Pandora Accused Of Collecting “Mass Quantities” Of Personal Data Via Mobile Apps

Popular mobile music-streaming service Pandora has been accused of sending “mass quantities” of personal data from its mobile applications for the purpose of serving mobile advertising.

Tyler Shields, a senior researcher for application security testing firm Veracode, dug into Pandora to take a closer look at the personal information it processes. Shields first identified that Pandora’s Android application integrates with five different mobile advertisement libraries: AdMarvel, AdMob, ComScore (SecureStudies), Google.Ads, and Medialets, all of which Shields decompiled to analyze.

Looking at just AdMob, Shields found that the network receives a user’s location as GPS coordinates, the application package name, and the application version. In addition, said Shields, “there were variable references within the ad library that appear to transmit the user’s birthday, gender, and postal code information.” The application also shared the android_id, which is a variable that developers can use to identify individual smartphones, although the legality of doing so is unclear.

When the data is fragmented it may seem insignificant, but when combined, it creates a substantial user profile in exchange for accessing a seemingly “free” mobile app. The subject of mobile apps collecting personal user data has become the focus of federal prosecutors in New Jersey, who are investigating whether mobile application vendors are illegally retaining or sharing personal information about their customers with third-party advertising groups.