U.S. FTC: Popular Android ‘flashlight’ app secretly shared millions of users’ locations, device ids

The creator of one of the most popular apps for Android devices has agreed to settle Federal Trade Commission charges that the free app, which allows a device to be used as a flashlight, deceived consumers about how their geolocation information would be shared with advertising networks and other third parties.

Goldenshores Technologies, LLC, managed by Erik M. Geidl, is the company behind the “Brightest Flashlight Free” app, which has been downloaded tens of millions of times by users of the Android operating system. The FTC’s complaint alleges that the company’s privacy policy deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks. In addition, the complaint alleges that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, in a statement. “But this flashlight app left them in the dark about how their information was going to be used.”

In its complaint, the FTC alleges that Goldenshores’ privacy policy told consumers that any information collected by the Brightest Flashlight app would be used by the company, and listed some categories of information that it might collect. The policy, however, did not mention that the information would also be sent to third parties, such as advertising networks.

Consumers also were presented with a false choice when they downloaded the app, according to the complaint. Upon first opening the app, they were shown the company’s End User License Agreement, which included information on data collection. At the bottom of the license agreement, consumers could click to “Accept” or “Refuse” the terms of the agreement. Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties – including location and the unique device identifier.

The settlement with the FTC prohibits the defendants from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The settlement also requires the defendants to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers’ affirmative express consent before doing so.

The defendants also will be required to delete any personal information collected from consumers through the Brightest Flashlight app.

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through Jan. 6, 2014, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments can be submitted electronically via the Commission’s comment submission page. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

Source: U.S. Federal Trade Commission

MacDailyNews Take: “Open” wide.

[Thanks to MacDailyNews Readers “Fred Mertz” and “Wabash Sphinx” for the heads up.]

20 Comments

  1. Samsung has promptly responded to the problem of Android security (or total lack thereof) with a plan to offer each and every Galaxy phone and tablet owner an extra large tube of Ky, so that they can be more comfortable with their purchase.

  2. Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties

    Déjà vu. This is soooo Windows.

    I love the Apple user culture. We go ballistic when abuse like this occurs, running the scum out of town on a rail, after tar and feathering, disemboweling and flaying them alive. We take care of our own, and so does Apple.

  3. I love my iOS 7 phone 5S. But I think that iOS 7 may have a backdoor in it too. iOS 6 gave law enforcement authorities fits when trying to break into it. But now they are wholeheartedly embracing iOS 7 which has me worried. I also see that some of the hostility has died down against Apple since iOS 7 which makes me think that they were pressured into doing something with this system that they did not want to.

  4. I long for the days when one could try limited-functionality software for free, and if one liked it, then one could buy it. No tracking, no phoning home, no always-on internet connection required. Now users ON ALL MOBILE PLATFORMS have the choice of “free” spyware/data-mining/adware, or paid programs that still come with no guarantee of being clear of data snooping.

    Apple users are deceiving themselves if they think Apple isn’t playing the same game as Google, collecting as much data about you and your iOS habits as possible. Moreover, Cook & Co have admitted to cooperating with the NSA without user knowledge or alert, so they apparently don’t think it’s very important for you to know who/what/when/where it collects and shares your intercepted communications & data.

    The more one learns about the business model for mobile operating systems and software, the more one appreciates the Mac OS, where at least you can do things while disconnected from Big Brother.

    1. “Moreover, Cook & Co have admitted to cooperating with the NSA without user knowledge or alert, so they apparently don’t think it’s very important for you to know who/what/when/where it collects and shares your intercepted communications & data.”
      URL to legitimate link proving this, or we’ll know you’re lying.
      Apple said they will not comply with NSA requests until absolutely compelled, by legal enforcement, to do so.
      Or didn’t you bother reading the posts on here?
      I guess you didn’t bother, you don’t want to see anything that contradicts your cozy little conspiracy theories, do you?
