Techies Say Vlingo App Leads To Security Breaches

According to a report on www.androidpit.com, a Samsung Galaxy Note user recently found that the pre-installed Vlingo voice-recognition app was collecting user data, including names from users' contact lists.

"One of our users, admin Jörg, recently discovered an entry in the logcat readout of his Samsung Galaxy Note that gave him pause….He quickly set up a filter, which organized each process by it's process ID (PID) to help him get a handle of odd requests. After several hours of work poring over his Galaxy Note he had his answer, and it seems Vlingo knows more about its customers then it's letting on,” androidpit.com said.

After analyzing the filtered logcat readouts Jörg found that user data was being collected every four minutes and sent to an unencrypted URL and that the transfer of user information occurs even when voice control is inactive. Jörg said the data collection is not mentioned in Vlingo user agreements and when voice control loads and users agree to the user agreement, the app begins to send all names from user contact lists to Vlingo in the background. He also said lists of all music titles, including song information from titles saved on the SD card, are collected.

"Even if the first user warning indicates that user data will be collected, it does not give a true picture of the scope of collected information nor an accurate picture of how secure the transferred data really is," said Jörg. "Vlingo's data collection policy is an invitation for abuse of user information and private data."

Jörg advised disabling the "use my location" option in the Vlingo settings to prevent locational information from being associated with the data collected by Vlingo. He said if users delete Vlingo's associated data via menu application Vlingo will no longer collect information, but noted that it also means users can't use voice control any more. Additionally, Jörg said that if a user has root access to their phones, the app can also be deleted, "but it's hard to say if this will impact the performance of your device in other areas."

Vlingo, in the meantime, has acknowledged the problems, and promises that fixes are on the way.

"We take any claims about our customers' privacy and security very, very seriously," says John Nguyen, co-founder and head of product at Vlingo, which was recently acquired by Nuance Communications. "We certainly appreciate that we have individuals who are passionate enough about Vlingo's products and about their own privacy rights to conduct this sort of in depth investigation." 

Nguyen said the company has found several bugs that are causing Vlingo to send more data than it intended. The Vlingo application is currently including the device location information with device information like contact names and song titles. The company’s intention, Nguyen said, is to only send location with a speech recognition request, and the location should be omitted from background device-information transmissions.

"To be clear, Vlingo does make use of information about each device in order to improve the quality of our service," he said. 

According to Nguyen, Vlingo uses the current location of the device to improve search results, for example, to display nearby restaurants when the user does a restaurant search. Vlingo also uses the device make and model to improve recognition accuracy since microphone characteristics can vary from one device to the next. Vlingo uses names from the address book on the device to improve speech recognition accuracy and to spell them correctly when users say tyhem in voice dialing or SMS dictation. Song titles and artist names from music stored on the device are used to improve speech recognition when users requesting that specific music be played. Carrier information is also used to work around some issues the company found on some carrier-specific wap gateways.

"While we transmit and store this information, Vlingo itself does not store any user-identifiable information, meaning we have no way to associate a list of songs or contact names to the user they came from," Nguyen said. "Even though we intend to be very transparent about what information we are using in our privacy policy, we have discovered that our privacy policy is somewhat out of date. For example, we are not mentioning the fact that we are sending song titles and artist names from the device. We will be updating the privacy policy to reflect this."

Additionally, Nguyen said Vlingo is in the process of migrating its communication protocols from HTTP to more secure HTTPS, and said some of its client applications are using HTTPS, and new versions of the applications will be using HTTPS in the future.

Users who want to stop using Vlingo and are concerned that its servers can still contain data from a device can contact support@vlingo.com with the IMEI, and the company will remove sensitive information, such as contact names, from its servers.

"These issues are errors and are by no means intentional," Nguyen said. "We plan to fix them as soon as possible and will release updates to the user community as well as through our OEM partners. In addition, we will be improving our processes to ensure that our application behavior with respect to privacy matches our intention."

SpeechTek Covers
for qualified subscribers
Subscribe Now Current Issue Past Issues