Samsung's "free" Jay Z album delivered via Android spyware app
In a promotion for its Galaxy phones, Samsung announced it would deliver a million free copies of Brooklyn rapper Jay Z's new album days before its official release. But it did so using a spyware Android app designed to track your location and harvest phone numbers you call, your device ID and which apps you use.


Source: Google Play
Samsung's free Android mobile app "JAY Z Magna Carta" only works with select models, specifically the new Galaxy S 4, Galaxy S III, Galaxy Note II. But as New York Times music critic Jon Pareles wrote, "It's an ugly piece of software."
Samsung paid $5 million for the early distribution rights of the "Magna Carta Holy Grail" album, which ironically comes from an artist with lyrics that are "indignant about phone surveillance and bribing witnesses," Pareles stated.
The singer's 2010 track "Jay's Back ASAP" complained, "They tap, them feds don't play fair/They pay rats to say that they're part of your operation."
Samsung-style Free and Open
Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album. It does not add the songs to a user's music library.
This includes tracking users' "precise GPS location." The app permissions page is so unnecessarily invasive that fellow rapper Killer Mike tweeted in response, "I read this and... 'Naw I'm cool.'"
I read this and........"Naw I'm cool" pic.twitter.com/x8fXPG1tvC
- Killer Mike (@KillerMikeGTO)
Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there are actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.
Free love, NSA
Pareles added, "it demands permissions, including reading the phone's status and identity." On Android, this includes obtaining a unique device ID that can be used by advertisers like a web cookie (but not erased by the user), but also includes collecting the user's phone number, tracking when the phone is in use on a call, and even "the remote number connected by a call."
In contrast, Apple has been incrementally working to increase users' privacy on iOS, warning developers in 2011 that they needed to stop relying upon iOS users' Unique User IDs because they would no longer be available. iOS 6 removed UUID access, effectively terminating OS-wide user tracking by ad networks.
In place of UUID, Apple's iOS 6 turned the tables to introduce an "Advertising Identifier," which serves as "a non-permanent, non-personal device identifier, that advertising networks will use to give you more control over advertisers' ability to use tracking methods."
I will tell your friends you love us
Samsung's new app "also gathers 'accounts,' the e-mail addresses and social-media user names connected to the phone," Pareles added. "When installed, it demanded a working log in to Facebook or Twitter and permission to post on the account."
In order to "unlock" lyrics within the app, users must tweet out a promo for each song on the album they want to read.
"It's telling that Jay-Z - who boasts regularly about his millions of sales - and Samsung didn't simply trust fans to post or tweet on their own," Pareles wrote.
Additionally, the app also demands permission to "retrieve running apps," which means it can "discover information about which applications are used on the device," another feature Google supports as a common permission on Android apps.
Why Samsung's "free" album app would need to track the GPS location, phone numbers, phone calls, social accounts and installed apps on users' phones is questionable enough, but even more interesting is that Android supports and enforces such invasive "app distributor's rights."
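As an added illustration (not part of the original article, and not code from Samsung or Google), the sketch below audits an app manifest against a least-privilege allowlist for a playback-only app. The manifest, package name and allowlist are constructed assumptions; the permission constants are the standard Android names behind the access rights the article lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: the permission set is an assumption built from the
# access rights the article names, not extracted from the real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.albumplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>
"""

# What each sensitive permission exposes, in the article's terms.
SENSITIVE = {
    "ACCESS_FINE_LOCATION": "precise GPS location",
    "ACCESS_COARSE_LOCATION": "approximate network-based location",
    "READ_PHONE_STATE": "phone number, device ID, call state, remote number",
    "GET_ACCOUNTS": "e-mail and social-media accounts on the device",
    "GET_TASKS": "which applications are running",
}

# Hypothetical allowlist for an app whose only function is streaming playback.
PLAYBACK_ALLOWLIST = {"INTERNET", "WAKE_LOCK", "ACCESS_NETWORK_STATE"}


def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries, in order."""
    root = ET.fromstring(manifest_xml.strip())
    names = []
    for node in root.iter("uses-permission"):
        full_name = node.get(ANDROID_NS + "name", "")
        names.append(full_name.rsplit(".", 1)[-1])
    return names


def audit(manifest_xml, allowlist=PLAYBACK_ALLOWLIST):
    """Flag every requested permission the stated function does not justify."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in allowlist:
            continue
        if perm in SENSITIVE:
            findings.append(("high", perm, SENSITIVE[perm]))
        else:
            findings.append(("review", perm, "not needed for the stated function"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, perm, exposure in audit(SAMPLE_MANIFEST):
        print(f"[{severity}] {perm}: {exposure}")
```

Run against a manifest dumped from a real package, the same check gives a reviewer a short list of permissions to challenge before an app is approved for managed devices.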
Fed-style surveillance on your open platform
"On some level, Jay-Z knows better. A streak of paranoia has been running through his lyrics for years," Pareles wrote, citing a line from "Somewhere in America" that says, "Feds still lurking/They see I'm still putting work in."
"Yet now, it's Jay-Z who's lurking - in my phone," he added. "Another song, 'Nickels and Dimes,' insists, 'The greatest form of giving is anonymous to anonymous.' For the gift of the album, fans aren't anonymous to Jay-Z now. He's another data miner, gathering more than half a million e-mail and social-media accounts. Maybe he should send us an apology."
The app's rollout wasn't without flaw either, Pareles noted. "The app didn't deliver my album for more than an hour after it was supposed to be available. Jay-Z's sponsors at Samsung proved themselves not only intrusive, but technically inept."
With official Samsung Android apps like these, who needs malware authors?
Earlier this week, Bluebox Labs noted a security flaw that can enable anyone to surreptitiously replace a vendor's trusted installed apps with a rogue version that the Android OS can't identify as corrupted, therefore gaining widespread access to spy on the user.
However, given Samsung's first party spyware tool disguised as a free album, users don't have to worry about rogue malware developers snooping on their activities, calls, apps and location. They're already being exploited by their phone's maker and the operating system it runs, which are optimized for data collection and remote monitoring.
Comments
awesome!
Any pre-released free album available from Apple app store? I'll do a search now.
Quote:
Originally Posted by AppleInsider
Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album.
...
Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.
You cannot first say that the "app demands access" to location and contacts, and then turn around a few sentences later and claim that it did not "ask for permission". Obviously it DID ask for permission.
As for being a crap app, I'd agree. It smacks of a newbie developer. It sounds like someone took a sample code framework and accidentally left in a bunch of sample permission lines that probably aren't even used. (Or if they are, then the project manager totally failed in oversight.)
In either case, this is not an Android thing. It's a project management cluster mess.
Quote:
Originally Posted by AppleInsider
Source: Google Play
Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album. It does not add the songs to a user's music library.
This includes tracking users' "precise GPS location." The app permissions page is so unnecessarily invasive that fellow rapper Killer Mike tweeted in response, "I read this and... 'Naw I'm cool.'"
Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.
Whoever wrote this article has never used an Android device before. They are not aware that, unlike an iOS device, before downloading an app the user is greeted by the permissions of said app. That the permissions list what the app can do. Please do not say it's a Trojan horse if you know what it can do.
Quote:
YOUR LOCATION
APPROXIMATE LOCATION (NETWORK-BASED)
Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine approximately where you are.
PRECISE LOCATION (GPS AND NETWORK-BASED)
Allows the app to get your precise location using the Global Positioning System (GPS) or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are, and may consume additional battery power.
NETWORK COMMUNICATION
FULL NETWORK ACCESS
Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PHONE CALLS
READ PHONE STATUS AND IDENTITY
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
STORAGE
MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE
Allows the app to write to the USB storage.
YOUR APPLICATIONS INFORMATION
RETRIEVE RUNNING APPS
Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device.
YOUR ACCOUNTS
FIND ACCOUNTS ON THE DEVICE
Allows the app to get the list of accounts known by the device. This may include any accounts created by applications you have installed.
DEVELOPMENT TOOLS
READ SENSITIVE LOG DATA
Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.
NETWORK COMMUNICATION
VIEW NETWORK CONNECTIONS
Allows the app to view information about network connections such as which networks exist and are connected.
RECEIVE DATA FROM INTERNET
Allows apps to accept cloud to device messages sent by the app's service. Using this service will incur data usage. Malicious apps could cause excess data usage.
VIEW WI-FI CONNECTIONS
Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.
SYSTEM TOOLS
TEST ACCESS TO PROTECTED STORAGE
Allows the app to test a permission for USB storage that will be available on future devices.
AFFECTS BATTERY
CONTROL VIBRATION
Allows the app to control the vibrator.
PREVENT DEVICE FROM SLEEPING
Allows the app to prevent the device from going to sleep.
YOUR APPLICATIONS INFORMATION
RUN AT STARTUP
Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the app to slow down the overall device by always running.
Taken directly from that app. It's not a trojan horse; it's clearly explaining what it can do. Better than an iOS app where the user does not have any info like this unless it wants to use GPS or their contacts.
I swear recently there seem to be a lot of articles on here "stretching". Though, like any site they are after clicks and web traffic I suppose.
The app also apparently has you sign into your Twitter or Facebook. But this just in, if you don't agree with the permissions, don't click "accept". Amazing I know lol.
Quote:
Originally Posted by KDarling
You cannot first say that the "app demands access" to location and contacts, and then turn around a few sentences later and claim that it did not "ask for permission". Obviously it DID ask for permission.
The issue is not confusing. There is a picture in the article that makes it really clear that the app quietly demands broad and unnecessary access before installation in a "EULA" style page users ignore, but then does not ask for permission after installation when it actually accesses your location, contacts, etc.
This was clearly explained in the article. Your ability to be confused says more about you than the article, especially when you know what the situation is and agree that it is ridiculous.
Put simply: an app shouldn't sneakily request nebulous, technically opaque "permissions" as a requirement for installation as Android does. It should clearly ask permission when it wants to do something that the user might not want it to do, in clear language the user can understand, as iOS does.
A better question is: why do you have to throw up a smoke screen of petty, specious arguments about every criticism of egregious flaws in Android? Is it because you want to muddy the water to make everything sound equally bad? Because it isn't.
Android, as implemented by Google and Samsung, is a tweaked version of Java/Linux designed to spy on and harvest data from users while pretending to be "innovative" by throwing out half finished versions of things Apple has worked on for years.
99 problems and spyware is one.
Wow. Knew who the author was just from reading the headline. No need to read the article, actually.
Quote:
Originally Posted by Corrections
Put simply: an app shouldn't sneakily request nebulous, technically opaque "permissions" as a requirement for installation as Android does. It should clearly ask permission when it wants to do something that the user might not want it to do, in clear language the user can understand, as iOS does.
How is it "sneaky" when it clearly says what the app wants access to? Unless you're illiterate it's pretty straightforward.
Originally Posted by Richard Getz
This is actually very scary. A) That Google is so blatantly overt about data mining, and
It's not just creepy. It's Google-creepy (tm).
Quote:
Originally Posted by Apple v. Samsung
Whoever wrote this article has never used an Android device before. They are not aware that, unlike an iOS device, before downloading an app the user is greeted by the permissions of said app. That the permissions list what the app can do. Please do not say it's a Trojan horse if you know what it can do.
Dear copy/paste troll: I love your devotion to an adware/spyware platform, but nobody is confused here. The article clearly says:
"installed Android apps don't have to alert the user or ask for permission"
Once you see a free app and click install, your rights end and Android begins enforcing the adware/spyware's rights.
If you're cool with that, that's fine. Nobody is taking away your Android friend. The point is that throwing some opaque disclosure in a pile of text the user must "agree" to while downloading is not cool with most people. Ever heard of complaints about EULAs?
The open source community used to care before Google came in and dictated that open source was now going to be all about harvesting the "community" for ads. You're just one of the suckers dependent upon an adware/spyware giant to deliver your iOS knockoff.
Quote:
Originally Posted by SalmanPak
Wow. Knew who the author was just from reading the headline. No need to read the article, actually.
Yes, why concern yourself with facts when you can just demonize the blogger who relayed them to you from the NYT?
Yes, the app displays a list of access rights it claims. And certainly everybody reads this and if not, it's their problem. That's why Trojans, etc. are not a problem on PCs anymore. Oh wait....
EULAs and Android's permission request screen are light years apart in length and complexity of terminology. Drawing comparisons between the two is either being ignorant (excusable) or deceitful.
It's interesting how many trollish comments there are on this thread by users with 11, 33, 88 posts.
Newbies all attacking an AppleInsider article. Could just be the latest wave of the misguided "Yay Open!" crowd lashing out in anger in any and all ways after news of that "master key" Android exploit spread. The exploit that makes 99% of all Android devices vulnerable. The exploit that can turn any harmless Android app into a malicious Trojan without changing its cryptographic signature. Yeah. That one.
Or maybe they're getting 10 cents per post from Samsung. You know, to attempt to discredit any and all negative news about Samsung and Android. For pennies a post. Tough job.
Good luck with that, fellas. Just remember that every time you post here, you're contributing to AppleInsider's web traffic, which boosts its Page ranking, which increases their ad revenue.
Thank you for helping to keep AppleInsider successful!