

    I don't understand how everyone wants it both ways, they want a free app. Advertisers want to deliver content with a higher click rate, more targeted ads means more advertisers, means more money for the ad company and the client sending them the data.... Companies can't function without money, either pay for the full app and get rid of the ads (and presumably the private data being sent), or suck it up and realize you are paying in a non-monetary form. This would be more interesting if it said after paying for pandora, it was still sending your information. But if you aren't paying with money, you should be prepared to compensate with something else. 

  • Anonymous on

    They can have the advertising without all the private information. Your argument is a false one.  Television, magazines, radio all seem to do fine without knowing *exactly* where I am down to the meter.

     

     

  • Anonymous on

    On one hand, we all believe it is our RIGHT to have a free an open web of information.  But on the other hand, it is our RIGHT not to receive advertising, or have folks make money from our consumption of that same open web.  I am ALL about consumer privacy - I use the Internet - but I think we need to make some choices about what we REALLY want.

  • Anonymous on

    A person could just pay for Pandora One and get advertisment free radio on their android device.

     

  • Anonymous on

    Just because you pay for an app doesn't mean it's still not tracking and collecting info.  

    The new internet and all these free apps are not free. You must pay for them, and in these cases, the currency is your privacy.

     

  • Anonymous on

    I was a paid subscriber of Pandora's service. They don't ship you a separate Android app for those who pay. So they have to put up with the same snooping as the free customers.

    I stopped using Pandora and let my paid subscription lapse after the Android app started asking for access to my calendar.

     


  • Anonymous on

    Anyone interested in Android privacy should read and star this bug which is to give users the power to decide what information apps are allowed to obtain:

    http://code.google.com/p/android/issues/detail?id=6600

  • Anonymous on

    The quality of reporting on threatpost.com has seriously plummeted. The author of this article is so ridiculously lazy and incompetent.

  • Anonymous on

    Does the author of this article even know what an online ad network is? It's readily apparent that he doesn't understand how online advertising works. What a fool.

  • Anonymous on

    Looks like the author is new to the "internet", and has never seen ads on the web, or wondered how some ads are more relevant than the others.

    Login to gmail at home

    Google knows - You are person P1, live in city X

    Login to gmail at work

    Google knows - P1 live in city X and works in city Y, at company A (your ip address gives it away)

    Login to gmail from your phone

    Google knows - P1 lives in city X, works in city Y at company A and owns Z phone.

    Visit commerce/social networking sites that use google analytics or google ads,

    Google knows - You live in city X, work in city Y at company A, own Z phone, shopping for mens clothing, should be male, aged 20-25 etc

    After about a week or so .... they paint a pretty much full picture and categorize you into an "audience" to be sold to advertisers.

    Same goes for ComScore/Nielsen/Quantcast etc that measure "audience" and report them to indicate trends in the internet world, and help advertisers fine tune their product message.

    Mind you none of this data is considered "personally identifiable". Only things like Email, Phone number, Phone/Device ID are personally identifiable data. These need to be safeguarded by folks who are authorized to collect them, fair, and should be 0 tolerance for compromising these.

    And those guys with Android phones with issues with permissions .... go ahead and try "sharing" a song or station with your pals on Pandora .... guess what opens up ... your contacts list!! I have built an Android app, and know that it prompts for all permissions up front. iOS works differently .... prompts only when the app tries to use the contacts list or calendar etc.

     

  • Anonymous on

    Pandora vs. Zeus

    I think it's important to bring out the difference between Pandora and the infamous Zeus trojan. Both apps get on your hardware by claiming to do something for you for free.

    But one app watches everything you do and sends all kinds of information about you to folks you don't know behind your back. And the other app is detected by many antivirus programs.

     
