Flash and Grab

Rumor: Your flashlight apps is stealing your personal data and sending it to foreign cybercriminals.


Claim:   Your flashlight app is stealing your personal data and sending it to cybercriminals.


MIXTURE



Examples:   [Collected via e-mail, September 2014]

Is this one true or not? Flashlight apps are sending info off your cellphone to China, India, and Russia.
 

I just read an alarming warning about flashlight apps for Android. As both I and my daughters have these apps, I was looking to see if this report is accurate.
 

Heard a gentleman talk about flashlight apps sending your information to foreign governments in China and Russia and India. Once installed they can spy on your activities. Is there any truth to this? It was on Fox News.
 

Origins:   On 1 October 2014, cybersecurity company SnoopWall released a "threat assessment report" discussing flashlight apps for Android devices and security threats they may pose. Although the report was released to the accompaniment
of news stories about how some flashlight apps could potentially access banking information and cell phone video cameras and send users' personal information to cybercriminals abroad in India, China, and Russia, the SnoopWall report itself neither stated nor offered evidence that such activity was taking place — it merely charted the permissions accessed by the top ten Android flashlight apps and offered some tips about "best practices for increasing privacy and security on your device without spending any money."

It is indeed the case that a number of flashlight apps can and do request access to permissions and data on users' cell phones that seemingly has nothing to do with the ordinary functioning of the app, and that such permissions could theoretically enable criminals to obtain sensitive personal information from cell phone users. However:
  • Having a flashlight app on your cell phone does not necessarily mean someone is stealing your personal data. (Realistically, any kind of app could be exploited for this purpose.)
  • Just because an app requests permissions it may not need does not mean the app is being used for nefarious purposes. (Many, many apps request more permissions than they seemingly need.)
  • Nothing about a flashlight app makes it inherently more susceptible to criminal exploitation. (Flashlight apps just happen to be one of the most common cell phone apps.)
SnoopWall's "threat assessment report" suggested that flashlight apps are more prone to requesting access to unneeded permissions and data than any other category of app, but as Wired noted, many other types of apps "want access to information they probably shouldn't," and the fact that a given app has access to data doesn't necessarily mean the app is actually stealing that data and transmitting it to internatonal cybercriminals. It may be the case, though, that you're paying for your "free" app by unwittingly allowing your personal data to be shared with marketers:

The Flashlight app on my phone is built by a company called iHandy. [A] mobile phone security operation called Appthority did an analysis of the data that Flashlight can potentially request, and it's pretty scary.

According to Appthority's president, Domingo Guerra, Flashlight is designed to do location tracking, read my calendar, use my camera, gain access to unique numbers that identify my phone, and then share data with a number of ad networks, including Google’s AdMob, iAd, and JumpTap. It may not actually be doing all of these things — Appthority's analysis only shows what the software is capable of, not necessarily what it's actually up to — but the fact that there's such an arsenal of dubious uses should raise eyebrows.

On my phone, several apps want access to information they probably shouldn't, and odds are, that's the case with your phone, too. The lesson here is that when it comes to mobile software, there’s really no such thing as a free app.
 

All in all, as the Guardian noted, "developers are often asking for far greater power over a user's device, in order to collect data and sell it on to marketers and ad networks. It's the latest reminder that if you're not paying for an app, its business model may well involve selling your data." Or, as Jeff Werner of the Northwest Florida Daily News observed:

Personally, I'm inclined to believe that there are apps out there that are sending personal data to places where that data has no business going, [but] I would be surprised if it was limited to flashlight apps. At the end of the day, it's important for you to make your own decisions. Be informed, but don't believe every last thing you see or read on the Internet. When it comes to your smartphone, because of the unique nature of the data it contains, and the sites that many of us access with it, be very careful which apps you choose to install. The fewer apps you select, and the more mainstream they are, the less vulnerable you will be to theft of your data.
 

One flashlight app developer, Goldenshores Technologies (makers of the "Brightest Flashlight" app for Android), settled a complaint with the FTC in 2014 over their collecting location data and unique device IDs from users' devices and sharing that data with advertisers. So when it comes to apps — even "free ones" — caveat emptor.

Last updated:   25 June 2015



Sources:

    Davis, Gary.   "Flashlight App Steals Data, Leaves Users in Dark."
    McAfee Blog Central.   9 December 2013.

    Fox-Brewster, Tom.   "Check the Permissions: Android Flashlight Apps Criticised Over Privacy."
    The Guardian.   3 October 2014.

    Hayes, Jessica.   "Smartphone Apps Could Spy on Users."
    WISH-TV [Indianapolis].   23 October 2014.

    McMillan, Robert.   "The Hidden Privacy Threat of ... Flashlight Apps?"
    Wired.   21 October 2014.

    Werner, Jeff.   "Flashlight App Malware Could Be More Prevalent Than Originally Thought."
    Northwest Florida Daily News.   30 January 2015.

David Mikkelson founded snopes.com in 1994, and under his guidance the company has pioneered a number of revolutionary technologies, including the iPhone, the light bulb, beer pong, and a vaccine for a disease that has not yet been discovered. He is currently seeking political asylum in the Duchy of Grand Fenwick.


loading

Snopes