SoundHound collects GPS location information

SoundHound's description says that location is used to store where songs were discovered, but the Android application collects and transmits your GPS location even when the application isn't running.

What SoundHound Says

“Note: Location is used to store where songs were discovered. It can be disabled from the Options menu.

Explanation of requested permissions:

FINE (GPS) LOCATION
COARSE (NETWORK-BASED) LOCATION
Used to enhance search results and remember where a search took place, which is displayed through History. This can be disabled in app settings.” — Google Play application description

“In connection with your use of the SoundHound Service, we may display certain third party advertising based on your current location or your use of the SoundHound Service.” — SoundHound Terms of Service

What Simon Says

In February of this year, Simon J. Stuart blogged that he had noticed SoundHound collecting your GPS location and transmitting it, along with your Google account information, to their home base. Stuart also noticed that if you had installed the application's widget on your home screen, the Android application collected your GPS location every time you booted your phone.

My Update

The Android version of the SoundHound application also reports your fine GPS location to home base while you are not running the application: it does so whenever you install a new application. When the application checks for updates, it reports the following information:

  1. Application version
  2. Device Model
  3. Unique Android ID
  4. Firmware/ROM Version and Build
  5. Android Locale
  6. Mobile Country Code
  7. Mobile Network Code
  8. Network Type
  9. Latitude
  10. Longitude
  11. GPS Horizontal Accuracy
  12. GPS Time (Seconds since epoch)

Also, the Android SoundHound application sends your location and unique identifying information over an unencrypted channel. It's interesting to note that the SoundHound API is listening on port 443, the port normally reserved for HTTPS, but the traffic is plain HTTP with no SSL implemented.

I don’t know if this was an intentional move by Melodis Corporation, but when the application calls the “checkForUpdate” and “partners” methods of their API, it reports far more information than it needs to. Additionally, if Melodis is collecting this type of information and sending it to their home base, they should at least be sending it encrypted.
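The quickest way to confirm a claim like the one above is to look at the first bytes of each client-to-server stream headed for port 443: a real TLS session opens with a handshake record (0x16, 0x03 0x0x, then a ClientHello), while plain HTTP opens with a request line. The script below is an added example, not code from the original post or from SoundHound; it audits a set of captured payloads and pulls out any location or identifier parameters a plaintext request carries. The sample flows, host name, request paths and parameter names (lat, lon, android_id, and so on) are constructed for the example and are not the real API's format.

```python
"""Audit client->server payloads sent to TCP/443: flag the ones that are not TLS
and extract any location / identifier fields a plaintext HTTP request leaks.

Added example. Hosts, paths and parameter names are assumptions, not the real API.
"""
from urllib.parse import parse_qs, urlsplit

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

# Parameter names treated as sensitive. Assumed names, chosen to mirror the
# fields listed in the post (lat/lon, accuracy, GPS time, Android ID).
SENSITIVE = {"lat", "latitude", "lon", "longitude", "accuracy",
             "gpstime", "android_id", "androidid"}

# Constructed sample flows: ((dst_ip, dst_port), first client->server payload).
FLOWS = [
    # 1. A genuine TLS ClientHello: record type 0x16, version 0x0301, handshake type 0x01.
    (("10.0.0.5", 443), b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    # 2. Plain HTTP GET to port 443 carrying a GPS fix in the query string.
    (("10.0.0.5", 443),
     b"GET /checkForUpdate?version=3.1&model=Nexus&lat=37.4219&lon=-122.0841"
     b"&accuracy=12.0&gpstime=1331000000 HTTP/1.1\r\n"
     b"Host: api.example.invalid\r\n\r\n"),
    # 3. Plain HTTP POST to port 443 with identifiers in a form-encoded body.
    (("10.0.0.5", 443),
     b"POST /partners HTTP/1.1\r\nHost: api.example.invalid\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 60\r\n\r\n"
     b"android_id=0123456789abcdef&latitude=37.42&longitude=-122.08"),
    # 4. Ordinary plaintext HTTP on port 80; outside the scope of this check.
    (("10.0.0.6", 80), b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
]


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS handshake record holding a ClientHello."""
    return (len(payload) >= 6
            and payload[0] == 0x16                 # content type: handshake
            and payload[1] == 0x03                 # version major (SSL3/TLS1.x)
            and payload[2] in (0x00, 0x01, 0x02, 0x03)
            and payload[5] == 0x01)                # handshake type: ClientHello


def is_plaintext_http(payload: bytes) -> bool:
    """True if the payload looks like an unencrypted HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def leaked_fields(payload: bytes) -> dict:
    """Return {param: first_value} for sensitive parameters in the query string
    or in a form-encoded body of a plaintext HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return {}
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    # Only parse the body as a form when the headers say it is one.
    if b"application/x-www-form-urlencoded" in head.lower():
        for key, values in parse_qs(body.decode("latin-1", "replace"),
                                    keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {k: v[0] for k, v in params.items() if k.lower() in SENSITIVE}


def audit(flows):
    """Return one finding per flow to port 443 that does not start a TLS handshake."""
    findings = []
    for (dst_ip, dst_port), payload in flows:
        if dst_port != 443 or is_tls_client_hello(payload):
            continue
        if is_plaintext_http(payload):
            kind, leaked = "plaintext HTTP", leaked_fields(payload)
        else:
            kind, leaked = "non-TLS (unrecognised)", {}
        findings.append({"dst": f"{dst_ip}:{dst_port}", "kind": kind, "leaked": leaked})
    return findings


if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding["dst"], finding["kind"], finding["leaked"])
```

Run against the constructed flows it skips the real ClientHello, reports the GET and the POST on port 443 as plaintext, and lists the coordinates and Android ID they carry. In practice you would feed it the first payload of each stream from a capture taken on the handset or on a Wi-Fi access point it is connected to; a stream that begins with a request line on port 443 is exactly the "443 but no SSL" situation described above.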

Perhaps if they had been sending this data encrypted, no one would have noticed, because I was too lazy to set up an SSL sniffing proxy.

The application appears to register a BroadcastReceiver for “com.android.vending.INSTALL_REFERRER”, the intent the Market app sends to a newly installed application so that its developer can determine the referrer that led to the install. However, it seems that the same intent can also be used to wake your own application whenever a third-party application is installed, which is how SoundHound gets to run, read the current GPS fix and report home without ever being launched.