(Created an account to post this) I downloaded the app on android and listened to a few songs on Spotify to find out what information was being sent.
While the app is running, the app sends a HTTP (edit: HTTPS) request every time the track information changes or the volume changes.
When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.
Every request includes standard meta-data such as
* An _anonymous-id_
* Device serial number
* Information about whether wifi or cellular are connected and carrier name
* Device name, model and manufacturer
If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)
1. What's the estimated bandwidth impact of this data collection? Many users have very limited data use, and chatty messages on play/pause/volume change wouldn't be appreciated.
2. HTTP or HTTPS?
3. How does it work with other apps (like Google Music) that might provide more music details? Like does it send more information when the id3 tags have all the fields filled in? Things like comments, encoding, etc might also be transmitted. Streaming services like Spotify probably try to trim that as much as possible, but local files could have a lot more data.
4. Can you see anything about the anonymous id that might make it not that anonymous? I mean, the device serial number alone kind of defeats an anonymous id. But there's been a fair amount of work in reidentification of anonymous data, and many developers take shortcuts when generating their "anonymous" data. (https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...).
5. It's sending this data in the background, correct?
6. What does it send (if anything) during calls, emails, texts, map navigation, and voice commands?
1. From the data I collected, the content of each message of is roughly 1000-2000 bytes. This is not much on it's own but over the course of a day it could end up. It appears as messages are queued and send in bulk when applicable, therefore I can't comment on bandwidth over time as the app may chunk its request. It may not even send messages when the screen is closed.
2. Everything is secured with HTTPS! All the analytics messages, messages to boses servers and firmware checks are all over HTTPS (The firmware file its self is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed)
3. A good question that needs further investigation :)
4. The anonymous id doesn't have any glaring information at least not immediately from the analytics platforms documentation https://segment.com/docs/spec/identify/ however yes the other meta-data defeat the purpose of an anonymous id.
5. It is definitely sending the data while the app is in focus, and i believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.
I'd be really curious to see how this data is actually used on their end. I got my QC35s a few months ago and have been loving them, but was super disappointed when I read the article. I'll probably end up uninstalling the app for the time being, at least until it's resolved.
On another note, I wonder if any other wireless audio manufacturers are doing similar things.
I've been thinking about getting these. Does the app do anything particularly useful (I.e. Any important features I'd be missing out on by not having it)?
As a side note. I can imagine why they'd want this information. Seeing what people are listening to and what volume settings are commonly being used would potentially help them tune future products better for their "average user"
The app allows you to use 1 headphone as a relay to another bose bluetooth headphone to play music from the same source, as well as firmware updates, renaming the device name the headphone appears as under bluetooth and finally changing the language of the voiceover (which announces things like device connections and low battery)
I concur. Have and love QC35 (got them on right now). I only downloaded the app to test some settings change, I think. It's not particularly useful for anything else. Since I don't have to use it to pair, I'm not sure how I'd know when it was "running" or not, short of manually killing it in the iOS task launcher/killer thing. Time to just uninstall.
In this case I used fiddler, all I had to do generate a custom root certificate (Be warned this is not a good idea in general, look up super fish if you want an example of why installing custom root certificates can be bad), install that certificate on my device and then proxy my device through the computer running fiddler.
I recall older versions of one of those (forget which) generated a non-unique custom certificate, meaning anyone who had used it could be MITM'd with the same cert. It was changed later on, but it's a risk if you go with something poorly designed.
I have used the approach of installing wire shark on a pc operating as an access point, and it was easy enough to set up assuming you have the requisite equipment.
This kind of interception is quite easy to setup with https://mitmproxy.org even for https requests and on iOS as well. (I'm not affiliated but have just used the software before for a similar task)
While the app is running, the app sends a HTTP (edit: HTTPS) request every time the track information changes or the volume changes. When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.
Every request includes standard meta-data such as
* An _anonymous-id_
* Device serial number
* Information about whether wifi or cellular are connected and carrier name
* Device name, model and manufacturer
If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)