December 21, 2014

Android security warning: SoundHound transmitting user location and Google account information


We’ve just gotten a tip about a potential privacy issue with the SoundHound app, a popular music service that users can download from the Market. Apparently, the app transmits a user’s exact location, along with unique device IDs and Google account information back to SoundHound’s servers, and potentially to third-party servers, when the app starts. This also occurs when the device is rebooted, provided that the user has a SoundHound widget on their homescreen. Now I don’t use SoundHound on any of my devices, but this is a major privacy issue.

Not only does this affect users that have installed SoundHound, it also applies to devices that have the service preloaded. One reason this is a big issue is that SoundHound does request GPS access in the Market, but fails to notify users that it’ll be forcibly transmitting their location to remote servers. Now, there is a note in the description that says:

Note: Location is used to store where songs were discovered. It can be disabled from the Options menu.

While this is true, it completely contradicts itself, because users have to open the app to disable this feature. In opening the app, they enable the transmission of their data, which defeats the purpose. SoundHound’s own privacy policy confirms that they reserve the right to share this information with third parties:

When you use the SoundHound applications, your mobile device supplies a unique identifier, which we use to associate search results, your bookmarks, and other information with your device. We improve the relevance of information provided in the applications using location information provided by your device, which you can choose to turn off. If your browser supplies location information (determined by your browser settings), we may use that information to improve the relevance of information provided by the web site. Content provided by advertisers and other third parties may be personalized in a similar manner.

Furthermore, this transmission of personal data also contradicts another clause in its privacy policy:

Consistent with the federal Children’s Online Privacy Protection Act (COPPA), we will never knowingly request personally identifiable information from anyone under the age of thirteen (13) without requiring parental consent. Any person who provides their personal information to SoundHound through the web site or applications represents that they are 13 years of age or older.

So, if you have SoundHound installed on your device, this might be something you should look into. There’s no logical reason that the app should collect and transmit personal data like this without the user’s consent. It’s inevitable that this will happen, because users have to open the app to disable it in the first place. Something fishy is definitely going on with SoundHound. We’ve submitted an inquiry to SoundHound about this issue, but they have yet to respond. More on this as it develops.

Does this concern you? What other apps do you think could be transmitting your personal data without your knowledge? Sound off in the comments!

Thanks to Simon for the tip!



  • http://gpstracklog.com/ Rich Owings

    I don’t really care about the location stuff; they do state that they are doing it. But should I be concerned about the other parts? What Google account info is it sending?

    • http://www.simonjstuart.com/ Simon J Stuart

       They’re collecting your Google Account Info (which I believe refers specifically to your Google e-mail address, your real name, and your display name – if different from real name)

      • Guest

         Simon, what permission does SoundHound hold in order to collect your Google account info?

        (It’s a trick question: SoundHound doesn’t hold that permission.)

        • Guest

          I am not a SoundHound developer but I am a fan and a user. My take on this thread:

          Simon Stuart wants to draw attention and traffic to his blog and is using this as an excuse. Shame on you Simon Stuart. You have no evidence that SoundHound is sending Google account info to their server. Even in your blog you said they “likely” do this so you are not sure, but then you proceeded to write everywhere else that they are actually doing this. Obviously it is to your benefit and benefit of your blog for this to be true so that you become more famous. What if you are wrong? Are you ok misleading the whole world and accusing a great app? As for GPS info, search engines use that info to improve the result of their search.

  • Dazed and Confused

    “One reason this is a big issue is that SoundHound doesn’t even list GPS position data as a permission in the Market”

    What the hell are you talking about?  Both the free and paid versions of SoundHound in the market indicate that GPS Location, Coarse Location and Phone State & ID permissions are required.

    Do you guys not do any fact checking before posting your drivel?  How can you run this as a story without checking the market and before getting feedback from the developers? 

    Your article literally suggests that SoundHound could be accessing the location and phone ID without having the necessary permission; as such you are suggesting that the developers have intentionally circumvented the Android security and permissions framework.  That’s pernicious and in my view libellous.

    Moreover, the “big issue” you highlight is ops normal for any application using any of the major advertising service providers.  Are you going to highlight this as a big issue for the 100k other applications doing the same thing? WTF?  

    Shame on you Justin.  You don’t appear to have a clue…

    • http://www.simonjstuart.com/ Simon J Stuart

       Yes, Justin is certainly in error saying that SoundHound doesn’t have “GPS” in its permissions list (it absolutely does).

      However, I do contest your remarks about advertising service providers.

      The paid version of SoundHound doesn’t display ads at all, thus your argument there doesn’t apply.

      Also keep in mind that SoundHound only state that they pair GPS positions with search history, but in collecting GPS coordinates the moment you start your device, what are they pairing that with? No search has taken place at that time!

      Surely you can understand the privacy concerns raised by an app collecting and transmitting your exact GPS location the moment you start your device? No feature of SoundHound can possibly justify this unnecessary collection of such personal information.

  • http://twitter.com/Oletros Oletros

    “One reason this is a big issue is that SoundHound doesn’t even list GPS position data as a permission in the Market.”
    Have you checked the facts, because this is totally false, the permission is listed
    “While this is true, it completely contradicts itself, because users have to open the app to disable this feature.”
    Where is the contradiction?

  • http://twitter.com/myconoclast Dave

    I’ve never really used SoundHound since in my experience it can’t even identify basic songs that Shazam can find instantly. But I’m concerned that more apps are sending Google account information as an identifier on their servers. In other words, they may have a database of your Google account associated with GPS locations where you’ve used the app. That’s not something I would feel comfortable sharing with third parties.

  • H3ky1

    I use PlaceMask to protect my location.

  • Brian

    I am not an expert on this.. but I just uninstalled SoundHound and asked my friends to do the same. We will not tolerate anything that is happening on our phones without our permission :|

  • Anonymous

    This is standard procedure for any app that gives you personalized ads. It’s extremely easy to prevent this from happening in most cases. Simply avoid any app that says it displays personalized ads. The only time this issue becomes a real problem is if your carrier preinstalls the app on your phone and doesn’t allow the removal of preinstalled apps. Then you may have to spend money that you really don’t have to sue the cell phone carrier for forcing this behavior down your throat. On the plus side, this shouldn’t be an issue at all for any phones running Ice Cream Sandwich.

  • Anon

    I didn’t know that all advertising platforms did this. This is a very useful post for me.

    But… there’s little I can do since both main music identification apps request GPS. 

    Vanilla Android really needs a “selective permissions” model for apps so that we can install apps while denying some permissions.
