Pandora Android App Slurping Tremendous Amounts of Personal Data

A Veracode report confirms that Pandora's Android app tracks and shares users' gender, GPS data and the unique device ID with advertisers.

Free smartphone apps may be collecting more personal information than users realize and sharing it with third-party advertising firms, according to an analysis by a security firm. The report followed recent news articles that Pandora and other mobile app vendors had received federal grand jury subpoenas about their data sharing practices.

Federal prosecutors in New Jersey were investigating whether mobile application vendors are illegally retaining and sharing customers' personal information, the Wall Street Journal reported on April 5. The Journal further tested 101 apps and found that 56 transmitted the phone's unique device identifier to other companies without the user's knowledge; 47 transmitted the phone's location; and five provided the user's age, gender and other personal details. Privacy policies were not included on 45 of the tested apps, according to the Journal.

Pandora, the free music service, revealed in a Securities and Exchange Commission filing on April 4 that it had been subpoenaed by the federal grand jury to provide documents related to how the company collected and shared user information on its iPhone and Android apps. Pandora was not a "specific target of the investigation," the company said in the filing, adding that subpoenas were issued "on an industry-wide basis" to other mobile app makers.

"Your personal information is being transmitted to advertising agencies in mass quantities," said Tyler Shields, a senior researcher for application security testing firm Veracode, on the company's ZeroDay Labs blog. He based his conclusions on a detailed analysis of Pandora's radio-streaming application for Android smartphones.

Veracode analyzed Pandora's Android app and found five advertisement libraries compiled into the application, including AdMarvel, AdMob, comScore, Google.Ads and Medialets. The research team analyzed each of the modules to identify exactly what was being collected.

The AdMob library transmitted users' birthday, gender, ZIP code and exact GPS location. The app continuously updated the GPS data, which provided Pandora with "significant insight into a person's life" by tracking users at home, office and other places, Shields concluded.

The library also accessed the Android ID, the phone's unique device ID. The other libraries collected the same types of information as well. comScore's SecureStudies library directly sent a hash of the Android ID to its ScoreCard Research Website. The Medialets library accessed the GPS data, bearing, altitude, Android ID, connection status, network information, device brand, model, release revision and current IP address.
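The detail that one library sends a hash of the Android ID rather than the raw value deserves a closer look, because hashing a stable identifier does not make it anonymous. Any party that hashes the same ID with the same function gets the same token, so records from different apps and services can still be joined on it. The following Python example, added here and not code from Veracode, Pandora or any of the ad libraries named above, simulates two independent services recording the same constructed set of device IDs and measures how many records an aggregator holding both data sets could link. The sample IDs and the per-service secrets are constructed values, and the keyed-token scheme is a general mitigation pattern, not something the article attributes to any vendor.

```python
import hashlib
import hmac

# Constructed sample device identifiers in Android ID format (16 hex digits); not real devices.
SAMPLE_ANDROID_IDS = ["9774d56d682e549c", "3a1f0c2b7e9d4455", "c0ffee1234567890"]

# Constructed per-service secrets. In practice each service would hold its own, unshared.
SALT_SERVICE_A = b"constructed-secret-for-service-a"
SALT_SERVICE_B = b"constructed-secret-for-service-b"


def unsalted_token(android_id: str) -> str:
    """Plain hash of the stable device ID: the pattern the article describes.
    Deterministic and salt-free, so every party hashing the same ID gets the same token."""
    return hashlib.sha256(android_id.encode()).hexdigest()


def keyed_token(android_id: str, service_secret: bytes) -> str:
    """Device token keyed with a per-service secret (HMAC-SHA256).
    Stable within one service, but two services with different secrets cannot
    match their tokens against each other without sharing the secret."""
    return hmac.new(service_secret, android_id.encode(), hashlib.sha256).hexdigest()


def overlap(tokens_a, tokens_b) -> int:
    """Number of tokens present in both services' records, i.e. how many devices
    a data aggregator holding both data sets could link."""
    return len(set(tokens_a) & set(tokens_b))


def compare_schemes(android_ids=SAMPLE_ANDROID_IDS) -> dict:
    """Simulate two independent services (e.g. two ad libraries in two apps) that each
    record the same set of devices, and measure how many records can be joined."""
    unsalted_a = [unsalted_token(i) for i in android_ids]
    unsalted_b = [unsalted_token(i) for i in android_ids]
    keyed_a = [keyed_token(i, SALT_SERVICE_A) for i in android_ids]
    keyed_b = [keyed_token(i, SALT_SERVICE_B) for i in android_ids]
    return {
        "devices": len(android_ids),
        "unsalted_linkable": overlap(unsalted_a, unsalted_b),
        "keyed_linkable": overlap(keyed_a, keyed_b),
        # A keyed token is still stable for the same service over time, so it still
        # works as a per-service identifier (and still tracks the user within that service).
        "keyed_stable_within_service": keyed_token(android_ids[0], SALT_SERVICE_A)
        == keyed_a[0],
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Run as a script, the unsalted scheme links every device across the two services, while the keyed scheme links none. The keyed token only limits cross-service correlation; within one service it remains a persistent identifier, so the stronger mitigation is not transmitting a hardware-bound ID at all.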

While the user information helps Pandora personalize the music streams for its users, Veracode's analysis showed that Pandora is also sending the information to advertisers.

"As more and more 'free' applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms," Shields wrote.

It was possible that Pandora and other smartphone app developers were not aware of the amount of information being collected and shared, Shields said. Developers could be integrating prebuilt code snippets from the libraries without analyzing what is happening.

"They may merely think they are getting $X per ad impression, not that the ad library is leaking significant information about the user," Shields said.

When all the data is "compiled into a single unifying picture," it's pretty easy for mobile app makers and advertising companies "to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them," Shields said.

"I don't know about you, but that feels a little Orwellian to me," he said.

A commenter on Shields' post on Veracode's blog wondered whether Pandora is collecting and transmitting the data for paid users as well. Another asked whether the BlackBerry app could be tweaked, since users have a more granular level of control over what the app can do on the device. Veracode has not yet investigated these questions.

Pandora's smartphone app allows users to listen to streaming music from their phone. The application has been installed more than 10 million times, according to statistics on Google's Android Market, and is the 28th most downloaded app in Apple's App Store.