One of our users, Admin Jörg, recently discovered an entry in the logcat readout of his Samsung Galaxy Note that gave him pause. One of the running processes on his Note kept bringing up the following request: “I/HttpRequest-BackgroundHttpManager323(10019) …” He wasn't sure what to make of the curious request and quickly set up a filter, which organized the entries by process ID (PID), to help him get a handle on it.
But before we get into what Jörg found out, some information regarding the app in question: Vlingo is a preinstalled app on the Samsung Galaxy Note and can also be downloaded from the Android Market.
Service: com.vlingo.client.userlogging.UALService <- the service in question
After analyzing the filtered logcat readouts Jörg was able to determine the following:
1) User data is being collected
D/UALService:Timer-323(10019): VLG_transmitting user activity data <– Collection Process starts here
D/HttpManager:Timer-323(10019): VLG_Queing background http request: ActivityLog
D/VLServiceUtil:BackgroundHttpManager323(10019): VLG_** vlclient: <– Device Data collection starts
D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Getting location <– user location data is collected
D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Found provider : network <– network wifi location is collected
D/AndroidLocationUtils:BackgroundHttpManager323(10019): <– location data is compiled
D/HttpUtil:BackgroundHttpManager323(10019): VLG_extraHeaders: <– The http header is prepared
X-vlsoftware=Name=SamsungVoiceUI; Version=2.9.0.B1104; AppChannel=Preinstall Free,
DeviceOSName=Android; DeviceModel=GT-N7000; DeviceOS=2.3.6;
Language=de-DE; ConnectionType=DirectTCP; Carrier=T-Mobile A;
CarrierCountry=AT; DeviceID=359532540167434; AudioDevice=Android,
I/HttpRequest-BackgroundHttpManager323(10019): VLG_** Getting new http connection. method POST hc com.vlingo.client.android.core.http.custom.AndroidVStreamConnection@40625f00
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** postData=<user-log><user-id>359532540167434</user-id><setup started="
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** GZip compressing post data...
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** response code: 200 <– Here the app checks whether the server actually responds
D/CookieHandler:BackgroundHttpManager323(10019): VLG_** domain: samsungvuiasr.vlingo.com
01-21 23:37:46.705: D/CookieHandler:BackgroundHttpManager323(10019): VLG_** done extracting
01-21 23:37:46.705: D/HttpRequest:BackgroundHttpManager323(10019): VLG_data len: 68
01-21 23:37:46.715: D/HttpRequest:BackgroundHttpManager323(10019): VLG_** finished <– transfer ends
D/UALService:BackgroundHttpManager323(10019): VLG_recv user log response
D/ThreadPoolExecutor:BackgroundHttpManager323(10019): VLG_finished worker execution:
2) The collected user data is sent unencrypted to the following URL:
(The fact that the HTTP protocol is used indicates that data is transferred unencrypted.)
3) The transfer of user information occurs even when voice control is inactive.
4) User data transmission occurs every 4 minutes.
5) The data collection is not mentioned in Vlingo user agreements
If Vlingo is collecting user information, it should be listed publicly in its user agreements.
URL for Vlingo's privacy rules: http://www.vlingo.com/wap/privacy/en
URL for Vlingo's user agreement: http://www.vlingo.com/wap/terms/en
Version of the user agreement: Last updated on 11.08.11
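The PID filter and the checks behind points 1) and 2) can be reproduced with a short script. The following is an added example, not Jörg's original filter: it parses logcat lines in the format shown above, keeps one PID, and flags IMEI-shaped values (15 digits with a valid Luhn check digit), location lookups and cleartext http:// endpoints. The sample lines, the test IMEI and the example.test host names are constructed.

```python
import re
from collections import defaultdict

# Line shape used in the article: optional timestamp, then "D/Tag(PID): message".
LINE = re.compile(r"^(?:\d\d-\d\d [\d:.]+:\s+)?([VDIWEF])/(.+?)\(\s*(\d+)\):\s?(.*)$")
IMEI = re.compile(r"(?<!\d)\d{15}(?!\d)")
CLEARTEXT = re.compile(r"http://[^\s\"'<>]+")

def luhn_ok(number):
    """IMEIs carry a Luhn check digit; this weeds out random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit(lines, pid):
    """Return {finding: [evidence]} for one process, like the PID filter above."""
    findings = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or int(m.group(3)) != pid:
            continue                        # other process or unparseable line
        msg = m.group(4)
        if any(luhn_ok(c) for c in IMEI.findall(msg)):
            findings["device_id"].append(msg)
        if "location" in msg.lower():
            findings["location"].append(msg)
        for url in CLEARTEXT.findall(msg):
            findings["cleartext_http"].append(url)
    return dict(findings)

# Constructed sample lines in the article's format (test IMEI, example.test hosts).
SAMPLE = [
    "D/UALService:Timer-323(10019): VLG_transmitting user activity data",
    "D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Getting location",
    "D/HttpRequest:BackgroundHttpManager323(10019): VLG_** postData=<user-log><user-id>490154203237518</user-id>",
    "01-21 23:37:46.705: D/HttpRequest:BackgroundHttpManager323(10019): VLG_url http://asr.example.test:80/activitylog",
    "D/HttpRequest:BackgroundHttpManager323(10019): VLG_data len: 123456789012345",
    "D/OtherApp:main(20001): user-id 490154203237518 http://other.example.test/",
]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE, 10019).items():
        print(kind, len(hits), hits)
```

The Luhn check keeps ordinary 15-digit numbers, such as the length value in the fifth sample line, from being reported as device IDs.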
Just to be safe, Samsung tries to cover its bases with a user agreement when you start the app up for the first time. The first popup window instructs users to read their privacy rules and user agreement but who actually takes the time to read through those rules after all? Not average users.
Vlingo's user agreement makes the following statements addressing information collected from users:
Statement: We will not use your name or any other personal information without obtaining your express permission in advance.
Commentary: This is patently untrue, as the data collection described above occurs without direct user consent.
Statement: We collect and store the location of your handset only when you speak.
Commentary: This is also a blatant falsehood. As is demonstrated in the Vlingo transfer parameters, location information is also collected even when the Vlingo service isn't in use. What's more, the AndroidPIT user had opted out of the service and information was still collected.
Statement: We do not associate the handset's location with your personal information. We do not know who you are when you use the location-awareness component of our service.
Commentary: This is also hard to swallow. Vlingo knows the IMEI and the associated location; with that in mind, it's hard to believe they can't establish a personal connection.
Statement: Vlingo uses physical, technical, and procedural techniques to ensure the security of your personal information.
Commentary: Sounds good, but it's also hard to believe. The user information that is transferred to Vlingo is done through insecure channels, which are also publicly accessible.
For example: http://samsungvuiasr.vlingo.com:80/voicepad/activitylog
How secure the server actually is and how secure the data really is, is quite questionable. Based on our research, it seems safe to say that VLINGO's server isn't up to date in terms of security.
Statement: We do not and cannot use the information we collect from you to identify you as an individual or to identify your device.
Commentary: That is also not true, as the IMEI number is a unique ID number that is used to ID each phone. Vlingo knows the IMEI because of its data collection methods.
But it's not just location and device-specific information that is sent to Vlingo's servers. The very first time a user logs into the service, a whole host of information is transferred to Vlingo's service, unencrypted of course.
6. All names from users' contact lists are collected.
When voice control loads and users agree to the user agreement, the app begins to send all names from the user's contact list to Vlingo in the background.
The information is sent to the following URL:
D/HttpRequest:BackgroundHttpManager1(24427): <LMTT><PIM t="w"><e uid="1384"><fn>WGKK</fn><ln>10/1</ln><c></c></e><e uid="147"><fn>Auskunft</fn><ln>118 676</ln><c></c></e><e uid="228"><fn>Taxi</fn><ln>60</ln><c></c></e>........
7. Lists of all music titles, including song information, from titles saved on the SD card are collected.
Similar to contact information, information regarding all media files on the SD-card is communicated to Vlingo.
D/HttpRequest:BackgroundHttpManager2(24427): <LMTT><SU uid="58" ttl="Rebekka und ich" art="Ludwig Hirsch" cmp="Rebekka Bakken" alb="In Ewigkeit Damen" gen="" yr="2006" fld="/mnt/sdcard/Samsung/Music"/>........
I/LMTTDBUtil-BackgroundHttpManager2(24427): VLG_opened DB. got android.database.sqlite.SQLiteDatabase@405e39f8
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ !!!! SUCCESSFUL CHUNK TRANSFER !!!!
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ chunk had 52 lmtt items
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ total for whole transfer is now 52
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _HttpResponse() from 'type="song,playlist" count="52,0""'
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ALL DONE LMTT UPDATE - SUCCESS
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ response is com.vlingo.client.core.http.HttpResponse@40527cb0
8. What can you do about it?
- First and foremost, you should disable the “use my location” option in the Vlingo settings. This prevents any location information from being associated with the data collected by Vlingo.
- If you delete Vlingo's associated data via menu > application > Vlingo, then Vlingo can no longer collect your information. Of course, this also means you can't use voice control any more.
- If you have root access to your phone, you can also delete the app. But it's hard to say if this will impact the performance of your device in other areas.
Even if the first user warning indicates that user data will be collected, it does not give a true picture of the scope of collected information nor an accurate picture of how secure the transferred data really is. Vlingo's data collection policy is an invitation for abuse of user information and private data.