Good point! Does the intent system allow for a cross-intent permission misappropriation? With the proliferation of ad-supported apps on Android, this would be quite troubling.
It does, in that you can send any information you want from one app to another.
But there are two reasons it doesn't make sense to me:
1) This is a huge violation of trust - Google specifically says that you shouldn't collect information just to add it to the ad request.
2) It is not enough that the app where the information comes from also uses AdMob, it has to be signed by the same key as the app that is reading the information. That is only possible if both apps were developed by the same developer.
Mobile-App Makers Face U.S. Privacy Investigation: http://online.wsj.com/article/SB1000142405274870380630457624...
In it, the Journal reported:
The Journal tested 101 apps and found that [...] in Pandora's case, both the Android and iPhone versions of its app transmitted information about a user's age, gender, and location, as well as unique identifiers for the phone, to various advertising networks. Pandora gathers the age and gender information when a user registers for the service.
As far as I know, the Journal stands by their story. The location pushing Tyler details was found in the bundled AdMob code, which does check for ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION. While it would seem to be relying on the bundler to request those, I wonder if there isn't something going on that allows AdMob to grab location information if another application that uses the AdMob code has requested it. Android applications can expose public or private (same signer) APIs to other applications on the same device, and send whatever data out of them they have access to.
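Added example, not part of the thread and not code from any app discussed in it: a small Python audit of an `AndroidManifest.xml` that reports which location permissions the host app requests (bundled library code runs in the host app's process with those same permissions) and whether each exported component is reachable by any app or only by same-signer apps. The manifest, package name and component names are constructed, and only components with an explicit `android:exported="true"` are considered.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LOCATION = {"android.permission.ACCESS_COARSE_LOCATION",
            "android.permission.ACCESS_FINE_LOCATION"}

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <permission android:name="com.example.radio.READ_PROFILE"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".ProfileProvider" android:exported="true"
              android:readPermission="com.example.radio.READ_PROFILE"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Summarise location permissions and cross-app exposure of a manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Permissions this app declares itself; protectionLevel defaults to "normal".
    declared = {e.get(ANDROID + "name"): e.get(ANDROID + "protectionLevel", "normal")
                for e in root.iter("permission")}
    exposure = {}
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if comp.get(ANDROID + "exported") != "true":
                continue  # not explicitly exported: skipped by this audit
            guard = (comp.get(ANDROID + "permission")
                     or comp.get(ANDROID + "readPermission"))
            if guard is None:
                level = "any-app"        # no permission guards the component
            elif "signature" in declared.get(guard, "unknown").split("|"):
                level = "same-signer"    # caller must share the signing key
            else:
                level = "permission:" + guard  # any app granted this permission
            exposure[comp.get(ANDROID + "name")] = level
    return {"location_permissions": sorted(requested & LOCATION),
            "exposure": exposure}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
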