[tomtalks]

(Created an account to post this) I downloaded the app on android and listened to a few songs on Spotify to find out what information was being sent.

While the app is running, the app sends a HTTP (edit: HTTPS) request every time the track information changes or the volume changes. When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.

Every request includes standard meta-data such as

* An _anonymous-id_

* Device serial number

* Information about whether wifi or cellular are connected and carrier name

* Device name, model and manufacturer

If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)

[justabystander]

Questions this brings up:

1. What's the estimated bandwidth impact of this data collection? Many users have very limited data use, and chatty messages on play/pause/volume change wouldn't be appreciated.

2. HTTP or HTTPS?

3. How does it work with other apps (like Google Music) that might provide more music details? Like does it send more information when the id3 tags have all the fields filled in? Things like comments, encoding, etc might also be transmitted. Streaming services like Spotify probably try to trim that as much as possible, but local files could have a lot more data.

4. Can you see anything about the anonymous id that might make it not that anonymous? I mean, the device serial number alone kind of defeats an anonymous id. But there's been a fair amount of work in reidentification of anonymous data, and many developers take shortcuts when generating their "anonymous" data. (https://arstechnica.com/tech-policy/2009/09/your-secrets-liv...).

5. It's sending this data in the background, correct?

6. What does it send (if anything) during calls, emails, texts, map navigation, and voice commands?

[tomtalks]

1. From the data I collected, the content of each message of is roughly 1000-2000 bytes. This is not much on it's own but over the course of a day it could end up. It appears as messages are queued and send in bulk when applicable, therefore I can't comment on bandwidth over time as the app may chunk its request. It may not even send messages when the screen is closed.

2. Everything is secured with HTTPS! All the analytics messages, messages to boses servers and firmware checks are all over HTTPS (The firmware file its self is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed)

3. A good question that needs further investigation :)

4. The anonymous id doesn't have any glaring information at least not immediately from the analytics platforms documentation https://segment.com/docs/spec/identify/ however yes the other meta-data defeat the purpose of an anonymous id.

5. It is definitely sending the data while the app is in focus, and i believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.

6. Again something else to investigate :)

[f2prateek]

Assuming this app uses the Segment SDK, the SDKs are open source and you can see the implementation details yourself, e.g. https://github.com/segmentio/analytics-android. There's a high level overview at https://segment.com/blog/lifecycle-of-a-mobile-message.

[gmemstr]

I'd be really curious to see how this data is actually used on their end. I got my QC35s a few months ago and have been loving them, but was super disappointed when I read the article. I'll probably end up uninstalling the app for the time being, at least until it's resolved.

On another note, I wonder if any other wireless audio manufacturers are doing similar things.

[pyrophane]

I've been thinking about getting these. Does the app do anything particularly useful (I.e. Any important features I'd be missing out on by not having it)?

As a side note. I can imagine why they'd want this information. Seeing what people are listening to and what volume settings are commonly being used would potentially help them tune future products better for their "average user"

[Tsiklon]

The app allows you to use 1 headphone as a relay to another bose bluetooth headphone to play music from the same source, as well as firmware updates, renaming the device name the headphone appears as under bluetooth and finally changing the language of the voiceover (which announces things like device connections and low battery)

[rconti]

I concur. Have and love QC35 (got them on right now). I only downloaded the app to test some settings change, I think. It's not particularly useful for anything else. Since I don't have to use it to pair, I'm not sure how I'd know when it was "running" or not, short of manually killing it in the iOS task launcher/killer thing. Time to just uninstall.

[jumpkickhit]

Did you packet sniff what is being sent out? Or do you have some intermediary running on the device itself?

Just curious if it was difficult to do. If more people knew how to, maybe this sort of activity wouldn't sneakily happen as often.

[tomtalks]

Unless an android app uses certificate pinning (https://security.stackexchange.com/questions/29988/what-is-c...), it is usually trivial to MITM its traffic passing through your phone.

Provided you own and have physical access to your phone, you can use any number of proprietary/open free/costly tools to do so. (E.g Fiddler http://www.telerik.com/fiddler, Burp https://portswigger.net/burp/ and mitmproxy https://mitmproxy.org/)

In this case I used fiddler, all I had to do generate a custom root certificate (Be warned this is not a good idea in general, look up super fish if you want an example of why installing custom root certificates can be bad), install that certificate on my device and then proxy my device through the computer running fiddler.

This process is far better documented here http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/Conf... if you need any more help or advice let me know

[BoorishBears]

I recall older versions of one of those (forget which) generated a non-unique custom certificate, meaning anyone who had used it could be MITM'd with the same cert. It was changed later on, but it's a risk if you go with something poorly designed.

[pyrophane]

Not the above commenter, but here is a good summary of several ways it is possible to do this: http://stackoverflow.com/questions/9555403/capturing-mobile-...

I have used the approach of installing wire shark on a pc operating as an access point, and it was easy enough to set up assuming you have the requisite equipment.

[tmpethick]

This kind of interception is quite easy to setup with https://mitmproxy.org even for https requests and on iOS as well. (I'm not affiliated but have just used the software before for a similar task)

[jumpkickhit]

Wow, thanks for all the replies!

[throwawaybose]

Oddly enough, my Bose Sound Link speaker requests a "sync contacts" bluetooth permission. Anyone know why?

http://m.imgur.com/JDiNdKz

[callalex]

Does it announce or display who is calling?