235 apps attempt to secretly track users with ultrasonic audio

Originally published at: http://boingboing.net/2017/05/04/235-apps-attempt-to-secretly-t.html


Nothing says “slow motion” more than clogging your phone / computer with a bunch of useless apps.


I checked shopkicks website. Not very interesting, but found this:

Kicks for walking into stores
Check the Stores tab in the app for Walk-In Kicks
Turn on bluetooth and enable location services on your device
Walk into participating stores
Open the app at the store entrance

Get Kicks
Get Kicks just for visiting
Kicks = Money
Redeem your Kicks for gift cards


Now I feel guilty for being an early adopter of the Chirp app for iOS devices, back in the day…

1 Like

It should be possible to make an app that warns you when you’re in the presence of a uXDT beacon. No doubt there’s some legal restriction on reverse-engineering their technique.


I’m guessing that it’s totally obvious which apps these are; and whether they are closed or closed closed…


They almost certainly have some clickwrap nonsense about how doing anything they wouldn’t approve of is basically a crime against humanity; but I suspect that they would have a hard time going after mere detector applications.

Even if their audio encoding is larded with patented techniques(not guaranteed; especially if bandwidth isn’t a huge issue; or if they just grabbed some of the techniques used for acoustic modems back in the day for ease and convenience; since most of those patents are late 90s or older; but certainly possible); you don’t need to decode the signal just to determine that there is one present; and any especially proprietary techniques should make it more evident whose signal you are dealing with.

1 Like

Huh. This was unexpected:

MIT license.

BTW, I’m not pointing a finger of shame at these people. There are some cool apps that could be done with the technique so long as it’s done with users’ informed consent. Props for making their libraries available!


Which reminds me to put on my artificial retina contact lenses before I hit the mall.


Well, if any dogs are showing interest in particular apps, you’ll know why.

Don’t worry, they’ll know who you are with facial recognition… Wearing a mask? Gait recognition. Give it a few years and it’ll be DNA profiling…


Sounds like Flooz. Or was that Beenz?


But whose DNA will they capture?


Man, ad-blockers are going to get really expensive and quite… disturbing.


Kicks just keep getting harder to find

The McDonalds app? Dude, if you have the McDonalds app, ultrasonic tracking is the least of your problems.


Thank goodness Android users can finally say no to individual permissions even after the app’s installed.

Another thing - why aren’t​ these app devs just buying my info from Google???

If only there was some way of preventing an app from using your microphone… https://support.google.com/googleplay/answer/6270602?hl=en

I take it I’m the only one who revokes “weird” app permissions when installing a new app?

There was a conference about this subject at the winter hacker congress of the chaos computer club germany. Basically, the code is in a library that some developpers use to display adds. Apparently many developpers of smaller apps did not suspect that the audio function was there.

I also see that in the article that some of the suspected uses are as beacon (like knowing the phone is in a shop or phone to phone communication). There are easier and more efficient techniques for that. Smartphone broadcast their unique MAC address over wifi (all the time, even without connection) and shops are known to have implemented sniffers in their wifi routers. Phone to phone communication can use wlan as soon as they are in the same segment (which would be the case at home, for example).

As to the idea to refuse access to specific channels or infos to your apps. The most data savvy apps will then simply refuse to work. I know that from experience (on an iphone, were permissions have been controllable for a longer time): some apps I tried simply quit with a message “please enable permissions on this or that item”. I chose to simple deinstall them, but most people choose to allow access. It is a real problem if you really need the app, for example I lost contacts with some people because I refused to use whatsapp which insisted on first copying my complete contact list to their US servers (even if their web site says otherwise). Fortunately, I could afford to lose these particular contacts, it would have been different if they were paying customers for example.

I feel guilty for signing up for that BBS account, back in the day.

Shades of BadBios? Maybe this is how it downloads updates!