FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."

Permissions?

[Anonymous Coward]

Who gives a flashlight app permissions to access location, internet, flash drive, etc?

Re:As a user

[MachineShedFred]

I think at this point, the default mode for most Android users is to just allow, as most apps have a laundry list of things they want access to. It's probably the second-least read message from an app install of all time (first being the EULA).

No, that is not wise. But people aren't always wise.

Some Hammer

[TubeSteak]

No civil fines.
No criminal penalties.
No admission of guilt.

Don't be Naive

[A10Mechanic]

This is just the tip of the dirty iceberg here. Thousands of apps do this and far worse for your privacy. Caveat Emptor

Why can't they copy this from iOS?

[dingleberrie]

I have an iPhone 5 and a Nexus 7.
When I download an app on the Nexus, I always feel an uneasiness as I look at all the access it wants to my contacts and other invasively unnecessary permissions. So each time I must make a decision to accept or reject using the app. I've rejected some that just seem overreaching, but I've become less strict over time... like I'm accepting to lose a battle. I assure myself, that my phone has all my real contacts, not my Nexus 7 and then begrudgingly accept the conditions. This is one reason I will not use an android phone and why I rarely download apps on android.
http://yro.slashdot.org/story/13/12/06/1452241/ftc-drops-the-hammer-on-maker-of-location-sharing-flashlight-app# [slashdot.org]
iOS, for those that don't know, will let me decline permissions to track my location or share my contacts on a per-app basis. Even if I enabled it before, I can go into the control center and disable it. I don't benefit from that aspect of the iOS app, but I'm fine with that. For all the control that Android is supposed to give the user, iOS shines here and I wish that is one thing that Android would copy.

The true cost of free

[sinij]

As someone that used to work with mobile security - this is tiny minority that got caught. If you carry your mobile phone with you, then you have no reasonable expectation of privacy. Treat your smartphone as a combination of public WiFi and a court-assigned GSP tracking ankle bracelet.

Re:So No One Thought It Odd

[Mr_Silver]

Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?" And third, lazy developers have no incentive not to request every priv in the model.

Not to mention that although for a very basic app (like a flashlight one) it is possible to spot a nefarious permission, once you start looking a much more feature-rich app then it gets very difficult for users to work out the validity of the permission requested.

For example, a mobile banking app wants your location. Is this because:

1. It's sending location data to a server to track you?
2. It's sending it to third party companies for location based advertising?
3. It wants that information so it can tell you where the nearest ATM or bank branch is?

Re:This app never seemed necessary

[safetyinnumbers]

I just hold down the lock switch for a second to turn on the LED, it's a built-in feature on my Nokia.

But why doesn't Android sandbox apps in a way that the app is unaware of? Just present all apps with an empty contact list, a fake GPS location, an empty drive, etc and the user grants permissions to substitute the real ones as needed. That way, all apps could be installed and you'd get a popup such as "this app wants your location" in a similar way to IOS, only this way the app would keep working if you said no.

Re:This app never seemed necessary

[NoNonAlphaCharsHere]

Apparently you're completely unaware of Google's business model.

Re:This app never seemed necessary

[Solozerk]

The "built-in" torch function you're talking about in CM is an app. It's open source - see here: https://github.com/CyanogenMod/android_packages_apps_Torch [github.com] .

You make it an app because it makes no sense to integrate such a feature directly in the OS/ROM - it would take longer, and that way you can update it and have additional features (morse code flashing, for example).

What baffles me is why people would install an app named "Brightest Flashlight Free" (name sounds like a moron-magnet), which probably require network access and include ads, when there are tens of ads-less Open-Source alternatives in the Google market as well as outside it.

Re: Location obviously needed

[iamhassi]

Have to wonder how many other apps are doing this that have not been caught yet

the missing app

[Tom]

What's obviously missing is a Mock App - something that will satisfy all those requests and provide them with the data they want - fake data.

Sadly, I don't expect Google - whose revenue stream is largely based on advertisement - would make that possible in Android.