Tuesday, April 4, 2017

An Update on Verizon’s AppFlash: Pre-Installed Spyware Is Still Spyware

An Update on Verizon’s AppFlash: Pre-Installed Spyware Is Still Spyware


Verizon recently rolled out a new pilot project to pre-install on customers’ devices an app launcher/search tool that, we believe, is really just spyware. This software, called AppFlash, is preloaded on a new model of LG device—the LG K20 V—rather than in all of their Android line as we previously reported. The software allows Verizon and its partners to track the apps you have downloaded and then sell ads to you across the Internet based what those apps say about you, like which bank you use and whether you’ve downloaded a fertility app.

Verizon is touting “AppFlash” as a customer benefit. In reality, it is just the latest display of wireless carriers’ stunning willingness to compromise the security and privacy of their customers by preloading unwanted apps on users’ devices. To see how AppFlash is dangerous, just look at the Privacy Policy. It states that the app can be used to:
“collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”
Troubling as it may be to collect intimate details about what apps you have installed, the policy also illustrates Verizon’s intent to gather location and contact information:
“With your permission, AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.”
And what will Verizon use all of this information for? Why, targeted advertising on third-party websites across the Internet, of course:
“AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.”
With the announcement of AppFlash, Verizon has made clear that it intends to start monetizing our private data as soon as possible, if not sooner. In other words, our prediction that mobile Internet providers would start pre-installing spyware on their customers’ phones has come true, even before Congress changed the rule to let ISPs like Verizon, AT&T, and Comcast sell your personal data to advertisers. In our view, the FCC's privacy rules that Congress has voted to roll back would have prohibited Verizon from pre-installing the AppFlash spyware on its phones in this manner—and we can expect Congress' privacy rollback to embolden further privacy-invasive practices by ISPs.

Last week, Verizon sent us a statement about its roll out of AppFlash, asserting that “you have to opt-in to use the app.” While it’s true that the user is presented with a click-through license the first time they launch AppFlash, it’s entirely unclear from that screen what information is being collected or shared. Instead, those crucial details are buried within the fine print of a Terms of Service. That’s hardly a meaningful mechanism for obtaining informed opt-in consent.

What are the ramifications? For one thing, this is yet another entity that will be collecting sensitive information about your mobile activity on your Android phone. It’s bad enough that Google collects much of this information already and blocks privacy-enhancing tools from being distributed through the Play Store. Adding another company that automatically tracks its customers doesn’t help matters any.

But our bigger concern is the increased attack surface an app like AppFlash creates. It is likely that with Verizon rolling this app out on certain new phones, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to users’ cybersecurity could be disastrous, especially if Verizon expands its “test” to additional devices.

Verizon should immediately abandon its plans to monitor its customers’ behaviors, and do what it’s paid to do: deliver quality Internet service without spying on users. And in no case should Verizon expand its test of this spyware to additional models of mobile devices.

Source: An Update on Verizon's AppFlash: Pre-Installed Spyware Is Still Spyware | Electronic Frontier Foundation