
This was indeed discovered because, as per GDPR, they had to specify why they were using the mic and GPS. As soon as the update hit the store (after the GDPR entered into effect) and some users saw the changelog and user permission requests disclosing this use, it started to hit the news here in Spain.

The Spanish regulator, AEPD, has stated that preliminary steps to begin an official investigation are being conducted already: https://twitter.com/AEPD_es/status/1006115567227559936

For those who understand Spanish, here's a good technical analysis: https://reversecodes.wordpress.com/2018/06/12/analizando-la-...

Thanks for sharing! Entertaining read.

The app uses rot(4) to obscure data, includes a debug link with the collected data, and has the Fluzo service API key hardcoded, among other gems.

Of course the API key is hardcoded... how else would the app contact the server?

At some point the app needs to have some credential hardcoded, but you can make it more obscured by getting the API key from your own server with some kind of challenge/response. This makes it easier to rotate third party API keys and cut off unauthorized usage, by including information in the challenge request that could be used to correlate unauthorized requests.

Your hardcoded credential could then become a cryptographic key that you could rotate on app updates.

I am not sure how many apps actually go through this trouble.
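The scheme this comment sketches, as an added example that is not from the thread or from any real app: the build ships only a per-build signing key, asks its own backend for a nonce, proves possession of the key with an HMAC, and only then receives the third-party API key. The key values, build ids and TTL are constructed for the example; revoking a build or rotating the third-party key happens server-side without an app update.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample keys; the app ships one entry of APP_SIGNING_KEYS per build,
# never the third-party key itself.
APP_SIGNING_KEYS = {"build-41": b"k" * 32, "build-42": b"z" * 32}
THIRD_PARTY_API_KEY = "THIRD-PARTY-KEY-PLACEHOLDER"
CHALLENGE_TTL = 60  # seconds a nonce stays redeemable


def sign(key, build_id, nonce):
    # Both sides compute the same HMAC over the build id and the server nonce.
    return hmac.new(key, f"{build_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


class KeyServer:
    """Your own backend: hands out the third-party key only to builds it recognises."""

    def __init__(self, build_keys):
        self.build_keys = dict(build_keys)  # build id -> signing key; drop an entry to revoke
        self.pending = {}                   # nonce -> (build id, issued-at)

    def challenge(self, build_id):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (build_id, time.time())
        return nonce

    def redeem(self, build_id, nonce, proof):
        issued = self.pending.pop(nonce, None)  # one-shot: a replayed nonce fails
        if issued is None or issued[0] != build_id:
            return None
        if time.time() - issued[1] > CHALLENGE_TTL:
            return None
        key = self.build_keys.get(build_id)     # unknown or revoked build -> no key
        if key is None or not hmac.compare_digest(sign(key, build_id, nonce), proof):
            return None
        return THIRD_PARTY_API_KEY


def fetch_api_key(server, build_id, signing_key):
    """Client side: get a nonce, prove possession of the build's key, receive the API key."""
    nonce = server.challenge(build_id)
    return server.redeem(build_id, nonce, sign(signing_key, build_id, nonce))


def revoke_build(server, build_id):
    # Cut off a build whose signing key leaked; no client update needed.
    server.build_keys.pop(build_id, None)
```

Because every redemption names the build id, the server log of challenges also gives you the correlation data the comment mentions for spotting unauthorized use.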

You mean they were using the mic to see if you were watching the game?

Yes. Then, they would try to pinpoint your location and if you were watching the game at a bar that doesn't have a license from them, they would sue the owner.

Now that they need your consent, they have named this feature "protect your team!" since the teams get royalties from bar licenses...

