When I downloaded the Flashlight app to my iPhone, I was in a jam. I was camping, I think. Or maybe a pen had rolled under my couch. I remember that smug sense of self-congratulation after I downloaded the software, which converted the iPhone’s LED flash into a steady and bright beam of light.
But I shouldn’t have been so pleased with myself. Though I didn’t realize it at the time, I was potentially handing over a boatload of data to advertisers as well. Even a flashlight app, it turns out, can ask for a shocking amount of user data when you download it, tapping everything from my calendar to my phone’s location engine to my camera. Yes, my camera. This is something you can keep in check, thanks to the privacy controls on today’s iPhone, but the truth is that most people don’t.
The FTC has clamped down on flashlight apps for downloading data for advertisers without informing consumers, and these seemingly innocuous apps are only a small part of the problem. On my phone, several apps want access to information they probably shouldn’t, and odds are, that’s the case with your phone, too. The lesson here is that when it comes to mobile software, there’s really no such thing as a free app. But there’s a corollary, and it’s that this whole world of mobile app privacy is both murkier and more troubling than things are on your computer desktop.
The Flashlight app on my phone is built by a company called iHandy. The company didn’t return messages asking for comment for this article, but a mobile phone security operation called Appthority did an analysis of the data that Flashlight can potentially request, and it’s pretty scary.
According to Appthority’s president, Domingo Guerra, Flashlight is designed to do location tracking, read my calendar, use my camera, gain access to unique numbers that identify my phone, and then share data with a number of ad networks, including Google’s AdMob, iAd, and JumpTap. It may not actually be doing all of these things — Appthority’s analysis only shows what the software is capable of, not necessarily what it’s actually up to — but the fact that there’s such an arsenal of dubious uses should raise eyebrows.
Guerra can’t think of any reason why a flashlight app would need to be able to track me or to see my calendar. “All of that stuff is pretty shady, and it has a lot of advertising networks in there that it’s sharing data with,” he says.
Flashlight apps have a particularly fierce reputation for data exfiltration. The FTC went after the makers of “Brightest Flashlight” last year for deceiving users about how it shared geolocation information with advertising networks. But, according to Guerra’s analysis, there were several free apps on my phone that were data hungry.
A music app that simulates guitar chords shares data with ad networks. Guerra’s analysis found code in the app that could be used to do location tracking or access my address book, although there’s no evidence that it’s actually doing those last two things.
Another fun app that my daughter downloaded, called Stack the States, shares data with an ad network. But if I spend $0.99 for the paid version, all that tracking goes away and I get a great app with no privacy concerns, Guerra says.
The problem is that app makers aren’t completely upfront about what data they’re sharing and how it’s being sold via the ad networks. It’s troubling because the data that we store on our phones is both more intimate — geolocation data shows where we live, where we work, and where we like to go — and also more permanently tied to us.
Websites keep track of PC users using browser cookies — little files that get downloaded to your computer, and which can easily be erased. Many mobile apps, on the other hand, track you using unique identifiers such as the UDID (Unique Device Identifier — the equivalent of your phone’s serial number) or IMEI (International Mobile Station Equipment Identity — the unique number mobile networks use to identify subscribers).
Many apps request access to parts of our phone without explaining why, says Adi Kamdar, an activist with the Electronic Frontier Foundation. “We seem to see this sort of thing happening pretty often, especially with apps that through updates ask for more permissions,” he says. “They may not be making a whole lot of money from app downloads or ad clicks, so they may have this perspective that we need to collect as much customer data as possible as an insurance policy.”
The good news in all of this is that the hardware makers seem to be learning that this is a problem that they’re going to have to address. Apple has made it pretty easy to control which services your apps are able to use. You go into Settings → Privacy and then you can switch apps off and on. When I did this, I discovered that a second flashlight app, this one made by Lemondo Entertainment, had requested access to my phone’s microphone and location services.
Bizarrely, though, Google developed a similar technology for Android, called App Ops, and then removed it, claiming that it couldn’t release the software because it might harm software on the phone. Google didn’t reply to my requests for comment on this story.
So now I’m pledging to do a regular inventory of what apps I have and what they’re up to. As for the flashlight apps, they’re gone. It turns out I really didn’t need them. Apple introduced a built-in flashlight in iOS 7.