Are You Using Vlingo? Your Privacy May Be at Risk

Steven Blum

Update: 26.01.2012 10:PM (Aaron Tilton)

We just got off the phone with Vlingo representatives including John Nguyen, co-founder and Head of Products at Vlingo, where we discussed the concern that AndroidPIT members Jörg and Andres had raised regarding personal user data collection on the part of Vlingo. The conversation was friendly and, while a good deal of information is gathered by the app, we have every reason to believe that Vlingo is acting in good faith when it comes to personal user information. However, Vlingo admits that their app does collect certain data types before users agree to their privacy policy. This means that before you agree to allow data to be sent to the company, the app does, in fact, collect location, carrier and phone identification information, which is then transferred unencrypted to Vlingo's servers. According to their representatives, this is due to synchronization issues with processes that normally run in the background.

They also admitted that the Vlingo version that comes preloaded on the Samsung Galaxy Note collects names, contact information and music information from users, which isn't stated in their privacy policy. However, they attribute that to an oversight, which will be corrected shortly.

While this is admittedly not good news for Samsung Galaxy Note customers concerned with personal privacy, Vlingo is working on a fix, which should become available in the next several weeks. Again, we believe they are working in good faith to correct the problem, but they could not provide AndroidPIT with a definite date for a patch.

Vlingo will release an official statement in the coming hours. Check back soon for their official reaction.

A few days ago, we brought you a story about how Vlingo was sending personal user data to a remote server in the U.S.A. without consent (i.e., without mentioning that they're doing so in the user agreement). Today we've learned that the app actually begins sending this information (including where you are, and your exact device ID or IMEI) to an unencrypted URL before you even agree to the user agreement.

The revelation comes from AndroidPIT user Jorg V., who has been monitoring the debug output Vlingo writes to the device using a program called Logcat. Logcat allows users to view the internal log of the Android system. After deleting the app's data, the app began establishing a connection with multiple servers in the U.S. The information it sent to this server included the phone ID, location and carrier.

Obviously, Vlingo needs some of this data in order to operate, given that it delivers answers to users from their server. This we're fine with; that's how voice apps work. But the fact that the app transmits the device ID number, uses WiFi networks to pinpoint user location, and sends the information to an unencrypted URL even before terms and conditions are accepted is quite frightening.

For all the techies out there, here's an example of the kind of data packets the app sends.

Here's the device information and location data it transmits:

/VLServiceUtil:BackgroundHttpManager1(25106):
VLG_** vlclient: DeviceMake=samsung;
DeviceOSName=Android;
DeviceModel=GT-N7000;
DeviceOS=2.3.6;
Language=de-DE;
ConnectionType=DirectTCP;
Carrier=T-Mobile A;
CarrierCountry=AT;
DeviceID=359532540167434;
AudioDevice=Android

vllocation=Lat=46.178338204999932;
Long=14.362434382504343;
Alt=0.0;
GSM_MCC=232;
GSM_MNC=03;
CID=2107021;
LAC=58400;

Did you get all that? It's got everything: the carrier information, the longitude, the latitude, the unique device ID. But that's not all: after you've agreed to the Terms and Conditions, the app sends your contacts to that unencrypted server:

D / HttpRequest: BackgroundHttpManager1 (24 427): <LMTT> <PIM t="w"> <e uid="1384"> <fn> WGKK </ fn> <ln> 10 / 1 </ ln> <c> < / c> </ s> <e uid="147"> <fn> information </ fn> <ln> 118 676 </ ln> <c> </ c> </ e> <e uid = "228" > <fn> taxi </ fn> <ln> 60 </ ln> <c> </ c> </ s >........

And even your music!

D / HttpRequest: BackgroundHttpManager2 (24 427): <LMTT> <SU uid = "58" ttl = "Rebecca and I" type = "Ludwig Hirsch" cmp = "Rebekka Bakken" alb = "Forever and ever Ladies' gen =" "yr = "2006" fld = "/ mnt / sdcard / Samsung / Music "/>........
I/LMTTDBUtil-BackgroundHttpManager2 (24 427): DB VLG_opened. Got android.database.sqlite.SQLiteDatabase @ 405e39f8
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _!! SUCCESSFUL TRANSFER CHUNK!!
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ chunk lmtt had 52 items
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ Total for whole transfer is now 52
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _HttpResponse () 'type =' song, playlist "count =" 52.0 "" 'from
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ALL DONE LMTT UPDATE - SUCCESS
I/LMTTChunkUpdate-BackgroundHttpManager2 (24 427): VLG_LMTTChunkUpdate: _ @ response is com.vlingo.client.core.http.HttpResponse 40527cb0

And all of this information is sent, unencrypted, to a Vlingo data server.
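
For anyone auditing an app's debug output for this kind of leak, the device and location excerpt above can be checked mechanically. The following Python is an added example, not code from Vlingo or from the original article: it parses the `Key=Value;` layout shown in that excerpt, flags fields that identify a device, carrier or location, and masks their values so the log can be shared. The sample log, the `SENSITIVE` grouping and the function names are assumptions made for illustration.

```python
import re

# Field names are from the excerpt; the categories are this example's assumption.
SENSITIVE = {
    "DeviceID": "device identifier", "Carrier": "carrier", "CarrierCountry": "carrier",
    "Lat": "location", "Long": "location", "GSM_MCC": "cell identity",
    "GSM_MNC": "cell identity", "CID": "cell identity", "LAC": "cell identity",
}

# Constructed sample in the same layout; none of these values is from the page.
SAMPLE = """\
/VLServiceUtil:BackgroundHttpManager1(1234):
VLG_** vlclient: DeviceMake=samsung;
Carrier=ExampleTel;
DeviceID=490154203237518;
AudioDevice=Android
vllocation=Lat=48.000000;
Long=16.000000;
CID=1111111;
"""

def parse_fields(text):
    """Return {key: value} for each 'Key=Value' pair, skipping log prefixes."""
    fields = {}
    for chunk in re.split(r"[;\n]", text):
        left, sep, value = chunk.rpartition("=")
        key = re.search(r"([A-Za-z_]\w*)\s*$", left)
        if sep and key:
            fields[key.group(1)] = value.strip()
    return fields

def is_imei(value):
    """True for a 15-digit string whose Luhn checksum is valid."""
    if not re.fullmatch(r"\d{15}", value):
        return False
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(value))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def audit(text):
    """List (field, category, masked value) for each sensitive field logged."""
    findings = []
    for key, value in parse_fields(text).items():
        if key in SENSITIVE:
            kind = "IMEI" if key == "DeviceID" and is_imei(value) else SENSITIVE[key]
            findings.append((key, kind, value[:2] + "*" * (len(value) - 2)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against a captured log, any finding that appears before the user has accepted the terms is the behaviour the article describes.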

Vlingo is installed on more than a million Android devices worldwide. We've reached out to Vlingo and Samsung (which pre-installs the app on many devices, including the Note) but haven't heard back yet with an official comment. While we expect voice-activated apps to use this information when we're accessing contacts or restaurants nearby, it's troubling that the app sends all this information to an unencrypted server before the terms and conditions have even been accepted and before a user has asked the app to do anything!

This article has been updated since its original publication.

Comments

  • TJ Leonard Jan 26, 2012 Link

    Just wanted to let the Android Pit community know that we are aware of both this post and the original from 1/23. We've been hard at work to address each of the concerns that have been raised. We want everyone to know we take our customers' privacy and data security very seriously. We should have a detailed response ready this afternoon. In the meantime, we certainly appreciate everyone's patience as we investigate each claim fully. Thank you.

  • kerriemaguire Jan 27, 2012 Link

    very good love it

  • Alan Peery Feb 17, 2012 Link

    @Vlingo
    1) Have you completed the work at encrypting all traffic headed to your servers yet?

    2) Have you undertaken a culture change to make security a critical consideration across your development, systems, and marketing staff? It was clearly needed, or the situation above with unencrypted transmission never would have occurred...
