The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data being requested.
First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the Manifest permissions for the version of Pandora currently in the Google Application Marketplace:
- Full Internet Access
- Create Bluetooth Connections
- Read Contact Data
- Add or Modify Calendar Data and Send Emails to Guests
- Read Phone State and Identity
- Modify Global System Settings
- Prevent Device from Sleeping
- Bluetooth Administration
- Change Wifi State
- Change Network Connectivity
As you can see, GPS access is NOT included in that list. There was an error in the original post we made stating that some of the library code was requesting permissions from the Google system for GPS access, and as the commenter pointed out, that is incorrect. The code snippet we posted is only checking whether the parent application, Pandora in this case, has permission to access the GPS. If the parent does not have permission, the accessing of GPS data can’t occur.
However, the overarching theme of the original post is still valid. If Pandora had required GPS access for a legitimate reason, the embedded advertisement library would have been able to request the GPS data and send it off device. As we mentioned in the original post, there is a chance that Pandora has no idea what the embedded advertising library actually does, simply taking it from the advertising partner and embedding it into their application.