admin on March 10th, 2009

data send out to pinch media

While developing an iPhone App I ran accross Pinch Media. This company is offering free “application usage statistic tools” for iPhone developers. All you have to do is register and integrate a library provided by Pinch Media into your iPhone app and you get live statistics of your application’s usage (sorted by country, time of usage, iphone/ipod type…) on the Pinch Media Website. Sounds pretty good, huh?

I tested Pinch Media’s offerings and found out:

  • Every time you quit an application that integrates Pinch Media, the following data gets transferred to Pinch Media: iPhone UUID (the unique ID of your iPhone), Iphone Software release, iPod/iPhone version, a timestamp when application usage started, a timestamp when application usage ended and (if you allowed it) the longitude and lattitude values of your position. You can see the detailed data that gets send out to Pinch Media in the graphic to the left.
  • If no active internet connection is detected, the usage data gets saved to an sqlite database for every  session. The next time there is an internet connection available all that data gets send out to Pinch Media servers (beacons.pinchmedia.com).
  • This all happens in the background. The user has no clue that data is send out to Pinch Media.

I got curious how many applications in the App Store already integrate Pinch Media. I did a quick check on my iPhone (such a check works only on jailbroken-phones, look for the pinchmedia subfolder in Documents of each applications)  I have currently 30 3rd party applications installed. 9 of them integrated Pinch Media. Your mileage may vary, but it just shows that a lot of applications seem to use Pinch Meda already. Just to note: None of these apps mention anywhere that they are sending out data to 3rd parties (Pinch Media).

While I can see the huge benefit of Pinch Media for me as an application developer, I decided not to integrate it.

Here is why: I have a problem with applications sending out private data to 3rd parties in the background, while the user has no clue that this is happening. Whatever Pinch Media uses this data for (I guess advertising-their other  service), I think its not good practice. While many people are afraid that Google is collecting lots of data, it seems regarding iPhone Applications Usage statistics there is already some other “Big Brother”. The “Pinch Media Analytics Tools” for iPhone Applications are comparable what “Google Analytics” is for Websites. But there is a big difference: You can easily find out, if a website uses Google Analytics by just looking at the HTML source; but thats hard to do with iPhone applications.

While people are critical about what’s going on on their desktop computers (applications phoning home etc.) and can block those activites with firewalls, this awareness seems to be missing when it comes to SmartPhones until now. If you are on a celluar network you have no control to block (e.g. by a firewall) what the application is doing and which servers it is sending data to. You have to trust the application developer, that the application is doing what was announced. As 3rd party applications on smartphones have just started to emerge, this is for sure some problem that has to be solved in the future. Until then developers should explicitly announce somewhere in the application description, if they send out data to 3rd parties and give the user an option to turn this behaviour off.


23 Responses to “Is Big Brother listening in on many iPhone Apps?”

  1. Hendrik,

    I wouldn’t think of us as ‘Big Brother’ – we’re just a small business with a handful of developers, not a large governmental organization. But I want you to know that we take privacy pretty seriously at Pinch Media.

    When it comes to user consent, it’s interesting that you mention web analytics. When a user appears on a web page, they might be able to easily find out that an application is using Google Analytics, but they have no opportunity to consent – simply by arriving on the web page, the JS call is made and the cookie is sent. The only way to avoid consenting is to shut off JavaScript and cookies, impairing the functionality of the web as a whole. Applications are different – on the iPhone platform, the user consents to the use of data as part of Apple’s standard End User License Agreement, which is agreed to before any applications are installed. This agreement gives the application provider the ability to use non-personally identifying information from the device to improve its products or services. So on the iPhone, unlike web analytics, consent has already been given. (On other platforms, without the same EULA, we’ll be requiring developers to get consent in advance.) We do have many developers who mention Pinch Media in their own terms of service or product support materials.

    You might wonder if the data we collect is ‘personally identifiable’. There’s two pieces of data worth discussing – the UDID and the latitude/longitude coordinates. The UDID is tied to a specific phone, but can’t be traced back to a user’s identity – we’ve got no way to get your name or address from it, even if we wanted to, which we most certainly do not. The latitude/longitude coordinates are used only to provide high-level aggregated geographic reporting. So the application developer might learn that he has nine users near Berlin, but never anything about any individual. We also don’t let application developers send back personally-identifiable information using custom actions – in fact, we’ve turned people away who’ve wanted to do this. There’s not a single user’s phone number, name, or e-mail address stored in our system, and there never will be.

    The data isn’t used for any nefarious purpose – instead, it’s used much like web analytics, so developers can understand how their applications are being used and improve their businesses. We’ve thought of using the data for advertising – for instance, since there’s a subset of users that never buy paid applications, we could never show ads for paid applications to them, saving the advertiser some money. But we simply haven’t done this, since ad targeting on the iPhone remains pretty primitive.

    I’ve thought quite a bit about how to best provide an opt-out that won’t be worse than the problem it solves – we care about privacy at Pinch Media, but we also have to balance these concerns against the user’s overall experience and the accuracy of our statistics. Our experiments with asking for consent via an initial pop-up on first load didn’t satisfy the users, the application developers, or us. We’d happily listen to suggestions in this area.

    Regards,
    Greg Yardley
    Co-Founder, Pinch Media

  2. Greg,

    I think it would be only reasonable for Pinch Media to offer the option to “opt out”

    On the Mac there’s a program called Little Snitch that at least give some control as to apps that want to phone home.

    I hope you’ll reconsider your methodology.

  3. Greg,

    As Vincent says above, and as Hendrik elaborated earlier, the only reasonable option is to provide transparency to the user and allow them to opt in or out. Anything less is spyware.

    Regardless of your intentions, your software as it stands absolutely falls into the category of spyware. It is secretly monitoring what a user is doing and reporting back to a 3rd party. That is unacceptable.

    For anyone reading this post, if you want to ensure this type of activity doesn’t spread like wildfire you need to start blogging about it and getting the word out. We also need to start encouraging iPhone developers for something similar to Little Snitch for iPhone/iPod Touch. ObDev, are you listening?

  4. There should *definitely* be an opt-out option.
    I think that one simple yes/no pop-up when you first load an application would be a minor inconvenience to users. Application developers using Pinch Media have no reason to be ashamed of wanting to gather data to help them improve their application, but should not be doing so secretly.
    The UDID is not as anonymous as most IP addresses (per-device rather than per-location), and combinded with location data can build a revealing picture of a user.

    Most users would click OK anyway (most users always click ‘OK’), but those that don’t want to have applications phoning home without their knowledge should be able to block it.

    Is there a list anywhere with all Pinch Media enabled applications? If not, why not?

  5. Its just an analytics tool. You should be equally angry at every site using google analytics. In fact I was subject to spyware on visiting your site. Upon some investigation I found this malicious piece of code reporting all of my actions to some server.

    var gaJsHost = ((“https:” == document.location.protocol) ? “https://ssl.” : “http://www.”);
    document.write(unescape(“%3Cscript src='” + gaJsHost + “google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E”));

    Call the EFF! This is an outrage. This “Google” knows everything thing I did on your blog! What about the children!

    Relax.

  6. Simple solution: leave negative feedback for every app that does this. If enough people care about this (and just a few percent would be enough) this would drive the app developers away from pinch in a hurry. Just look at the ruckus around the digg bar…

  7. John, your solution is simple, but there currently seems to be no way to know which applications are using Pinch Media.

  8. Why not decrease the resolution of the coordinates that you send out? Do you really need to know the precise lat/lon?

    This all seems like a huge, unnecessary drain on the battery anyway.

  9. Mr Yardley seems to be scouring the net for posts on his spyware campaign, and trying to mitigate the damage by posting overly long expositions over why he’s right and we’re all making too much of his underhandedness. I’m sure actually that quite a few developers have thought about writing this sort of stats collection software before, but I guess their morale benchmark was at least a little shy of ‘scumbag’.

    @John, I’m leaving negative feedback on the App store for every app that has pinch media spyware installed.

    @Michael, you need to jailbreak your phone, and run this from the terminal: “find -name pinchmedia -ls” from your mobile user directory. Example:
    iPhone:/private/var/mobile/Applications root# find . -name pinchmedia -ls
    207390 0 drwxr-xr-x 2 mobile mobile 102 Apr 21 17:04 ./0F90F0BA-F02F-4A47-B196-BB22237A1898/Documents/pinchmedia
    155483 0 drwxr-xr-x 2 mobile mobile 102 Apr 11 08:16 ./20EDC90D-7A15-4AF7-8259-0425AF50E3A0/Documents/pinchmedia
    219169 0 drwxr-xr-x 2 mobile mobile 102 Apr 21 16:22 ./5ABE1A71-5BEF-44B9-BB7B-2E12265F043C/Documents/pinchmedia
    etc…

    If you want to know what each app is thats ‘infected’ you need to change into the directory (I did this in terminal on my mac after connecting to my iphone – it’s so much easier) and list the contents. The application name will be one of those files. It’s not easy for a non techie guy, I guess I gotta write an app for cydia that can find them for you, and disable pinch in the app (or fake the data, that would make it real cool Greg, don’t you agree? Thousands of bad datas on your drives… lol).

  10. @mr yardley:

    I do not care for your opinion. I also have read your post elaborating about why you do it. This data is private and if I had known this before, I would not have installed any apps which do this. This is just spyware and you know it! If it walks like a duck, talks like a duck…, you know the drill. (Private) data is being sent without me knowing it and thus without consent. The story would have been different if indeed there was an opt out at start-up as mentioned before. But as it is, there is not and no matter how many words you use to describe it, it is just spyware and needs to be treated as such.

    @john:
    I will!!!just as soon as I find out which apps do/use this.

    @Honza:

    Thank you very much for the information. Even though I am prety far from a techie/programmer… I will try my best to block everything that relates to pinch media. Or even better, I really hope you will be able to write an app for cydia which either fakes the data or doesn’t send anything at all.

    As for me, I will, if I am allowed, post this page/link on all sites I know of where Iphone users come together. And I do whish there will be something similar to little snitch for the iphone also. And noscript etc. etc.

  11. Greg,

    On my computer it is trivial to be able to stop google analytics from doing their spying. I simply install a browser plugin that allow me to decide what domains can run scripts. However, on the iPhone there is no option for this unless you jailbreak (this is another reason the FCC needs to allow the DMCA exemption – but that’s a separate issue).

    As far as not having personally identifiable information, the fact is that as soon as I use an app that requires registration of my name or email address then my UID could be associated with my identity by the developer of this app. What’s to stop you from gathering this information from developers? Even if you don’t have my name, the UID might as well be my name. In fact, I’m thinking about legally changing my name to my iPhone UID… Pinch is definitely spyware.

  12. Can someone list provide a list of applications that use Pinch Media so I can erase that shit?

  13. To anyone that tries to equate my computer usage or phone usage to internet website statistics is an absolute idiot..

    The internet is much like being in public, you can be watched, monitored and bla bla bla, you may not like it, but you can’t do much about it but there are simple things to do to prevent how easy that information is accessed.

    My computer usage and iphone usage is a different matter, they are my private places, what I do on my computer is no one elses business, I don’t care what they think they can do, if I don’t want an app contacting anything, I wont let it.

    Same thing on my iphone, its my private place, what I do and when I do it is no one elses business, let alone some third party AND without me knowing about it.

    Shameful that this has happened, hopefully it’ll be stopped quickly.

    I would love a way to know which apps are using this spyware so I can remove it and leave a rude review.

    We need a list

  14. You guys are paranoid and concerned about iPhone apps profiling you…

    What about everything/everyone else?

    -Do you guys always pay with cash instead of credit cards?
    -Do you avoid using an ISP to get online?
    -Do you avoid making calls on your cellphones?

    Data is being created and retreived, whether you like it or not.

    Most websites, regardless of you having an account there or even having a chance to read the TOS/Privacy Policy, are logging your IP Address and creating cookies to keep track of you. No one is complaining about that?

    Is anyone writing to Google to notify them that they don’t like the idea of Google not providing an option to prevent their IP from being logged or a cookie being set? Sure, if you have an account, there is an option to disable the saving of your web history…but is there really? or is it more like an option to just prevent you from seeing it to give the sense that it is not being recorded?

    The bottom line is you are pretty much always creating data somewhere nowadays, unless you live out in a cabin in the woods without electricity etc….heck even then google maps might spot you?

  15. http://www.pinchmedia.com/blog.....wwdc-2009/

  16. @ Greg Yardley.

    Your spyware is unacceptable. Your explanation fails for the following reasons:

    1) Web site stats about a visitor is info the server already knows about so it’s pointless trying to draw this analogy. The visitor IP, the pages they view, the browser they’re using, their resolution and so on is immediately available to the web server. Things like cookies passed via JS just help the server link stats together (with HTTP being a stateless protocol).

    2) If this is for aggregated info only, why is the lat/long sent precisely? Restricting it to the nearest 100m for example at the very least before it’s passed to your server is not hard to do. Many decent location aware social apps do this.

    3) The device identifier is private info and you have no right storing this on your server without the user’s consent. An app developer using your service only need concern themselves about stats for their own app, not about others apps on the same device. Therefore you do not need a unified identifier for this and you don’t have to worry about the technicality of sharing the same ID between apps either. The only thing you have to identify is the app instance itself. For this, the first time the app is run, it sees it has no ID assigned so requests one from your server. This is all you need to do. There is no reason or excuse beyond this.

    It shouldn’t take mass action to force you to fix these things. If you really cared about user privacy, which is absolutely key in a service like this, you’d have done it upfront.

  17. @ Greg Yardley.

    Your spyware is unacceptable. Your explanation fails for the following reasons:

    1) Web site stats about a visitor is info a web server already knows about so it’s pointless trying to draw this analogy. The visitor IP, the pages they view, the browser they’re using, their resolution and so on is immediately available to the web server. Javascript is usually used if the stats software is running on a different server, but this is a behind the scenes convenience to save the site owner installing the stats on their own server. If they installed it themselves then Javascript isnt needed. The point is, this is info passed to the server by default.

    2) If this is for aggregated info only, why is the lat/long sent precisely? Restricting it to the nearest 100m for example at the very least before it’s passed to your server is not hard to do. Many decent location aware social apps do this.

    3) The device identifier is private info and you have no right storing this on your server without the user’s consent. An app developer using your service only need concern themselves about stats for their own app, not about others apps on the same device. Therefore you do not need a unified identifier for this and you don’t have to worry about the technicality of sharing the same ID between apps either. The only thing you have to identify is the app instance itself. For this, the first time the app is run, it sees it has no ID assigned so requests one from your server. This is all you need to do. There is no reason or excuse beyond this.

    It shouldn’t take mass action to force you to fix these things. If you really cared about user privacy, which is absolutely key in a service like this, you’d have done it upfront.

  18. 4. Consent to Use of Non-Personal Data.
    (a) You agree that Apple and its subsidiaries may collect and use technical and related information, including but not limited to information about your iPhone, computer, system and
    application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the iPhone
    Software, and to verify compliance with the terms of this License. Apple may use this information, as long as it is in a form that does not personally identify you, to improve our products or
    to provide services or technologies to you.

    (b) Apple may provide certain services through your iPhone that rely upon location information. To provide these services, Apple and its partners may transmit, collect, maintain, process
    and use your location data, including the real-time geographic location of your iPhone. By using any location-based services on your iPhone, you agree and consent to Apple’s and
    its partners’ transmission, collection, maintenance, processing and use of your location data to provide you with such services. The location data is collected in a form that does
    not personally identify you. You may withdraw this consent at any time by not using the location-based features. Not using these features will not impact the functionality of your iPhone.

    source : http://images.apple.com/legal/sla/docs/iphone.pdf

  19. I would love to say this is unbelieveable, but it’s not. There are a billion trash apps out there that people load for no reason, and little do they know that all this data is being sent out about thier habits and NO ONE IS TELLING THEM THAT THIS IS HAPPENING.

    A database should be created to showcase the apps that are using this disgusting technique. I had 2 apps on my iPhone with this garbage in it and I removed them.

    Then I reinstalled one of them, and I’m hacking the sqlLite database to send up garbage information. Hell I’m considering making a JB application that garbage-fies the sqllite databases, skewing all the data to complete uselessness.

    I despise companies like this.

  20. I just happened to stumble across this blog. It just so happens my entire blog is about iPhone applications that “phone-home”.

    You can see it here at : http://i-phone-home.blogspot.com/

    Further to this, I maintain a hosts entry, present a breakdown of each applications traffic and even run a Cydia repo which keeps you up to date and install’s a host file specifically to block this type of traffic.

    If you are concerned, do take a minute to read the blog and spread the word. We have had some marginal success also, after some discussions with one of the Top25 iPhone App developers we were able to convince them to remove PinchMedia from their applications.

    Cheers
    0th3lo

  21. Hi, what tool(s) did you use to view what data is being sent? I’d be curious to know. Thanks, –th

Trackbacks/Pingbacks

  1. Pinch Media: Statistics your iPhone apps may be sending back home | Sugar Mob
  2. Børge (forteller) 's status on Saturday, 22-Aug-09 20:59:22 UTC - Identi.ca

Leave a Reply

You will be able to edit your comment after submitting.