While the music industry as a whole flails about with an identity crisis and its fingers in its ears as to how music fans want to hear their tunes and spend their money, Jay-Z and Samsung tried to showcase how “with it” they are- but failed spectacularly. Jay-Z’s album released as an early access mobile app failed to deliver to his fans, and added insult to injury when the app requested access to fans’ devices and personal information.
#SamsungFail
The web was all atwitter with “#SamsungFail” trending far and wide when fans were upset at losing out on access to the highly anticipated release of “Magna Carta Holy Grail”- Jay-Z’s hot summer release. The app didn’t work, but worse than that… it required users to share:
- Phone status and identifiers
- Contacts/accounts
- Facebook and Twitter logins, plus posting permissions
- Device GPS location, approximate or precise
- Info on other apps running on the device
- Full network access
Promiscuous Permissions
The frisky app delved deep into the lives of fans who downloaded the album app, with the ability to access and gather personally identifiable information (PII) data. The marketing ploy appears from the outside to have failed, but perhaps it was-in actuality- wildly successful behind the scenes. A wealth of information may have been gleaned from fans, exposing that information to third parties as a treasure trove of demographical information about potential customers- “marketing booty” if you will. The app maxed out the permissions it sought, seeking privileges far beyond those necessary to download audio, play it for the user, and provide extras such as lyrics to eager fans. With full network access, the information could be sent back to servers far and wide for collection, collaboration, and collation. This is in addition to any programming errors made along the way, leading to vulnerabilities that could let an attacker intrude into the device. That’s a lot of intrusiveness for one app. Purposeful deception and data collection is pretty bad, but if the issue was developers that just didn’t know any better, it’s highly likely that there are also inadvertent implementation errors leading to mobile app vulnerabilities as well.
CALL TO ACTION!
Step Up!: The solution here- whether or not the invasive permissions were an oversight or deliberately chosen- is for Jay-Z to make a stand and show that he supports his fans and respects their privacy in this day and age of detested domestic surveillance. Limit Permissions: An update to the app should be released that follows the Principle of Least Privilege, and requests as few permissions as necessary to provide fans with access to the album that they were eager to hear. It might not be a bad idea to subject the app to a security design review and penetration test as well. Clean Out Data: Additionally, and perhaps most importantly, any information that may have been collected- whether inadvertently, on purpose, locally on the device, or sent back to the #SamsungMotherShip- should be purged from any systems that host the ill-gotten bounty. Groove: As a bonus, this updated app should ALSO do what it was supposed to do, and let fans hear the music! If the issue was one of a knowledge gap for the app’s developers, we at Safelight are set to debut our Secure Development for Mobile Devices curriculum, with the first module titled “Introduction to Secure Mobile Development” that may be a valuable resource. This course includes a section on “User Privacy” with lessons on “PII”, and “Repercussions”- as well as an interaction to help distinguish between Safe and Not Safe practices.