If you have a flashlight app on your phone you may be unwittingly sending your personal data, privacy information, and other sensitive details to cybercriminals around the world—doesn’t this just sound like the plot of some dystopian novel? A world brought to its knees by hackers invading your life through something as innocuous as a flashlight app could strike fear in anyone, and thanks to a whole lot of Internet fear-mongering the idea has done just that.
Flashlight apps have been around as long as smartphones themselves, so why are we just now hearing about their seemingly obvious dangers? You can thank SnoopWall, which bills itself as a privacy firm looking out for your best interests. The company released what it called a “Threat Assessment Report” earlier this month investigating flashlight apps on Android, iOS, and Windows Phone.
According to SnoopWall’s report, all of the top 10 most popular flashlight apps on the Google Play store are requesting permissions for things they shouldn’t, like GPS location data and media stored on the device. “Some appear designed to collect and expose your personal information to cybercriminals or other nation states,” the report boldly claims.
It all sounds pretty scary, but before you go culling your flashlight apps in one massive purge you should know that there’s very little to fear. While SnoopWall’s report makes things sound pretty dire, the company offers no actual proof that these apps are a threat to your personal security or—in the worst possible case—a danger to national security. Not one single shred of evidence is presented to support the company’s claims because none actually exists.
The closest thing SnoopWall is able to provide as proof of any wrongdoing is the FCC’s case against the makers of Brightest Flashlight, an app which was found to be collecting users’ data against their wishes. But there’s a big difference between what SnoopWall alleges and the case against Brightest Flashlight: The app’s creators weren’t sharing user data with an enemy of the state or a seedy cybercriminal, they were sharing it with advertisers for ad purposes.
The one thing that connects virtually all of these apps is that they’re free, which means that their developers are finding their paychecks in ways that don’t involve you directly paying for their products. In most cases that means offering what little information the app is able to glean from your location and app habits to advertisers so they have a better shot at presenting you with an ad you’ll find enticing.
This ad strategy isn’t exactly revolutionary, and it’s the same basic game plan used by virtually every other free service on the Web, including social networks like Facebook. If you fear advertisers learning your habits—and, by the way, it’s probably too late anyway—flashlight apps certainly won’t be the first thing you need to delete.
The saying goes “If you’re not paying for a product, you are the product” and that remains true when it comes to something as simple as a flashlight app. It’s also true of SnoopWall itself, which has been pushing its own flashlight app (as a replacement for all the ones that are trying to overthrow the U.S. government, naturally) and the oddly named Privacy App which is designed to highlight any other apps on your Android device that are a security risk and could do you harm.
The end goal here is to score licensing deals with app makers to include the company’s Privacy Shield software in their own apps. Just like the flashlight apps using you as ad fodder, SnoopWall wants your support which it can leverage in order to pay the bills. Companies need paychecks too, after all.
But that’s not the only thing that appears a bit hypocritical about SnoopWall’s aggressive attack against “dishonest” app developers. In researching SnoopWall’s generically named Privacy App I found that users almost universally agree that the app simply doesn’t work.
While the app promises to “find all the apps that are spying on you,” the user reviews suggest it’s not doing much good. The entire front page of the app’s Google Play listing is filled with reviews saying that the app produces nothing but false positives. SnoopWall’s app highlights the Google Play Store app, the Google Maps app, and even proper antivirus software apps as being huge risks. If Google Maps is a virus, we’re all in big trouble.
In fact, with so many negative written reviews it was shocking to see that the app still holds an overall solid rating of around 3.5 out of 5. I did a bit of digging and found the reason for SnoopWall’s above average Play Store status. It seems the app score is being buoyed by a massive chunk of ratings that all landed at the same time, including one day where the app received nothing but perfect five-star reviews.
The majority of the app’s review history consists of extremely negative reviews written with great detail, explaining all of the problems the app seems to have. By contrast, a three-day window where the app got nothing but great reviews looks a good bit different, with most “users” submitting their thoughts in five words or less, and never mentioning the app’s name or even what it does.
The most interesting part about this is that the suspiciously glowing—and horribly written—reviews do not appear in the Google Play Store at all, but are only readable when viewed in App Annie’s analytics tool. App Annie provides extremely thorough app metrics and holds on to the data from apps even after they’ve been deleted from the market, meaning that it’s also holding on to app reviews after they’ve been similarly culled for a variety of reasons.
If you’ve been using apps and browsing the various app stores for long enough, spotting fake reviews becomes very easy. When one of the many unscrupulous ratings boosting companies is hired to provide fake reviews and ratings, it’s increasingly likely that they will use software to do the dirty work. A virtual robot will be the one that actually “writes” each review and provides the rating, which is why they very rarely make sense and oftentimes fail to pass even a casual examination.
These fake reviews—which always appear in bursts of several reviews at a time—are always very generic in nature, not citing any of the app’s features or even its key purpose, but simply packing a few positive comments in as small a space as possible. “Amazing This app is the best for its purpose” and “Get it! Great app I use all the time” are perfect examples—both of these happen to appear in the five-star review list for Privacy App, along with dozens of others that hold the same robotic tone.
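The burst pattern described above can be checked mechanically. The following is an added example, not part of the original article or any tool it mentions: it flags days whose reviews are all five-star, arrive in a cluster, and are mostly short texts that never mention what the app does. The dates, the thresholds, the topic-term list and every review other than the two quoted above are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (date, stars, text). Only the two quoted five-star
# texts come from the article; dates and all other reviews are invented.
SAMPLE_REVIEWS = [
    ("2014-09-02", 1, "Flags Google Maps and my antivirus as spying, nothing but false positives"),
    ("2014-09-10", 5, "Amazing This app is the best for its purpose"),
    ("2014-09-10", 5, "Get it! Great app I use all the time"),
    ("2014-09-10", 5, "Love it so much"),
    ("2014-09-10", 5, "Best ever works great"),
    ("2014-09-15", 5, "Showed me which permissions each installed program uses, privacy scan was quick"),
    ("2014-09-15", 2, "Privacy scan lists the Play Store itself as a risk"),
]

# Assumed terms that a genuine review of this kind of app would plausibly mention.
TOPIC_TERMS = ("privacy", "spy", "permission", "scan", "false positive")


def is_generic(text, max_words=10, topic_terms=TOPIC_TERMS):
    """True when a review is short and silent about what the app is or does."""
    lowered = text.lower()
    short = len(text.split()) <= max_words
    return short and not any(term in lowered for term in topic_terms)


def suspicious_days(reviews, min_burst=4, generic_ratio=0.75):
    """Return sorted dates whose reviews form an all-five-star, mostly generic burst."""
    by_day = defaultdict(list)
    for day, stars, text in reviews:
        by_day[day].append((stars, text))

    flagged = []
    for day, items in by_day.items():
        if len(items) < min_burst:
            continue  # too few reviews to call it a burst
        if any(stars != 5 for stars, _ in items):
            continue  # organic days normally carry mixed ratings
        generic = sum(is_generic(text) for _, text in items)
        if generic / len(items) >= generic_ratio:
            flagged.append(day)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_days(SAMPLE_REVIEWS))
```

A flagged day is only a lead for manual reading; as noted below, it says nothing about who placed the reviews.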
Google’s Play Store policy strictly forbids the practice of purchasing or providing fake app reviews, as you might expect, and after a few emails with a Google representative I was told that the policy is actively enforced, though no specifics could be offered. Google, of course, couldn’t confirm whether the reviews in question were detected as being fake, but I believe that’s why they can’t be found in the live version of the Play Store, and now only reside in App Annie’s cached review list.
To be clear, I’m not accusing SnoopWall of buying fake reviews for its poorly-received app. Even if the reviews are fake, as I believe they are, proving who actually purchased them or why would be impossible, so there’s not much point in digging any deeper into it.
What I am suggesting, however, is that SnoopWall appears to be doing everything in its power to make itself seem like the only honest app developer, while stepping on the toes of other app makers in a way that contrasts sharply with its manicured image.
And also, you can reinstall your flashlight app.