UPDATE
Amazon’s Ring Doorbell app for Android is a nexus for data-harvesting, according to an investigation by the Electronic Frontier Foundation (EFF). Privacy advocates allege Ring goes so far as to silently deliver updates on Ring customer usage to Facebook, even if the Ring owner doesn’t have a Facebook account.
“Ring isn’t just a product that allows users to surveil their neighbors,” EFF’s Bill Budington said in a posting on the findings, published Monday. “The company also uses it to surveil its customers.”
The EFF performed dynamic analysis on the Ring for Android mobile app (version 3.21.1), using the “mitmproxy” tool running on a Wi-Fi access point connected to the doorbell. The proxy tool was able to intercept and analyze HTTPS flows to and from the device, Budington explained. And, to remove “noise” generated from other apps on the Wi-Fi network, the AFWall+ firewall app was used to isolate the network traffic coming from the test device to the mobile app.
Information collected includes personally identifiable information (PII); device and carrier data; unique identifiers that allow companies to track users across apps; real-time data on user interactions with the app; and information about a user’s home network. EFF observed the information being sent to three main data analytics and marketing companies (Branch, MixPanel and AppsFlyer), as well as to Facebook.
A Ring spokesperson told Threatpost, “Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.”
A Marketing Bonanza
The findings were significant. The doorbell was observed sending a raft of private information from the Ring app via third-party trackers. Facebook for instance gathers real-time user interaction data and a unique identifier it can use to follow Ring users’ activity as they move around the web.
“Facebook, via its Graph API, is alerted when the app is opened and upon device actions, such as app deactivation after screen lock due to inactivity,” Budington wrote. “Information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution and a unique [tracking] identifier (anon_id), which persists even when you reset the OS-level advertiser ID.”
The other three companies receive their own individual compendiums of data. Branch for instance receives unique identifiers for the Ring hardware (device_fingerprint_id, hardware_id, identity_id) as well as the device’s local IP address, model, screen resolution and DPI.
AppsFlyer is alerted when a user interacts with the “Neighbors” section of the mobile app, EFF discovered. Neighbors is Ring’s neighborhood-watch feature that allows users to send and receive alerts for crime and safety events within a five-mile radius. AppsFlyer also gets sensor data from whatever mobile device the Ring app is installed on, including information from the magnetometer, gyroscope and accelerometer. And, it receives mobile carrier information, when Ring was installed and first launched, and, like Branch, a number of unique identifiers for the Ring device itself.
MixPanel receives the most information, EFF found. This includes users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of Ring locations that a user has.
All four companies receive enough information for a marketer to start to build a rich profile of a consumer, according to the EFF, which can then be enhanced via other trackers and cookies as users interact with websites and other mobile apps.
“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” Budington explained. “This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.”
Lack of User Visibility
Adding insult to injury, user awareness of the tracking is low to nonexistent, the EFF determined. The information was being sent “without meaningful user notification or consent,” Budington said. He added that Amazon has not been transparent with its apps-integration disclosure online, either.
“MixPanel is briefly mentioned in Ring’s list of third-party services, but the extent of their data collection is not,” Budington wrote. “None of the other trackers listed in this post are mentioned at all [on that page]…This data is given to parties either only mentioned briefly, buried on an internal page users are unlikely to ever see or not listed at all.”
Further, uncovering the tracking via technical means is difficult at best, according to Budington, thanks to the app’s security measures. For one, the traffic is being sent using encrypted HTTPS. And two, it uses certificate pinning.
“App-level certificate pinning is when an app validates the certificates of a remote server against a record of that certificate stored within the app, rather than validating against the list of root certificates within the OS,” explained Budington. “This is often used as a security measure, to ensure that misissuance of certificates or mismanagement along the chain of trust in PKI does not compromise the integrity, confidentiality or authenticity of HTTPS traffic.
“Unfortunately, it can also prevent security researchers and users from seeing exactly what information these devices are sending, and to whom.”
Ring has been under scrutiny for its privacy practices before, most notably surrounding its integrations with law enforcement. These allow homeowners to provide voluntary access to camera footage to officers. In the event of an incident, police can request the video recorded by homeowners’ cameras for a specific geographic area and time range.
In November, it drew criticism for a reported plan to use facial-recognition software to create an artificial-intelligence-enabled neighborhood watch list of “suspicious individuals.” And in January, four Ring employees were fired for allegedly “spying” on customers.
The EFF said that it all adds up to a disturbing pattern. “Ring has [leveraged] an image of the secure home,” Budington noted. “For consumers, this image has cultivated a sense of trust in Ring that should be shaken by the reality of how the app functions: Not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data-miners.”
This post was updated at 8:45 ET on Jan. 29 to include a statement from Ring.