Flashlight App Covertly Sends Location Information

Fast Company today reported on a popular flashlight application which attracted the attention of the Federal Trade Commission for deceptively sending identifying information, including GPS-derived location, even before users had agreed to the EULA. Obviously a keen user would notice such privileges when downloading the application from the Play Store, but this does not excuse the behavior of an application that was ostensibly just a flashlight.

Certainly it is a worrying trend that we have seen with many apps, including ones from companies big enough to know better, requesting permissions that are not required by any stretch of the imagination for the application to function. The official Android Facebook app springs to mind as a particularly impressive display of overuse of privileges.

So what recourse does a user have against this intrusive behavior? Obviously they could elect to simply not install the application, but surely the permissions system in Android is robust enough to tolerate some fine-tuning. Indeed it was: Android 4.3 introduced the AppOps feature which, although hidden, allowed users to fine-tune exactly which permissions an app could make use of. It did have some serious shortcomings (for example, a permission only became available in AppOps once an app had attempted to make use of it), but it was nonetheless a dramatic step in the right direction. I was saddened to see this feature disappear without any explanation in 4.4, and wondered whether complaints from developers who saw it as endangering their revenue stream had anything to do with its removal. This leaves users of 4.4 with little option other than rooting their device, using a custom ROM and/or making use of third-party solutions like XPrivacy. This is bad form, Google. Permissions, particularly privacy-invasive ones such as access to your location information, unique identifiers that could potentially link you with the device, and direct access to the device's cameras and microphone, should be made available for toggling in a simple user interface. Until Google has done this, at a minimum, they cannot claim to be serious about protecting their users' privacy.

UPDATE: as per this LifeHacker post it appears that some of the permission managers are again working in 4.4 thanks to some tweaking. It appears that the old means of invoking it by intent is gone, but I am nonetheless elated to have regained some control. That said, Brian Party correctly noted that the LH article is attempting to sell a permission manager that is in itself a privacy threat to your phone. The open source AppOps by Sylvain Garland (market link) appears to be the least evil of the bunch, requesting no additional permissions. As an aside, I am planning something of an exposé (including some disassembly) of some of the cellular baseband firmwares, as I believe the baseband is likely the biggest threat we have to our privacy. If you have anything to contribute, don't hesitate to contact me. You can retrieve my PGP key from the key page and find my email address within the key metadata.

9 thoughts on “Flashlight App Covertly Sends Location Information”

  1. Are you sure 4.4 has removed the App Ops capability? My Nexus 7 (original) running 4.4 build KRT16S with Settings version 4.4-920375 still allows me to access the App Ops tool using the “App Ops Starter” app, which was updated on 26 Nov with a changelog note “Support for Android 4.4 finally added!”

      • For whatever it’s worth, I strongly recommend the “App Ops Starter” app vs the one the Lifehacker article references. App Ops Starter is about 200kb and requires zero permissions.

        App Ops 4.3 / 4.4 KitKat, as linked by Lifehacker, is 2.05MB and requires:
        Storage: modify/delete
        System tools: install shortcuts
        Network communication: full network access
        System tools: read USB contents
        Network comms: Google Play billing, view network connections
        Affects battery: prevent sleep

        No way in hell am I installing that when the first one does the trick. It opens the App Ops screen and that’s all. Maybe if other features exist in the second app that one wants it might be worth it, but I haven’t looked into what else it does. Maybe Lifehacker wants their permission manager to have in-app purchases, I sure don’t.

      • Agree with you 100 percent. I just linked to the article to show that some apps have updated. There is no need for these apps to have /any/ permissions as all they are doing is calling the built in appops. The only thing that has changed (looking at the source) is how it is called.

        In 4.3 it is just a simple action/intent that’s called… android.settings.APP_OPS_SETTINGS

        In 4.4 it first launches com.android.settings.Settings (main settings) with the extra component com.android.settings.applications.AppOpsSummary.

        Why they’d change the method of invocation, I don’t know?

        There’s nothing I hate more than apps that over ask for permissions. The LH article I thought was a good primer for the “average guy” but seeing as it is endorsing crapware I will update.
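The two invocation paths the commenter describes, as an added example (not code from the blog or from any of the App Ops launcher apps mentioned): a minimal launcher activity that picks the 4.3 action or the 4.4 Settings-fragment route by platform version and needs no permissions of its own. The extra name `:android:show_fragment` is assumed to be the internal key the Settings activity reads; it is unsupported and may differ on OEM builds.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Build;
import android.os.Bundle;
import android.widget.Toast;

/**
 * Opens the hidden App Ops screen without requesting any permission.
 * 4.3: a plain settings action. 4.4: launch the main Settings activity
 * and ask it to show the AppOpsSummary fragment directly.
 */
public class AppOpsLauncherActivity extends Activity {

    // Android 4.3 action (from the comment above)
    static final String ACTION_APP_OPS_43 = "android.settings.APP_OPS_SETTINGS";

    // Android 4.4 route (from the comment above)
    static final String SETTINGS_PACKAGE = "com.android.settings";
    static final String SETTINGS_ACTIVITY = "com.android.settings.Settings";
    static final String APP_OPS_FRAGMENT = "com.android.settings.applications.AppOpsSummary";
    // Assumption: internal extra name honoured by the Settings activity on this build
    static final String EXTRA_SHOW_FRAGMENT = ":android:show_fragment";

    /** Builds the intent appropriate for the given platform API level. */
    static Intent buildAppOpsIntent(int sdkInt) {
        if (sdkInt >= Build.VERSION_CODES.KITKAT) {
            Intent intent = new Intent(Intent.ACTION_MAIN);
            intent.setComponent(new ComponentName(SETTINGS_PACKAGE, SETTINGS_ACTIVITY));
            intent.putExtra(EXTRA_SHOW_FRAGMENT, APP_OPS_FRAGMENT);
            return intent;
        }
        return new Intent(ACTION_APP_OPS_43);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        try {
            startActivity(buildAppOpsIntent(Build.VERSION.SDK_INT));
        } catch (ActivityNotFoundException e) {
            // OEM builds may strip or rename the screen; report it instead of crashing
            Toast.makeText(this, "App Ops screen not available on this build",
                    Toast.LENGTH_LONG).show();
        }
        finish();
    }
}
```

Declare the activity in the manifest with no `<uses-permission>` entries; a launcher that asks for storage, network or billing permissions is doing more than opening this screen.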

      • It’s all good. I’m not well acquainted with the Android source or app development issues, so I don’t know if this adds a high bar of entry to get into the tool (it seems not). Why change? Who knows. Probably lets Google count people using App Ops with more granularity or something.

        I just had to spew out my rant in the interest of readers who might think the LH-referenced app was their only way in.

        Cheers! And thanks for your blog.

      • As always appreciate your comments. I often don’t have the time to vet links – you’re absolutely right that a user may have read the LH article and figured that the software they spoke about was the only option.

        As to why they decided to change the way appops is launched – I have no idea. I am at least glad that it can be launched albeit using a slightly different intent.

        Thanks for reading and contributing. I have always said that a blog is only useful if people “chat back”.

      • Yeah, I touched on XPosed/XPrivacy in my original article but it is hardly an adequate solution for Joe Q Public.

        Google needs to a) fix appops in 4.2.2 b) standardize permissions between what is displayed on installation and what is toggleable in appops c) make the damn thing visible to the average user – in particular make the install dialog from the play store have checkboxes for each permission.

        I suspect that Google’s floundering on this issue has more to do with the pressure of the advertisers who monetize apps with their crapware.
