Vlingo Privacy Breach: Data Sent to Remote Servers Without Consent
One of our users, Admin Jörg, recently discovered an entry in the logcat readout of his Samsung Galaxy Note that gave him pause. One of the running processes on his Note kept bringing up the following request: “I/HttpRequest-BackgroundHttpManager323(10019) …” He wasn't sure what to make of the curious request and quickly set up a filter, which organized each process by its process ID (PID), to help him get a handle on the odd request.
After several hours of work poring over his Galaxy Note he had his answer, and it seems Vlingo knows more about its customers than it's letting on.
But before we get into what Jörg found out, some information regarding the app in question: Vlingo is a preinstalled app on the Samsung Galaxy Note and can also be downloaded from the Android Market.
Service: com.vlingo.client.userlogging.UALService <- the service in question
After analyzing the filtered logcat readouts Jörg was able to determine the following:
1) User data is being collected
D/UALService:Timer-323(10019): VLG_transmitting user activity data <– Collection Process starts here
D/HttpManager:Timer-323(10019): VLG_Queing background http request: ActivityLog
D/VLServiceUtil:BackgroundHttpManager323(10019): VLG_** vlclient: <– Device Data collection starts
D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Getting location <– user location data is collected
D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Found provider : network <– network wifi location is collected
D/AndroidLocationUtils:BackgroundHttpManager323(10019): <– location data is compiled
D/HttpUtil:BackgroundHttpManager323(10019): VLG_extraHeaders: <– The http header is prepared
X-vlsoftware=Name=SamsungVoiceUI; Version=2.9.0.B1104; AppChannel=Preinstall Free,
DeviceOSName=Android; DeviceModel=GT-N7000; DeviceOS=2.3.6;
Language=de-DE; ConnectionType=DirectTCP; Carrier=T-Mobile A;
CarrierCountry=AT; DeviceID=359532540167434; AudioDevice=Android,
I/HttpRequest-BackgroundHttpManager323(10019): VLG_** Getting new http connection. method POST hc com.vlingo.client.android.core.http.custom.AndroidVStreamConnection@40625f00
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** postData=<user-log><user-id>359532540167434</user-id><setup started="
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** GZip compressing post data...
D/HttpRequest:BackgroundHttpManager323(10019): VLG_** response code: 200 <– here it checks whether the server actually answers
D/CookieHandler:BackgroundHttpManager323(10019): VLG_** domain: samsungvuiasr.vlingo.com
01-21 23:37:46.705: D/CookieHandler:BackgroundHttpManager323(10019): VLG_** done extracting
01-21 23:37:46.705: D/HttpRequest:BackgroundHttpManager323(10019): VLG_data len: 68
01-21 23:37:46.715: D/HttpRequest:BackgroundHttpManager323(10019): VLG_** finished <– transfer ends
D/UALService:BackgroundHttpManager323(10019): VLG_recv user log response
D/ThreadPoolExecutor:BackgroundHttpManager323(10019): VLG_finished worker execution:
2) The collected user data is sent to the following URL, unencrypted:
(The fact that the HTTP protocol is used indicates that data is transferred unencrypted.)
3) The transfer of user information occurs even when voice control is inactive.
4) User data transmission occurs every 4 minutes.
5) The data collection is not mentioned in Vlingo's user agreements.
If Vlingo is collecting user information, it should be listed publicly in its user agreements.
URL for Vlingo's privacy rules: http://www.vlingo.com/wap/privacy/en
URL for Vlingo's user agreement: http://www.vlingo.com/wap/terms/en
Version of the user agreement: Last updated on 11.08.11
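The findings above come from reading logcat by hand. As an added example (not code from the original post, from AndroidPIT or from Vlingo), the script below does the same triage mechanically: it parses logcat lines in the shape shown in the excerpt, pulls the device fields out of the X-vlsoftware header and the user-id out of the postData, measures how often "VLG_transmitting user activity data" fires, and checks whether the upload endpoint uses plaintext HTTP. The sample lines are constructed to mirror the excerpt; the timestamps on them are invented so that the cadence can be measured, and the endpoint URL is the one quoted later in the article.

```python
"""Triage of the Vlingo UALService logcat pattern described in the article.

Added example, not code from the original post or from Vlingo. Sample lines
are constructed to mirror the article's excerpt; timestamps are invented.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample logcat (same tags, threads and values as the article).
SAMPLE_LOGCAT = """\
01-21 23:33:46.100: D/UALService:Timer-323(10019): VLG_transmitting user activity data
01-21 23:33:46.120: D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Getting location
01-21 23:33:46.130: D/AndroidLocationUtils:BackgroundHttpManager323(10019): VLG_Found provider : network
01-21 23:33:46.200: D/HttpUtil:BackgroundHttpManager323(10019): VLG_extraHeaders: X-vlsoftware=Name=SamsungVoiceUI; Version=2.9.0.B1104; AppChannel=Preinstall Free, DeviceOSName=Android; DeviceModel=GT-N7000; DeviceOS=2.3.6; Language=de-DE; ConnectionType=DirectTCP; Carrier=T-Mobile A; CarrierCountry=AT; DeviceID=359532540167434; AudioDevice=Android,
01-21 23:33:46.300: I/HttpRequest-BackgroundHttpManager323(10019): VLG_** Getting new http connection. method POST
01-21 23:33:46.310: D/HttpRequest:BackgroundHttpManager323(10019): VLG_** postData=<user-log><user-id>359532540167434</user-id><setup started="
01-21 23:33:46.705: D/CookieHandler:BackgroundHttpManager323(10019): VLG_** domain: samsungvuiasr.vlingo.com
01-21 23:37:46.100: D/UALService:Timer-323(10019): VLG_transmitting user activity data
01-21 23:41:46.100: D/UALService:Timer-323(10019): VLG_transmitting user activity data
"""

# "MM-DD HH:MM:SS.mmm: L/Tag:Thread(pid): message"; the tag/thread separator is ':' or '-'.
# The timestamp is optional so that lines copied without it still parse.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): )?"
    r"(?P<level>[VDIWEF])/(?P<tag>[A-Za-z]+)[:-](?P<thread>[^(]+)\((?P<pid>\d+)\): ?(?P<msg>.*)$"
)
IMEI_RE = re.compile(r"^\d{15}$")  # an IMEI is 15 digits; loose shape check, no checksum


def parse_logcat(text):
    """Return one dict per line matching LINE_RE, with ts as a datetime (or None)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            if e["ts"]:
                e["ts"] = datetime.strptime(e["ts"], "%m-%d %H:%M:%S.%f")
            entries.append(e)
    return entries


def parse_vlsoftware(header):
    """Split the X-vlsoftware header into a dict; pairs are ';' or ',' separated."""
    body = header.split("X-vlsoftware=", 1)[-1]
    fields = {}
    for part in re.split(r"[;,]", body):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def triage(text, endpoint_url):
    """Summarise identifiers, location reads, upload cadence and transport security."""
    header = {}
    user_ids, uploads, location_reads = [], [], 0
    for e in parse_logcat(text):
        msg = e["msg"]
        if "VLG_extraHeaders" in msg:
            header = parse_vlsoftware(msg)
        elif "VLG_Getting location" in msg:
            location_reads += 1
        elif "VLG_transmitting user activity data" in msg and e["ts"]:
            uploads.append(e["ts"])
        m = re.search(r"<user-id>(\d+)</user-id>", msg)
        if m:
            user_ids.append(m.group(1))
    device_id = header.get("DeviceID", "")
    return {
        "identifiers": {k: header[k] for k in
                        ("DeviceID", "DeviceModel", "Carrier", "CarrierCountry", "Language")
                        if k in header},
        "device_id_looks_like_imei": bool(IMEI_RE.match(device_id)),
        # the <user-id> in the user-log body is the same value as the DeviceID header
        "user_id_matches_device_id": bool(user_ids) and all(u == device_id for u in user_ids),
        "location_reads": location_reads,
        "upload_intervals_s": [int((b - a).total_seconds()) for a, b in zip(uploads, uploads[1:])],
        "plaintext_endpoint": urlparse(endpoint_url).scheme == "http",
    }


if __name__ == "__main__":
    # Endpoint as quoted in the article.
    report = triage(SAMPLE_LOGCAT, "http://samsungvuiasr.vlingo.com:80/voicepad/activitylog")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the DeviceID and user-id being the same 15-digit value, one location read per upload, 240-second gaps between uploads, and an http:// endpoint. The same parser can be pointed at a full `logcat -v time` dump filtered on the UALService PID.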
Just to be safe, Samsung tries to cover its bases with a user agreement when you start the app for the first time. The first popup window instructs users to read the privacy rules and user agreement, but who actually takes the time to read through those rules? Not average users.
Vlingo's user agreement makes the following statements addressing information collected from users:
Statement: We will not use your name or any other personal information without obtaining your express permission in advance.
Commentary: This is patently untrue, as the data collection described above occurs without direct user consent.
Statement: We collect and store the location of your handset only when you speak.
Commentary: This is also a blatant falsehood. As the Vlingo transfer parameters demonstrate, location information is collected even when the Vlingo service isn't in use. What's more, the AndroidPIT user had opted out of the service and information was still collected.
Statement: We do not associate the handset's location with your personal information. We do not know who you are when you use the location-awareness component of our service.
Commentary: This is also a hard line to swallow. Vlingo knows the IMEI and the associated location; given that, it's hard to believe they can't establish a personal connection.
Statement: Vlingo uses physical, technical, and procedural techniques to ensure the security of your personal information.
Commentary: Sounds good, but it's also hard to believe. The user information is transferred to Vlingo over insecure channels that are also publicly accessible.
For example: http://samsungvuiasr.vlingo.com:80/voicepad/activitylog
How secure the server actually is, and how secure the data really is, is quite questionable. Based on our research, it seems safe to say that Vlingo's server isn't up to date in terms of security.
Statement: We do not and cannot use the information we collect from you to identify you as an individual or to identify your device.
Commentary: That is also not true, as the IMEI is a unique number used to identify each phone. Vlingo knows the IMEI because of its data collection methods.
But it's not just location and device-specific information that is sent to Vlingo's servers. The very first time a user logs into the service, a whole host of information is transferred to Vlingo's servers, of course unencrypted.
6) All names from users' contact lists are collected.
When Voice Control loads and users agree to the user agreement, the app begins to send all names from the user's contact list to Vlingo in the background.
The information is sent to the following URL:
D/HttpRequest:BackgroundHttpManager1(24427): <LMTT><PIM t="w"><e uid="1384"><fn>WGKK</fn><ln>10/1</ln><c></c></e><e uid="147"><fn>Auskunft</fn><ln>118 676</ln><c></c></e><e uid="228"><fn>Taxi</fn><ln>60</ln><c></c></e>........
7) Lists of all music titles, including song information, from titles saved on the SD card are collected.
Similar to contact information, information regarding all media files on the SD card is communicated to Vlingo.
D/HttpRequest:BackgroundHttpManager2(24427): <LMTT><SU uid="58" ttl="Rebekka und ich" art="Ludwig Hirsch" cmp="Rebekka Bakken" alb="In Ewigkeit Damen" gen="" yr="2006" fld="/mnt/sdcard/Samsung/Music"/>........
I/LMTTDBUtil-BackgroundHttpManager2(24427): VLG_opened DB. got android.database.sqlite.SQLiteDatabase@405e39f8
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ !!!! SUCCESSFUL CHUNK TRANSFER !!!!
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ chunk had 52 lmtt items
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ total for whole transfer is now 52
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _HttpResponse() from 'type="song,playlist" count="52,0""'
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ALL DONE LMTT UPDATE - SUCCESS
I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ response is com.vlingo.client.core.http.HttpResponse@40527cb0
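The LMTT fragments in sections 6 and 7 are cut off by logcat (the "........"), so a strict XML parser would reject them. As an added example (not code from the original post or from Vlingo), the script below inventories what the surviving fragments show leaving the phone: how many contact and song records, which SD card paths were disclosed, how many payloads were truncated, and the item count the app itself logged. The sample lines are constructed to match the excerpt, with a second song record and a cut-off trailing contact added to exercise the truncation handling.

```python
"""Inventory of what an LMTT upload carried, recovered from logcat lines.

Added example, not code from the original post or from Vlingo. Uses regexes
rather than an XML parser because logcat truncates long payloads.
"""
import re

# Constructed logcat lines: the contact payload ends mid-record, as logcat truncates.
SAMPLE_LINES = [
    'D/HttpRequest:BackgroundHttpManager1(24427): <LMTT><PIM t="w">'
    '<e uid="1384"><fn>WGKK</fn><ln>10/1</ln><c></c></e>'
    '<e uid="147"><fn>Auskunft</fn><ln>118 676</ln><c></c></e>'
    '<e uid="228"><fn>Taxi</fn><ln>60</ln><c></c></e><e uid="301"><fn>Cut',
    'D/HttpRequest:BackgroundHttpManager2(24427): <LMTT>'
    '<SU uid="58" ttl="Rebekka und ich" art="Ludwig Hirsch" cmp="Rebekka Bakken" '
    'alb="In Ewigkeit Damen" gen="" yr="2006" fld="/mnt/sdcard/Samsung/Music"/>'
    '<SU uid="59" ttl="Example" art="Someone" cmp="" alb="" gen="" yr="" fld="/mnt/sdcard/Music"/>',
    'I/LMTTChunkUpdate-BackgroundHttpManager2(24427): VLG_LMTTChunkUpdate: _ chunk had 52 lmtt items',
]

CONTACT_RE = re.compile(r'<e uid="(?P<uid>\d+)"><fn>(?P<fn>[^<]*)</fn><ln>(?P<ln>[^<]*)</ln>')
SONG_RE = re.compile(r'<SU (?P<attrs>[^>]*?)/>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
CHUNK_RE = re.compile(r"chunk had (\d+) lmtt items")


def contacts_in(line):
    """Complete <e> records in a PIM fragment; a cut-off trailing record is ignored."""
    return [m.groupdict() for m in CONTACT_RE.finditer(line)]


def songs_in(line):
    """<SU .../> records as attribute dicts (ttl, art, alb, fld, ...)."""
    return [dict(ATTR_RE.findall(m.group("attrs"))) for m in SONG_RE.finditer(line)]


def lmtt_inventory(lines):
    """Count what the captured fragments show, plus the item count the app logged."""
    inv = {"contacts": 0, "songs": 0, "sdcard_paths": set(),
           "truncated_payloads": 0, "items_reported_by_app": 0}
    for line in lines:
        if "<LMTT>" in line:
            contacts = contacts_in(line)
            songs = songs_in(line)
            inv["contacts"] += len(contacts)
            inv["songs"] += len(songs)
            inv["sdcard_paths"].update(s["fld"] for s in songs if s.get("fld"))
            # no closing </LMTT> means logcat cut the payload: the real count is higher
            if "</LMTT>" not in line:
                inv["truncated_payloads"] += 1
        m = CHUNK_RE.search(line)
        if m:
            inv["items_reported_by_app"] += int(m.group(1))
    return inv


if __name__ == "__main__":
    print(lmtt_inventory(SAMPLE_LINES))
```

The gap between the records visible in the fragments and the count the app reports ("chunk had 52 lmtt items") is itself a finding: logcat shows only the head of each payload, so a full picture needs a packet capture rather than the log.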
8) What can you do about it?
- First and foremost, disable the “use my location” option in the Vlingo settings. This prevents any location information from being associated with the data Vlingo collects.
- If you delete Vlingo's associated data via Menu > Applications > Vlingo, then Vlingo can no longer collect your information. Of course, this also means you can't use voice control any more.
- If you have root access to your phone you can also delete the app, but it's hard to say whether this will impact the performance of your device in other areas.
Even if the first user warning indicates that user data will be collected, it gives neither a true picture of the scope of the collected information nor an accurate picture of how secure the transferred data really is. Vlingo's data collection policy is an invitation to abuse user information and private data.
I was exposed to the same vulnerability by this app. However, my data were sent to: 188.8.131.52:80, which Whois attributes to MCI Communication Services Inc. I believe that such behavior can only be intentional, regardless of any justification the company may produce. My great disappointment was with regard to Samsung.
Hi there, just registered to share my experience.
Found the suspicious connection by myself while checking the HTTP traffic of my Galaxy S2 running Android 4.0.3 ICS. A quick search for "samsungvuiasr.vlingo.com" led me to this site.
This is to confirm the problem has not been solved despite what the first commenter, allegedly from Vlingo, promised 6 months ago.
I personally have solved the issue in a much simpler way: I redirected the incriminated site to loopback in the hosts file. In other words, if you have a rooted phone, do the following:
1) make sure your phone is rooted
2) install a terminal emulator application
3) from the terminal app, become root and mount "/system" as read/write:
$ su root
# mount -o remount,rw /system
4) edit the hosts file (vi /etc/hosts) and insert this line:
5) save the file and reboot the phone
Nothing has been changed after the German ICS 4.0.3 update. Voice Control ("Sprachsteuerung") is still phoning home in the same way.
Today: I found it after a packet capture on my Fritz!Box.
Good news: "Voice Control" can be disabled in the application management.
Read my German post at Heise: http://www.heise.de/mobil/newsticker/foren/S-WARNUNG-Diese-Software-quatscht-staendig-mit-vlingo-com/forum-228609/msg-21847798/read/
Hello. I work at Vlingo and just wanted to let the Android Pit readers know that we're aware of these claims and take them very seriously. We have been investigating them in great detail the last 48 hours, and will make the results of our findings available to the Android Pit community later today. Very much appreciate the patience as we work to gather as much information as is possible.