Are You Using Vlingo? Your Privacy May Be at Risk
Update: 26.01.2012 10:PM (Aaron Tilton)
While this is admittedly not good news for Samsung Galaxy Note customers concerned with personal privacy, Vlingo is working on a fix, which should become available in the next several weeks. Again, we believe they are working in good faith to correct the problem, but they could not provide AndroidPIT with a definite date for a patch.
Vlingo will release an official statement in the coming hours. Check back soon for their official reaction.
A few days ago, we brought you a story about how Vlingo was sending personal user data to a remote server in the U.S.A. without consent (i.e., without mentioning that it does so in the user agreement). Today we've learned that the app actually begins sending this information (including where you are, and your exact device ID or IMEI) to an unencrypted URL before you even agree to the user agreement.
The revelation comes from AndroidPIT user Jorg V., who has been monitoring the debug output Vlingo writes to the device using a program called Logcat. Logcat allows users to view the internal log of the Android system. After deleting the app's data, the app began establishing a connection with multiple servers in the U.S. The information it sent to this server included the phone ID, location and carrier.
Obviously, Vlingo needs some of this data in order to operate, given that it delivers answers to users from their server. This we're fine with; that's how voice apps work. But the fact that the app transmits the device ID number as well as uses WiFi networks to pinpoint user location and sends the information to an unencrypted URL even before terms and conditions are accepted is quite frightening.
For all the techies out there, here's an example of the kind of data packets the app sends.
Here's the device information and location data it transmits:
VLG_** vlclient: DeviceMake=samsung;
Did you get all that? It's got everything: the carrier information, the longitude, the latitude, the unique device ID. But that's not all: after you've agreed to the Terms and Conditions, the app sends your contacts to that unencrypted server:
D / HttpRequest: BackgroundHttpManager1 (24 427): <LMTT> <PIM t="w"> <e uid="1384"> <fn> WGKK </ fn> <ln> 10 / 1 </ ln> <c> < / c> </ s> <e uid="147"> <fn> information </ fn> <ln> 118 676 </ ln> <c> </ c> </ e> <e uid = "228" > <fn> taxi </ fn> <ln> 60 </ ln> <c> </ c> </ s >........
And even your music!
D / HttpRequest: BackgroundHttpManager2 (24 427): <LMTT> <SU uid = "58" ttl = "Rebecca and I" type = "Ludwig Hirsch" cmp = "Rebekka Bakken" alb = "Forever and ever Ladies' gen =" "yr = "2006" fld = "/ mnt / sdcard / Samsung / Music "/>........
I/LMTTDBUtil-BackgroundHttpManager2 (24 427): DB VLG_opened. Got android.database.sqlite.SQLiteDatabase @ 405e39f8
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _!! SUCCESSFUL TRANSFER CHUNK!!
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ chunk lmtt had 52 items
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ Total for whole transfer is now 52
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _HttpResponse () 'type =' song, playlist "count =" 52.0 "" 'from
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ALL DONE LMTT UPDATE - SUCCESS
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ @ response is com.vlingo.client.core.http.HttpResponse 40527cb0
And all of this information is sent, unencrypted, to a Vlingo data server.
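To check a Logcat capture of your own for the same kinds of data, the following is an added example (not code from Jorg V., Vlingo or AndroidPIT) that counts device IDs, coordinates, contact entries and music entries in log text. The sample lines are constructed; the IMEI, coordinates, names and the key names after DeviceMake are made up, since the excerpt above is truncated.

```python
import re
from collections import Counter

# Constructed sample modelled on the logcat excerpts in the article.
# DeviceID/Lat/Long key names and all values are made up for illustration.
SAMPLE_LOG = """\
D/vlclient(24427): DeviceMake=samsung; DeviceID=490154203237518; Lat=52.520008; Long=13.404954;
D/HttpRequest: BackgroundHttpManager1(24427): <LMTT> <PIM t="w"> <e uid="1384"> <fn>Alice</fn> </e> <e uid="147"> <fn>Bob</fn> </e>
D/HttpRequest: BackgroundHttpManager2(24427): <LMTT> <SU uid="58" ttl="Song A" alb="Album" yr="2006" />
I/ActivityManager(1234): Displayed com.example/.Main: +350ms
"""

IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")                # 15-digit candidates
COORD_RE = re.compile(r"(?<![\d.])-?\d{1,3}\.\d{4,}(?!\d)")  # decimal degrees
CONTACT_RE = re.compile(r"<\s*e\s+uid\s*=")                 # <e uid="..."> entries
SONG_RE = re.compile(r"<\s*SU\s+uid\s*=")                   # <SU uid="..."> entries


def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; this rejects arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit(log_text: str) -> Counter:
    """Count personal-data indicators found in logcat text, by category."""
    findings = Counter()
    for line in log_text.splitlines():
        findings["imei"] += sum(luhn_ok(m) for m in IMEI_RE.findall(line))
        findings["coordinate"] += len(COORD_RE.findall(line))
        findings["contact_entry"] += len(CONTACT_RE.findall(line))
        findings["media_entry"] += len(SONG_RE.findall(line))
    return findings


if __name__ == "__main__":
    for category, count in audit(SAMPLE_LOG).items():
        print(f"{category}: {count}")
```

The tag patterns tolerate the extra spaces seen in the excerpts above, so text pasted from this page is matched as well.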
Vlingo is installed on more than a million Android devices worldwide. We've reached out to Vlingo and Samsung (which pre-installs the app on many devices, including the Note) but haven't heard back yet with an official comment. While we expect voice-activated apps to use this information when we're accessing contacts or restaurants nearby, it's troubling that the app sends all this information to an unencrypted server before the terms and conditions have even been accepted and before a user has asked the app to do anything!
This article has been updated since its original publication.