Is your Pandora app transmitting more than the latest hits? Internet security company Veracode conducted an investigation recently and found that the Pandora Android app is transmitting things like user location, gender, birthday, and postal code information to third-party ad networks.
"Your personal information is being transmitted to advertising agencies in mass quantities," Veracode wrote in a blog post. "As more and more 'free' applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms."
Veracode was inspired to test out the app after Pandora revealed that it was served with a grand jury subpoena related to an investigation about the security of mobile apps. Pandora said in a regulatory filing that it was not a specific target of the investigation, but believes that similar subpoenas were issued "on an industry-wide basis" to other companies that produce smartphone apps.
As a result, Veracode decided to analyze the Android version of the Pandora app, and found libraries from five ad networks bundled into the app: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets.
Veracode then drilled down to see what type of data each network was collecting. AdMob accessed GPS location, application package name, and application version information, and "there were variable references within the ad library that appear to transmit the user's birthday, gender, and postal code information," Veracode said.
"The SecureStudies library accesses the android_id and directly sends a hash of the data to http://b.scorecardresearch.com while the Medialets library accesses the device's GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address," the post said.
Pandora is currently in a quiet period related to its planned IPO and could not comment on the Veracode post.
Veracode noted that "application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user."
Individual data points, meanwhile, are somewhat uninteresting, but put together, they "can provide significant insight into a persons life," Veracode said. "That feels a little Orwellian to me."
The fact that apps transfer data to ad networks is not particularly new, but the detalils of what they transfer made headlines last year. Veracode actually released a study in September that found that more than half of mobile applications aren't secure. Out of approximately 2,900 applications tested over an 18-month period, 57 percent failed to meet "acceptable levels" of security, Veracode said.
Shortly after that, a report from researchers at Penn State, Duke, and Intel Labs found that in a study of 30 randomly selected, popular Android apps, about two-thirds of them "used sensitive data suspiciously."
In December, the Wall Street Journal also conducted a study of 101 mobile applications and found that iPhone apps distribute more personal data without the users' permission than Android apps. That resulted in two lawsuits against Apple for transmitting user information to third parties without permission, though Business Insider also suggested that the Journal may have been exaggerating the threat of transmitting data back to an ad network.