Amazon’s Ring has been under a microscope for the last couple of months over its lack of privacy protections. The company did release a couple of updates to fix the various vulnerabilities found in the app and in its wider system.
While the company has been working on fixing vulnerabilities, it looks like all that was just a facade. A new investigation by the EFF has found a whole bunch of third-party trackers used by the Ring app to collect and send customer data, including PII. This comes just days after Avast was caught red-handed collecting and selling customer data to other companies.
EFF noted that Ring has been collecting and selling information including names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from the devices of paying customers. As in the Avast case, these data points are harmless in isolation, but combined they can paint a fairly detailed picture of the user, including their shopping and browsing behaviour.
The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.
EFF used version 3.21.1 of Ring’s Android app for its investigation. The app was found delivering PII to branch.io, mixpanel.com, appsflyer.com and facebook.com.
Facebook’s Graph API lets the company track when the app is opened and record device actions such as the app being deactivated after a screen lock due to inactivity. The information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id) that persists even when you reset the OS-level advertiser ID.
Branch, which describes itself as a “deep linking” platform, receives a number of unique identifiers (device_fingerprint_id, hardware_id, identity_id) as well as your device’s local IP address, model, screen resolution, and DPI.
Next up is AppsFlyer, a large marketing and analytics company focused on the mobile platform. Ring gave AppsFlyer access to a plethora of customer data, including your mobile carrier, when Ring was installed and first launched, a number of unique identifiers, the app you installed from, and whether AppsFlyer tracking came preinstalled on the device. Ring even allowed AppsFlyer to access sensor data, including readings from your magnetometer, gyroscope, and accelerometer.
If you thought that was bad, take a look at the amount of data MixPanel receives from Ring. The data given to MixPanel includes users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in. EFF found that MixPanel is briefly mentioned in Ring’s list of third-party services, but the extent of its data collection is not.
EFF noted that Ring also sends data to Google’s crash logging service Crashlytics. While EFF wasn’t able to determine what data is sent to Google, we assume it could just be logs related to app crashes.
Ring’s latest revelation should be enough to ditch the service for good. While Ring has had incidents in the past, those were caused mainly by bad actors trying to harass users or retrieve sensitive data. This, however, proves with certainty that Ring is indeed collecting and selling/sharing data with third parties, and it isn’t even making an effort to hide the PII. If you’re interested in checking out the mitmproxy flow files, you can see them from the links below. You can also head to EFF’s website to read the full investigation and the methodology used to reach the aforementioned conclusion.
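The kind of audit described above can be reproduced on your own app captures. The following is an added example, not part of the article or EFF’s tooling: it takes requests already decoded from a mitmproxy capture as (URL, body) pairs (reading the flow file itself is assumed to be done beforehand), tallies which identifier, PII, fingerprint and sensor fields each third-party host receives, and flags hosts that get a persistent identifier alongside PII or fingerprint data, since that combination is what lets a tracker build a profile. The identifier names anon_id, device_fingerprint_id, hardware_id and identity_id come from the investigation; the other field names, paths and values are constructed for the demo.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Field taxonomy. anon_id, device_fingerprint_id, hardware_id and identity_id are the names
# reported in the investigation; the other key names are assumed for illustration.
CATEGORIES = {
    "persistent_id": {"anon_id", "device_fingerprint_id", "hardware_id", "identity_id"},
    "pii": {"full_name", "email", "local_ip", "carrier"},
    "fingerprint": {"model", "screen_resolution", "dpi", "os_version", "timezone", "language"},
    "sensor": {"accelerometer", "gyroscope", "magnetometer"},
}

def json_keys(obj):  # yield every key name found anywhere in a nested JSON value
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from json_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from json_keys(item)

def request_fields(url, body):  # (host, parameter names) from query string plus JSON body
    parts = urlsplit(url)
    fields = set(parse_qs(parts.query))
    try:
        fields |= set(json_keys(json.loads(body))) if body else set()
    except ValueError:
        pass  # non-JSON body (form data, protobuf) needs its own decoder; skipped here
    return parts.hostname, fields

def audit(requests):
    """Map each host to the categories of data it received: {host: {category: [fields]}}."""
    report = defaultdict(lambda: defaultdict(set))
    for url, body in requests:
        host, fields = request_fields(url, body)
        for category, names in CATEGORIES.items():
            if fields & names:
                report[host][category] |= fields & names
    return {h: {c: sorted(v) for c, v in cats.items()} for h, cats in report.items()}

def profiling_hosts(report):  # hosts that get a persistent id together with PII/fingerprint data
    return sorted(h for h, cats in report.items()
                  if "persistent_id" in cats and cats.keys() & {"pii", "fingerprint"})

# Constructed sample requests: hosts from the article, paths and values made up for the demo.
SAMPLE = [
    ("https://facebook.com/constructed?anon_id=abc123", '{"timezone":"UTC","model":"Pixel 3"}'),
    ("https://branch.io/constructed", '{"hardware_id":"h1","local_ip":"10.0.0.5","dpi":420}'),
    ("https://mixpanel.com/constructed", '{"properties":{"email":"jane@example.com","full_name":"Jane Doe"}}'),
    ("https://crashlogger.example/constructed", '{"stack":"trace"}'),
]
```

Running audit(SAMPLE) lists the categories each host received, and profiling_hosts() returns only the hosts that could link a persistent identifier to a person or device; a host whose body contains none of the tracked fields (the crash logger here) does not appear at all.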