September 22, 2014

Android security warning: SoundHound transmitting user location and Google account information


We’ve just gotten a tip about a potential privacy issue with the SoundHound app, a popular music service that users can download from the Market. Apparently, the app transmits a user’s exact location, along with unique device IDs and Google account information back to SoundHound’s servers, and potentially to third-party servers, when the app starts. This also occurs when the device is rebooted, provided that the user has a SoundHound widget on their homescreen. Now I don’t use SoundHound on any of my devices, but this is a major privacy issue.

Not only does this affect users that have installed SoundHound, it also applies to devices that have the service preloaded. One reason this is a big issue is that SoundHound does request GPS access in the Market, but fails to notify users that it’ll be forcibly transmitting their location to remote servers. Now, there is a note in the description that says:

Note: Location is used to store where songs were discovered. It can be disabled from the Options menu.

While this is true, the note defeats its own purpose: users have to open the app to disable this feature, and opening the app is what triggers the transmission of their data. SoundHound’s own privacy policy confirms that they reserve the right to share this information with third parties:

When you use the SoundHound applications, your mobile device supplies a unique identifier, which we use to associate search results, your bookmarks, and other information with your device. We improve the relevance of information provided in the applications using location information provided by your device, which you can choose to turn off. If your browser supplies location information (determined by your browser settings), we may use that information to improve the relevance of information provided by the web site. Content provided by advertisers and other third parties may be personalized in a similar manner.

Furthermore, this transmission of personal data also contradicts another clause in its privacy policy:

Consistent with the federal Children’s Online Privacy Protection Act (COPPA), we will never knowingly request personally identifiable information from anyone under the age of thirteen (13) without requiring parental consent. Any person who provides their personal information to SoundHound through the web site or applications represents that they are 13 years of age or older.

So, if you have SoundHound installed on your device, this might be something you should look into. There’s no logical reason that the app should collect and transmit personal data like this without the user’s consent. The transmission is inevitable, because users have to open the app to disable it in the first place. Something fishy is definitely going on with SoundHound. We’ve submitted an inquiry to SoundHound about this issue, but they have yet to respond. More on this as it develops.

Does this concern you? What other apps do you think could be transmitting your personal data without your knowledge? Sound off in the comments!

Thanks to Simon for the tip!
