
Popular Flashlight App has been secretly sharing your location - bobbles
http://www.fastcompany.com/3023042/fast-feed/this-popular-flashlight-app-has-been-secretly-your-sharing-location-and-device-id
======
WestCoastJustin
I actually commented on this very thing @
[https://news.ycombinator.com/item?id=6266539](https://news.ycombinator.com/item?id=6266539)

> " _I wanted to install a led flashlight app a couple days ago. The one with
> 10 million downloads wants access to my phone book, internet, browser, etc.
> WTF! This is a LED flashlight app and it has an install base of 10 million,
> why on earth does it need access to the internet and phone book?! Arg, there
> is a total disconnect between useful apps and privacy! I do not know what
> the answer is, but the current system really grinds my gears!_ "

> " _Imagine if you wanted to use the ls, cd, grep, tar, pwd, top, etc
> commands on unix and an "ad" would pop up, or maybe you would see it
> connecting to the internet. These are utilities too. Is this acceptable
> behavior?_"

~~~
andyjohnson0
It is advertising supported, so the requirement for internet access is
plausible - even though it was misused.

~~~
thepicard
But your contact book and location?

~~~
andyjohnson0
Obviously unjustified and a clear warning sign.

------
pan69
What I don't get about app permissions is that it's all or nothing. You see
these apps and they require access to just about everything. As if I'm going
to install that? Not.

However, it should be that an app asks for permissions and as a user I can
tick or untick each individual permission. I.e. does this or that weather app
really need access to my contacts? Nope. So why can't I just untick that
permission?

Permissions on apps seem to be pretty much broken.

~~~
kumarm
Since Android 4.3 you can deny (individual) permissions for apps using App ops
(There are apps that let you check which apps are using a permission and deny
them the permission).

I know it makes dev's life difficult but the capability does exist since
Android 4.3.

~~~
nobodyshere
That is not really relevant since 4.3+ versions are not on the vast majority
of devices. Only hopes are on Cyanogen.

------
Pxtl
Dear play store: let me search by permissions. Or to sort by low-permissions.
When I want a flashlight app, I want to be able to search for things that
_only_ use the camera system.

I appreciate that Android lets developers and users do what they want and lets
users know what the applications have permission to do, but if you have to
snoop at every application's specific details to find this out, it's not
really good for those of us who _care_ about such things.

A big problem is some of the permissions have terrible names - stuff like
"read phone state and identity" - what freaking user is going to know what
that means?
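
The permission filter Pxtl asks for, sketched as an added example that is not part of the original thread: it reads the `<uses-permission>` entries of a decoded `AndroidManifest.xml` and reports anything a flashlight should not need. The sample manifest, the `EXPECTED` allowlist and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption for this example: what each app category plausibly needs.
EXPECTED = {"flashlight": {"android.permission.CAMERA"}}

# Permissions that read personal data, with wording a user would understand.
DATA_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contacts list",
    "android.permission.READ_PHONE_STATE": "phone state and identity",
}
NETWORK = "android.permission.INTERNET"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example Flashlight"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}

def audit(manifest_xml, category):
    """Compare declared permissions against what the category should need."""
    requested = requested_permissions(manifest_xml)
    unexpected = sorted(requested - EXPECTED[category])
    personal = [DATA_PERMS[p] for p in unexpected if p in DATA_PERMS]
    return {
        "unexpected": unexpected,
        "personal_data": personal,
        # Data access plus network access means the data can leave the device.
        "can_share_data": bool(personal) and NETWORK in requested,
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for perm in report["unexpected"]:
        print("unexpected:", perm, "-", DATA_PERMS.get(perm, "see Android docs"))
    print("personal data can leave the device:", report["can_share_data"])
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a script like this can read it.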

~~~
judk
Teaching you to care about permissions would ruin Android's ad supported
business model.

------
AmVess
No surprise here.

I recently switched from iOS to Android, and the two readily available app
stores on my device (Google Play and Amazon) are little more than a cross
between a digital flea market and the wild west.

Google would do well to copy Apple's approach to app store curation and
locking down their OS so that shenanigans like this can't be pulled off.

~~~
bad_user
I sure hope Google doesn't copy Apple's approach, because the openness of the
platform and the relaxed rules of Google Play is what drove me to use Android
in the first place, even though my first two smartphones were an iPhone 3G
and then a 3GS, which are now paper holders.

Apple's curated approach wasn't allowing me to find and install an app for a
very simple need - completely blocking calls and SMS from certain phone
numbers, without those numbers even showing up in the logs. My iPhone couldn't
do tethering either, because it's an on/off switch accessible to your mobile
carrier and my mobile carrier was charging an extra 4 EUR/month for it.

Also, people don't freaking read and we can pretend that it's somehow our
problem, but what's so hard at looking at the list of required dependency and
reading:

    
    
         - wants access to your location
         - wants to read your contacts list
    

What's so hard about asking yourself - why the hell would a flashlight app or
screensaver want to know my location or my contacts list or whatever? Are
people so dumb that we need to disallow them from hurting themselves?

Android is not perfect and the permissions system could sure use some work. It
would have been awesome if you could disallow certain permissions, but still
install the app, in which case the app would simply not receive your location,
or it would receive a blank contacts list and so on.

~~~
bruceboughton

> Also, people don't freaking read and we can pretend that it's somehow our
> problem, but what's so hard at looking at the list of required dependency
> and reading:
> - wants access to your location
> - wants to read your contacts list


The problem with this is these apps poison the whole marketplace. If I'm going
to buy a car, I'm not going to buy it from somewhere where half the cars,
perhaps the popular, good-looking ones, phone home to advertisers and track my
location for profit and where it is my job to read all the paperwork to check
which ones do and which ones don't.

The reason why the App Store has been so attractive to developers is that it
has engaged users who know the downside of installing random app Foo is not
high. If we train users to be wary of apps, it will not be good for honest
developers of good quality apps either.

~~~
bad_user
Err, the reason why the App Store has been attractive to developers is because
it's a distribution channel that generated money, period.

> _If we train users to be wary of apps, it will not be good for honest
> developers_

So what you're saying is that users would learn to not trust implicitly random
strangers making promises in exchange for cash and that would somehow harm
honest developers? Like how in the world did you reach that conclusion?

Dude, selling an app on the web or in an app store is no different than
selling something in the real world. You find some initial customers, if your
product is good those customers will give you reviews, they'll tell other
people and so on. Trust is something you earn. I don't see where the problem
is for "honest developers", I really don't.

~~~
bruceboughton
>> Err, the reason why the App Store has been attractive to developers is
because it's a distribution channel that generated money, period.

I agree. My point is that a large part of why this is true is that users have
learned that installing random software from the App Store is mostly harmless.
This is in stark contrast to the situation on Windows (desktop) and Android
(mobile).

>> Dude, ...

Thanks.

>> selling an app on the web is no different than selling something in the
real world. You find some initial customers, if your product is good those
customers will give you reviews, they'll tell other people and so on. Trust is
something you earn. I don't see where the problem is for "honest developers",
I really don't.

Selling an app on the web is different because the user doesn't know who you
are. In real life, they can make assessments about your scaminess based on a
whole host of (possibly irrelevant) factors: is your shop clean and tidy? Is
it in a dodgy part of town or on the main high street? This makes them feel
more comfortable trying your thing out.

On the Internet, no one knows you're a dog. Or worse, a contact-list sucking,
location-tracking, SMS-scanning scammer.

------
mrtksn
Those permissions are just like an "EULA" or any other legal writing that the
users just skip as fast as they can.

This is why I switched back to iOS, I had a really hard time finding apps with
permissions that are not ridiculous. What's worse, most of the people I know
just didn't care and used these apps, making em popular and high rated.

iOS is awesome in this regard, after all, my phone is the most privately used
device. I think I am not a paranoid type but I am not O.K. with somebody out
there accessing my location and contacts.

I am actually surprised we don't have big scandals with rogue apps spreading
all kinds of private data all over the internet.

~~~
m_mueller
Exactly. Allowing users to deny apps access at runtime rather than install
time is the better approach, since apps will usually still do something useful
even if you deny them access to your address book or location. Only the dialog
and maybe the granularity itself could be improved.

------
ars
This is why you should install
[https://play.google.com/store/apps/details?id=com.googlecode...](https://play.google.com/store/apps/details?id=com.googlecode.droidwall.free)
and only let apps that actually need it access the internet.

~~~
Groxx
I've been running XPrivacy[1] lately - I really really like it. Extremely
granular permissions (down to individual method calls), fakes data so things
don't crash, and tells you when permissions were last accessed.

[1]: [http://forum.xda-developers.com/showthread.php?t=2320783](http://forum.xda-developers.com/showthread.php?t=2320783)

------
andymcsherry
This is really the status quo when it comes to free Android utility apps. Most
users skip quickly past the permission when installing, and as a result, you
can generally stuff anything you want in there. To complement this, the app is
ad supported and ad networks will pay a premium to target on that. The number
of users that notice, care and don't install is insignificant compared to the
increase in revenue they see by passing this extra information along.

iOS may be better about notifying users when it comes to accessing location
and contact information, but Android has a much more robust system of
permissions. Users can see nearly every component of the system the device
wants to interact with, determine whether that is satisfactory and choose to
install the software or not. Unfortunately most users are more concerned about
finding their keys in the dark or hanging a picture straight to care.

~~~
mangotree
When you start a project in eclipse, it automatically grabs all permissions,
whether you use them or not. You actually have to go in and edit the manifest
to remove all the permissions you don't use.

~~~
raverbashing
Well, crap.

This is too much "developers, developers, developers"

If the person can't be bothered to manually edit the permission list (and I
think this changed, because I remember having to add a permission when I did
an Android test project), then they shouldn't use the resource!

But yeah, let's add all permissions to any crappy app.

~~~
myko
mangotree is mistaken. This is not true.

------
r0h1n
> _In fact, before they could accept or refuse the app's terms of agreement,
> the FTC said Brightest Flashlight was already collecting and sending
> information._

Somewhat OT, but I could've sworn Google does this on new Android installs. I
updated my Nexus 4 via CM a few days back to 4.3, and as I went into the
account settings to turn off Google sync (contacts, Gmail, calendar etc.) I
saw the sync icons spinning for all of them. I don't recollect allowing Google
to sync any of my data.

Of course I subsequently turned off sync for all Google services.

------
Sir_Cmpwn
CyanogenMod ships with a "privacy guard" feature that shuts off any intrusive
permissions for an app unless you whitelist it, regardless of what the app
claims to want from you.

------
MAGZine
Definitely used this app for quite some time. I did notice that it had required
a number of permissions, so one day I decided to ditch it out of principle.

For those looking for an alternative, I've been using the Tesla light, and
loving it. Highly recommend. The author even outlines the exact permissions
that he's using, and why he's using them.

[https://play.google.com/store/apps/details?id=com.teslacoils...](https://play.google.com/store/apps/details?id=com.teslacoilsw.flashlight)

~~~
dubyah
I personally use Nexus Flashlight Widget: Only works with camera flash LEDs
and only supports 4.2 or newer, but also only requires "Camera: take pictures
and videos" permissions and simply exists as a widget (on/off).
[https://play.google.com/store/apps/details?id=com.flashlight...](https://play.google.com/store/apps/details?id=com.flashlightwidget)

------
wankerrific
Look - it's just a crappy permissions system in the OS. I'm looking at my app
and we have all these scary-sounding perms:

    android.permission.WRITE_EXTERNAL_STORAGE ==> needed to write images to external storage
    android.permission.ACCESS_NETWORK_STATE ==> pretty much anything that needs to have a working internet connection
    android.permission.READ_PHONE_STATE ==> link tracking
    android.permission.GET_TASKS ==> crash reporting
    android.permission.READ_LOGS ==> also crash reporting but probably doesn't work in 4.3
    android.permission.GET_ACCOUNTS ==> Google Cloud Messaging...seriously
    android.permission.WAKE_LOCK ==> also GCM

etc.

And when you add ad networks it gets worse. And, they also pay more for
gender, location, and age so that's why everyone wants you to sign in with
Facebook, etc, because otherwise you can't pay the bills.

I don't know why this is a big deal. Isn't Google already vacuuming up this
information from their Android users anyways via "Google Play Services"?

------
001sky
(1) It's free. You're fucked.

On the other hand,

(2) Why aren't these people put in jail?

~~~
ctdonath
(1) When it's free, you're probably not the customer - you're the product.
Hard lesson for most people. Pay a little and be the customer.

(2) Every single user was asked for permission to access the information, and
they all gave their approval. Give your consent to (1b) because of (1a), and
(2) isn't an option.

~~~
001sky
The article outlines how the company asymmetrically broke its own terms of
service. So there was no consent under (1). I don't disagree with you that
it's better to pay and avoid giving consent in the first place, but even then
what would be the difference? That's the deeper issue...

------
casca
For those on a jailbroken iPhone, firewallIP[1] is the best way to control
apps' access to the network. Every time a network connection is requested, you
get a system popup that controls access to individual destinations, wildcards,
whatever.

As long as there's nothing equivalent for Android (after Whispercore was
shelved), I'm stuck on IOS.

[1]
[http://yllier.webs.com/firewall.html](http://yllier.webs.com/firewall.html)

~~~
shrikant
Android Firewall doesn't do what you want?

[https://play.google.com/store/apps/details?id=com.jtschohl.a...](https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall)

~~~
casca
Sadly not. For example, for an individual app I might want to block access to
the analytics services like Flurry but allow access to necessary services.

------
mukundmr
I really wonder how much companies earn by selling information about their
customers, their contacts lists, their location, etc. Is it that lucrative?

------
JoeAltmaier
So, their penalty is, promise to not do it again? That's it? Not, for
instance, erase all the data and pay a fine?

------
ricg
I always wonder what is going on when the YouTube app wants to access the
microphone while I'm browsing videos.

------
salem
So apparently there was no fine. Amazing.

[http://www.usatoday.com/story/tech/2013/12/06/ftc-flashlight...](http://www.usatoday.com/story/tech/2013/12/06/ftc-flashlight-app/3889949/)

------
jgalt212
This is why, from the consumer perspective html5 apps must win, but from the
producer perspective they won't.

For example, it's much easier for a company to spam your entire address book
using a native app than using a web interface.

------
rcthompson
If you have root in your Android device, there's a nice app called LBE Privacy
Guard, which lets you selectively deny specific permissions to specific apps.

------
amouat
"But this flashlight app left them in the dark about how their information was
going to be used"

Is the joke intentional?!

------
emmelaich
Some flashlight apps come with the phone and are system -- uninstallable,
start at boot, access to everything.

~~~
Crito
Are there any that abuse that position, and if so, who is selling these
phones?

~~~
andymcsherry
If they are included on the device, they're usually meant to enhance the
experience of the phone. Also, as of Android 4.0, you can disable system apps
if you choose. If the hardware maker really wants to spy on you, I'm sure they
could do it without including a flashlight app.

------
samweinberg
There are laws against this, right?

------
CalRobert
TANSTAAFL

------
xyver
nothing to hide, please find me i may be lost!!

------
static_typed
My old Nokia phones had a flashlight mode built in, very quick to activate and
use, not as a separate app. Even if it does need to be an app on Android, at
least include it in the base or core, as it is such a popular and useful thing
to have.

~~~
phyalow
Because Goog wouldn't want to be responsible for burning out a user's camera
flash. Old school Nokia phones are GOAT and had special tested LEDs that
obviously wouldn't expire after 20mins of run time.

------
twobits
The whole permissions thing in android is just a smoke screen. A talking point
about giving power to users, respecting them, etc.

