A popular flashlight app sold millions of Android users’ location data to advertisers and they had no idea

Daniel Bader

December 6, 2013 3:05 pm

According to a report by the Federal Trade Commission, a popular free flashlight app, Brightest Flashlight Free, has been selling Android users’ location data to advertisers right under our noses.

Despite an option within the app to disable the location sharing feature, which was promised to be anonymized and used only by the developer, Brightest Flashlight was locating users and, paired with a unique device ID, selling that data to advertisers.

The FTC report, which was issued only after the Commission settled the dispute with the developer, “alleges that the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically rendering the option meaningless.”

The report points out that consumers of apps must be aware of the permissions associated with each download, and make informed choices about which developers to trust. Android is a much less regulated environment than iOS, BlackBerry or Windows Phone, making it especially easy for developers to take advantage of the wealth of user data at their fingertips. Why a flashlight app needed to collect users’ location data should have been at the top of every Android user’s mind when downloading the app.

While this is not the first Android app to run afoul of Google’s terms of service, its seemingly innocuous nature exposes the potential risks of using an app that says one thing but does another. In this case, Brightest Flashlight Free does apparently live up to its claim of being an excellent flashlight app; it just turns out that we, the users, were the product, not the customers.

The app’s developers, Goldenshores Technologies, are prohibited from misrepresenting their apps in the future, but this is unlikely to be the last time we hear of a free app misusing people’s location data. Apple makes it much more difficult for developers to do the same thing, and has even banned the use of UDIDs for advertising purposes. It’s unlikely Goldenshores was selling users’ location data to advertisers for nefarious purposes, but the fact remains that we didn’t know, and were misled, and that’s what caused the FTC investigation.

Source: FTC

  • Michael Bazdell

    You’d have to be pretty dense to install a flashlight app that requires location data and network access….

    • It’s Me

      Yup. Blame the user.

    • Michael Bazdell

      So if you drink a bottle of liquid that has POISON written on the label, it’s the bottle’s fault?

    • It’s Me

      And that would be a useful analogy if the app in question said “WE SELL YOUR LOCATION DATA”.

      If instead, that bottle of liquid was labelled as juice, was sold by a trusted store and included, in small print, that it contained Acesulfame-K, along with the rest of the ingredients, then you might not so easily blame the consumer for not realizing that is a possible carcinogen that is allowed in food products.

      In the end, I was agreeing with you. The user opted to use a platform that requires a level of diligence when using it normally. If they cannot meet that level, then they ought not to be using computers.

      But then I come from a background where I think users are dense that are not regularly running a sniffer to see what is being transmitted across the wire(less).

    • Michael Bazdell

      The idea is more that if you’re getting a flashlight app, why would you install it if it requires network access or location data? It’s a flashlight. Granted some of them will come with ads so those permissions make sense, but then why are you getting a flashlight app with ads?

      I wasn’t trying to make a blanket statement for every app and their required permissions. This is a case where using barely any consideration should have alerted the user that something is a bit strange with the app.

    • It’s Me

      It’s a free app. Would it be that unexpected for any free app to be supported with ads? Seems like that would be more than common, it would be expected. Would a flashlight app be any less likely to try to monetize their app with ads than any other app?

    • J-Ro

      Phones should come standard with a flashlight button now. I heard the iPhone does and I know the Blackberry does. Google needs to add that in the next update.

    • Joe

      HTC comes with a built in flashlight app.

    • Alex

      What sniffer app do you use? Looking for some recommendations!

    • It’s Me

      Wireshark. Have it at work and home. Stick it in promiscuous mode and see what’s what.

    • Kevin Sutton

      Well… the case seems to be the application presents a phony option to turn off information sharing; not that an app tries to accumulate data for sale.

      So it would not be labeled ‘poison’. It would be labeled ‘safe for consumption’. Did you make it to the second paragraph of the article?

    • Michael Bazdell

      I agree that this was more than just the permissions, much like the LG TVs that sent back data even after you told it not to. However the initial problem does stem from the user in this case.

    • Axlin

      If you want to opt out of information sharing, why would you install an app which collects said information in the first place? A flashlight app which collects precise location data, wifi information, accesses your contacts/SMS messages, requires full network access, etc, is obviously up to no good. While the developer is scum and should be held accountable, the users need to be held accountable as well for their complete lack of common sense and willingness to set themselves up for this exact type of situation.

      Edit: To further make my point, those who actually care about their privacy can ALWAYS find an app which comports with their standards. Case in point: Find “Search Light” on the Google Play store. Look at ITS required permissions, compare them to the permissions requested by other flashlight apps, and consider that it offers literally equivalent functionality. This notion that you must be “the product” if you wish to use an app for free is completely ridiculous.

    • Michael Bazdell

      For sure. I’m pointing out these people are rather dense. You can only do so much for people before you’re doing everything for them.

    • J-Ro

      I think Jesus said it best “Give a man a fish and he eats for a night. Give a man a smartphone and he starves in a grocery store”

    • Matt

      “While Googling how long chicken is good for in the fridge, because, you know, that ish is expensive.”

    • Nadefrenzy

      Hey man, you might have all the time in the world then if you really inspect the “permissions” on a flashlight app—many of us don’t.

      However, I must say, categorizing all of us under one judgement reflects very poorly upon you.

    • TomsDisqusted

      Most ad based apps on all the platforms retrieve your location and some info that identifies your device (and require network access) – that is standard.
      What is special about this case is that they misrepresented what they did with that data.
      So, the permissions aren’t really the issue (nor is Android). The issue is a company saying one thing and doing another.

    • J-Ro

      I think the only difference is that they got caught. Likely a lot more are doing this but haven’t been found out yet.

    • MXH070

      I’m pretty sure you never read the Gmail or Youtube disclaimer of what Google is entitled to on your device if you use those Google services. If you haven’t and have those accounts then you can lump yourself in with dense population as well.
      Majority of the population don’t read the LONG drawn out disclaimers and these companies know that if you make the font small enough and make the statement long people can’t be bothered as they have some blind trust the company is looking out for their well-being, so they just click the little accept box and carry on. What needs to be done. If an app mines data then it needs to be labeled as so in plain language “This app sells your information”

    • AngryAndConsiderate

      Dense is not even properly used in this case. I’m sorry to inform you that stubbornness has little to do with anyone’s decision to install a flashlight app. Stupidity or ignorance would be the better word. And I am neither, yet I installed this app. You can’t possibly understand why anyone would allow a flashlight app access to such information, and I realized that the purpose was for advertising. I didn’t realize they were selling my location, however. But why should I care? What is the absolute worst case scenario for a developer having your location information? I’ll tell you what it is; it’s that developer using that information to locate and kill all of the app users… But that’s an idea for a modern horror movie and unrealistic. A much more realistic worst case scenario would be… To sell to advertisers. And really, how is that a big deal? What’s the worst they can do? Annoy me with location based advertisements and depending on how specific the location is, maybe send me ads in the mail? A pain to deal with, no doubt but hardly the end of the world. Besides, there are plenty of legitimate reasons to collect location data that would not infringe on your privacy. So when a privacy policy gives you a reason, assuming you even read it, it’s probably a decent reason. And it’s kind of illegal to not uphold your promise in those things. What I’m getting at, is that you’re no better than anyone else and, in fact, I’m sure that there are plenty of users of the app that are far more intelligent than you. So step down from the soap box, you’ve no right to be there.

  • Walter

    Those muthas. I had that app for a while and deleted it. I wonder if there will be a class action case against them and those who bought the data. I wouldn’t mind a small piece of that pie.

  • Columbo

    I wonder how often this happens. This is why I’m a fan of BlackBerry, no random unnecessary permissions for their native apps.

    • Columbo

      Haha touche. Even so! My flashlight isn’t selling my personal info, and I’m pretty happy about that.

  • Mythos88

    I don’t know why this app was singled out. That kind of behavior is absolutely rampant on Android and is why Trend Micro flags 35% of Android apps as malware. Even Google emails your personal info to devs when you purchase an app from Google Play.

    • Ry29

      Who would downvote you?… it’s sadly the truth

    • TheFloppyBeaver

      It’s the people who are so blindly loyal to a product for no reason. I certainly have my preferences, but it doesn’t mean that I’m going to agree with everything the brands behind the products do and support every decision they make.

      Constructive criticisms are a great thing! It helps the brands that we like improve, it’s too bad that some people out there lack the critical thinking to understand this. :(

  • Jonathan Schmitt

    READ!! People, READ!!

    Every time you install an app on Android it brings up this small thing that lists the permissions of the app. READ!

    • Ry29

      I agree. The problem is, there are apps out there (this one is not one of them) that are considered essential, but you can’t limit what permissions they get unless you install Privacy Droid, etc. I like how BlackBerry upon installation gives you a dialog, and you can toggle which permissions it can get.

  • TheFloppyBeaver

    Nobody’s going to care, it’s obvious that most consumers have no concerns about their privacy these days.

    Shame.

    • Pigs Can Fly

      That’s true, when the discussion of NSA tracking people through Facebook and etc, and the discussion of XBox One’s Kinect and the possibility of the camera watching and some guy goes “I don’t care about who sees what’s going on in my house”, so he’s fine with a peeping tom peering through his window? Some people just don’t get it.

  • TheFloppyBeaver

    BTW, when will Android adapt granular permissions for Google Play?

    • Ry29

      Agreed. Other OS’s offer granular control.

  • RG

    “You’re turning on your flashlight in location X, are you sure? it’s daytime and sunny”

  • d a

    With this app it’s a no brainer it seems but some app devs are getting scummy. They create a paid app, then change the permissions down the road after you’ve been sucked in and sucked in a lot of people. Under these circumstances I have no problem with using pirated versions of software to avoid new permissions if you have to erase and reset your phone.

  • ginobili1

    I would say that the developer is completely to blame for this lapse. The user can only do so much to read the permissions, but if the dev said that these are used for ads, the user (a lot of the times) goes lenient thinking that he/she is getting a free app anyway so why not.

    Now if the dev uses those permissions for more than ads, then it is completely the developer’s fault. I would suggest that these guys be banned from the store and there must be a lawsuit on them.

    I really hope that the other devs learn something from this.

  • Mosa Altalibi

    So… Honestly wondering, Which flashlight app DOESN’T either have access to location, phone calls, or camera. Stock android should have its own assistive light widget, because I can’t find one without seemingly harmful and/or pointless permissions.

    • Patrick Cuyegkeng

      I use the one built into Battery Widget Reborn. The app itself is great for what it does (it’s a battery widget, but with stats and the ability to control some things to help with battery life), but also can be configured to toggle the flash. It does require a lot of permissions (because it can control things like your WiFi, network sync, etc.), but I do not see Location as one of them.

    • Noah Roesler

      But… Android does have a native built in assistive light widget…

    • Mosa Altalibi

      Touchwiz on Samsung, yes. Sense on HTC, yes. Stock android for nexus or Moto X, no.
      Unless I’m mistaken? If I am, please do enlighten me.

    • Noah Roesler

      Oh maybe not then.. I got the Touchwiz

    • Pigs Can Fly

      Nope, not on Moto X, I use flashlight through Switchpro.

    • alamarco

      TeslaLED Flashlight doesn’t have any unnecessary permissions. Simple application for flashlight needs.

    • Mosa Altalibi

      I just went through a bunch of apps and I think this one’s the best so far.

    • Stephen B Morris

      All flashlight apps must have access to the camera to use the LED flash. I personally use ‘nexus flashlight’. Only has 2 permissions and the developer has a donate version. Seemed honest to me.

    • Mosa Altalibi

      But you see that’s the issue. I think there should be more detailed and limited permissions.
      I get that having permissions for location doesn’t make any sense, and should have been avoided regardless. But in another year or so there’s going to be an article about how some flashlight company is stealing photos from users. At which point people will again be like “users should read the permissions and be more careful, because >obviously< you shouldn’t give it permission to take photos and videos.”

  • canucks4life

    doh I used to have this app :(

  • S2556

    I currently have this app installed as it has been on and off my devices for over a year. Not sure if the permissions changed but usually I don’t have a problem running into these sketch apps. Hmmmmm. Well sounds like they do the same thing as many others but don’t tell you which is annoying and wrong. Not as bad as I initially thought though.

  • Pigs Can Fly

    That’s why I’m wary on permissions with certain apps, I was searching for a magnifier app so I can read tiny print and half of them have these crazy permissions like phone status and network (even paid versions), so I finally found one that only accesses the camera and storage. I noticed an awful lot of keyboard themes with those odd permissions too.

  • nosnhoj

    This is why I would never own a hemriod phone, tired of google tracking everything I do on my computer too

    • Striker67

      Couldn’t agree more. Google sucked people in and got them dependent on their service reliant on their services and now they know more than the government about your habits, your friends, who you write to, where you go and people don’t seem to care. I have started to be more careful with Permissions and as apps update now I review the permissions. If I don’t like them I uninstall the app or don’t update. Facebook and LinkedIn are bad. Way too much data given to both and I have gone back to mobile apps. Haven’t updated any Google apps for a while now. Google really needs to get its act together and protect their users instead of taking advantage of them. I would rather pay for email and their other apps to protect my privacy more.

  • nosnhoj

    Don’t know how all you i****s can defend android, get a blackberry they would never allow an app to do this

  • Ronell  I.T. Man

    When a Flashlight App asks for access to your Contacts and locations “Android Logic : Allow “. In BlackBerry App World you get 1 Starred for that.

    #TeamBlackBerry

  • King kobi

    That’s it, I’m done with android. Selling my note 2 for cheap. It’s white with a genuine protectant Samsung case. I’ve been using my surface rt I got the other day and I’m loving it. Jail broke it and running many legacy apps. Time to give windows phone a try.

  • MXH070

    This is the norm for the android user base: all data is mined from the users by Google or by the app developers, it’s well known. A day doesn’t go by that one doesn’t read an article of Google services being hacked or another vulnerability to android OS exposed but Android users don’t care about security or privacy just as long as they get FREE stuff.

  • Martin Chan

    This was bound to happen. I know everyone’s skipped reading the permissions on Android. Not everyone’s going to read every single piece. There’ll be a lazy day. But it’s to be expected. It’s a tradeoff for the kind of ecosystem Android provides.

    It’s time for Android to eliminate those unnecessary apps. Provide flashlight, etc like iOS and BB10 have. Not sure about WP yet.

  • Tom

    Privacy Guard on CM10.2 = problem solved.