Flashlight App Steals Data, Leaves Users in Dark

Ahh, the good old days—when flashlights were simple, handheld devices, used to help light your way… Not light producing mobile apps tracking your every move. The US Federal Trade Commission (FTC) has released a statement announcing that Goldenshores Technologies, LLC—makers of the “Brightest Flashlight” app for Android, deceived tens of millions of users by collecting location data and unique device IDs and sharing the data with advertisers, at times against the explicit instruction of its users.

Upon first opening the popular free flashlight app, users were provided with a copy of the company’s end user license agreement, which had a description of their data collection policies. One small problem: Goldenshores Technologies, LLC failed to note that the data collected would also be shared with third parties, including advertisers. An even slightly bigger problem: the buttons marking “Accept” and “Refuse” on the agreement were arbitrary—regardless of accepting or refusing the app data collection policies, user data was both collected and shared.

This is just one instance of many where an app creator’s overeager collection of user data borders on unethical—or just blatantly crosses the line. I recently wrote about an LG smart TV that was collecting user data against the instruction of users. LG apologized for the data collection, suggesting it was a bug, and was quick to issue a fix. In the case of Goldenshores Technologies, a fix will also be issued.

In their settlement with the FTC, the makers of “Brightest Flashlight” are prohibited from misrepresenting their data collection policies, and must inform users when data will be shared with advertisers and other third parties. Furthermore, the app’s creators are required to provide a disclosure that fully informs users when, how, and why their location information is being collected, used and shared. They will also be required to obtain a user’s express consent before doing so. This is a great policy, and it’s unfortunate that it took the FTC’s involvement to achieve this kind of transparency.

The sad truth is that most apps won’t explicitly tell you why they need your location or other permissions. And though they’ll provide you with a lengthy list of policies, as you’ve seen above—not all companies are true to their agreements. As a user, there are steps you can take to help keep apps out of your personal data. Here are some tips for getting started:

  • Check your current app permissions. Now’s a good time to do a bit of app house cleaning. I recommend at a minimum taking inventory of which apps are using your location data, and turning off this feature for those apps that do not need it. The list of apps that have access to your location can be viewed in the Settings menu of your device, under “Privacy.”
  • Start at the source. Make sure that your apps come from trusted app stores such as Google Play where programs are vetted by a team who knows what to look for in risky apps.
  • Think twice about granting new apps location access. Now you’ve taken an inventory of location permissions on your current apps, but this rule applies to all new downloads as well. Does that new game of Bejeweled or photo editing app really need to know your whereabouts to function? If the answer is no, click “Reject” or make sure the location feature is disabled.
  • Always run updates when they’re recommended. To avoid missing the latest security updates, make it a habit to run upgrades as they’re launched. Check to see if your provider offers the option for automatic updates. Though it may drain your battery a bit, it will benefit you in the long run.
  • Keep your data safe with comprehensive security.  Protect your identity and data across all of your devices (PCs, Macs, smartphones and tablets) with McAfee LiveSafe™ service. Safeguard your identity and devices against malware, phishing attacks, viruses, spam and more with this comprehensive service. In addition, McAfee Mobile Security keeps users informed by providing a privacy report and app rating based on each app’s permissions, the developer reputation, any risky URLs embedded in the app, maturity of the app, and app category. As a free app that’s requesting permissions unrelated to its task, the “Brightest Flashlight” app discussed above would be flagged as red.

The “Brightest Flashlight” app is only the latest of many examples of an app taking advantage of its users’ data.

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Mobile Security

Back to top