Pandora subpoenaed over privacy of iPhone, Android apps

A federal grand jury has subpoenaed online radio service Pandora for documents related to the privacy of smartphone apps it offers for Apple's iPhone and Google's Android operating system. The document demand, which was made earlier this year, was part of a larger set of subpoenas issued on an industry-wide basis to publishers …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Try this yourself

Grab a copy of Fiddler (http://www.fiddler2.com/) and install it. On your iPhone, edit your wireless network settings and add the IP of your Fiddler installation and port 8888. Now all your iPhone's network traffic can be monitored in real time. Start up an app and see what you get.

For example, start up Angry Birds. Notice how it sends an HTTP request to http://data.flurry.com/aap.do. Flurry is an analytics company. The request includes the version of Angry Birds, your phone's unique ID (UDID), which levels you've been playing, how many birds you used, which options you tapped on, which promos you've looked at and so on. It includes some encoded data strings which could be capturing anything.

It's quite an eye-opener. If it's unable to contact the server it continues to queue the info until it can. Rovio's privacy policy states that Rovio may use third-party analytics to collect and use non-personal data that does not enable Rovio to identify the user. Well there's no may about it, they do use Flurry and they do send the UDID.

So far that's just a device. Now look at the free Bloomberg app. It also uses Flurry and also sends the same kind of data to the same URL. It includes the phone's UDID, which stocks you looked at, which screen options you tapped on and so on. Lots of apps use Flurry, and that's just one analytics company which happened to stand out in the analysis. I'm not picking on them and they no doubt provide a valuable service. I'm just concerned to know where I fit into it, after all it's my data they're building up.

While the individual companies may not be privy to all that information, Flurry certainly is. They may sell aggregation services to the likes of Rovio, but Flurry themselves are in an incredibly privileged position. It would only take a single intrusive app to use their services and they could tie in my name, my contact details, message info, GPS location and anything else provided by that app, to my UDID, and now they can indeed personally identify me. That bothers me, and no privacy policy from any individual app provider is going to address this problem.

I've not got an Android phone so if someone wants to try it and report back it would be useful, I expect the same apps send the same data regardless of platform.

If you want to monitor any secure traffic, switch on HTTPS decryption (Tools / Fiddler Options / HTTPS / Decrypt HTTPS traffic). This makes Fiddler act as a man-in-the-middle proxy, so you will get certificate errors but can see all the data in the tunnel.

2
0
Anonymous Coward

One more thing

I forgot about a setting you need in order to enable remote access for the iPhone:

Tools / Fiddler Options / Connections / Allow remote computers to connect

0
0
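The two posts above describe pointing the phone's Wi-Fi proxy at a Fiddler instance on port 8888 (with remote connections allowed) and then reading off what each app sends. The script below, an added example that is not code from the posts, from Fiddler or from Flurry, does the same job in a minimal form: it runs a plain-HTTP logging proxy on port 8888, bound on all interfaces so a phone can reach it, and flags any request that goes to a known analytics host or carries a 40-hex-character, UDID-like token anywhere in the query string, headers or body. Only data.flurry.com and the aap.do path are taken from the posts; the sample requests at the bottom are constructed, and the UDID value in them is made up. HTTPS is deliberately not intercepted, since that needs a CA certificate the phone trusts, which is what Fiddler's decrypt option provides.

```python
"""Minimal logging proxy plus request auditor (added example, not from the
original posts). Assumptions: only data.flurry.com is a known analytics host,
a UDID is 40 hex characters, and the sample requests below are constructed."""
import http.client
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Only data.flurry.com is named on the page; add others as you observe them.
ANALYTICS_HOSTS = {"data.flurry.com"}

# An iOS UDID is 40 hex characters (SHA-1 sized). Any SHA-1-sized token
# matches too, so a hit means "look at this", not proof of a UDID.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")


def parse_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x proxy request into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    host = (parts.netloc or headers.get("host", "")).partition(":")[0]
    return {"method": method, "host": host, "path": parts.path,
            "query": parts.query, "headers": headers, "body": body}


def audit_request(req: dict) -> list:
    """Return findings for one parsed request (empty list if nothing stands out)."""
    findings = []
    if req["host"].lower() in ANALYTICS_HOSTS:
        findings.append(f"analytics host: {req['host']}{req['path']}")
    # Identifiers can sit in the query string, a header or the body.
    haystack = " ".join([req["query"], " ".join(req["headers"].values()),
                         req["body"].decode("latin-1", "replace")])
    for token in sorted(set(UDID_RE.findall(haystack))):
        findings.append(f"UDID-like identifier: {token}")
    return findings


class LoggingProxy(BaseHTTPRequestHandler):
    """Forward plain-HTTP requests upstream and print findings for each."""

    def do_CONNECT(self):
        # HTTPS needs TLS interception with a CA the phone trusts, which is
        # what Fiddler's 'Decrypt HTTPS traffic' option sets up; not done here.
        self.send_error(501, "CONNECT (HTTPS) not handled by this example")

    def _forward(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        parts = urlsplit(self.path)
        req = {"method": self.command,
               "host": (parts.netloc or self.headers.get("Host", "")).partition(":")[0],
               "path": parts.path, "query": parts.query,
               "headers": {k.lower(): v for k, v in self.headers.items()},
               "body": body}
        for finding in audit_request(req):
            print(f"[{req['method']} {req['host']}{req['path']}] {finding}")
        upstream = http.client.HTTPConnection(parts.netloc or req["host"], timeout=10)
        target = parts.path + (f"?{parts.query}" if parts.query else "")
        upstream.request(self.command, target or "/", body=body,
                         headers=dict(self.headers.items()))
        resp = upstream.getresponse()
        data = resp.read()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            # Hop-by-hop headers describe the upstream connection, not ours.
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _forward


# Constructed sample: a Flurry request shaped like the one the post describes.
SAMPLE_FLURRY = (
    b"POST http://data.flurry.com/aap.do HTTP/1.1\r\n"
    b"Host: data.flurry.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 88\r\n\r\n"
    b"app=AngryBirds&ver=1.4.2&udid=0123456789abcdef0123456789abcdef01234567"
    b"&level=3-7&birds=4"
)
# Constructed sample with nothing of interest.
SAMPLE_BENIGN = b"GET http://example.com/news.json?edition=uk HTTP/1.1\r\nHost: example.com\r\n\r\n"


if __name__ == "__main__":
    for raw in (SAMPLE_FLURRY, SAMPLE_BENIGN):
        print(audit_request(parse_request(raw)))
    # Bind on all interfaces so the phone can reach it ("allow remote computers").
    ThreadingHTTPServer(("0.0.0.0", 8888), LoggingProxy).serve_forever()
```

Run it on the machine the phone shares a network with, set the phone's HTTP proxy to that machine's address and port 8888, and open an app; each flagged request is printed with the host, path and the identifier found. Because the 40-hex pattern also matches other SHA-1-sized values, treat a hit as a prompt to inspect the request rather than as proof that a UDID was sent.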
Anonymous Coward

contact list

The article forgets to mention the harvesting of contact lists on iPhones by applications like Fring. No prompt, nothing. With other apps you may get prompted, but the warning comes from the application itself, if the dev was kind enough to implement it. There's no protection at device/OS level whatsoever.

0
0