Spotify Music

Retest Observations

We retested this app on 19.02.2019. The app doesn’t contact Facebook as soon as the app is opened.

Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.

From the Google Play Store page:

"With Spotify, you have access to a world of music and podcasts. You can listen to artists and albums, or create your own playlist of your favorite songs"

Observed Behaviour

This documentation records the actions taken by the test user and the app's subsequent responses.

Test user action 1: The user taps on the application icon, which opens the application.
Response from app: The application is initialised and the following data is sent and received by the app.

Immediately after the app is opened, the app sends the following HTTP GET request to graph.facebook.com:

GET https://graph.facebook.com/v2.11/174829003346?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1

The app receives the following response from graph.facebook.com:

 {
  "supports_implicit_sdk_logging":true,"gdpv4_nux_enabled":false,"gdpv4_chrome_custom_tabs_enabled":true,"android_sdk_error_categories":[ {
    "name":"login_recoverable","items":[ {
      "code":102
    }
    , {
      "code":190
    }
    ],"recovery_message":"Please log in to this app again to reconnect your Facebook account."
  }
  ],"app_events_session_timeout":60,"app_events_feature_bitmask":5,"seamless_login":1,"smart_login_bookmark_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png","smart_login_menu_icon_url":"https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png","id":"174829003346"
}

Without any further user action, the app sends the following request to graph.facebook.com:

Form data:
format:                       json
sdk:                          android
event:                        MOBILE_APP_INSTALL
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZfacf20e7-bc74-4e93-8418-cf8cf04644e6
application_tracking_enabled: true
extinfo:                      ["a2","com.spotify.music",39587729,"8.4.82.664","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.spotify.music

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Without any further user action, the app sends the following request to graph.facebook.com:

Form data:
format:                       json
sdk:                          android
custom_events_file:           [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543787044,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","share_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543787044,"_ui":"MainActivity","_session_id":"60d05961-b5c9-4892-afe3-0589b2e5a730","fb_mobile_launch_source":"Unclassified()"}]
event:                        CUSTOM_APP_EVENTS
advertiser_id:                474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled:  true
installer_package:            com.android.vending
anon_id:                      XZfacf20e7-bc74-4e93-8418-cf8cf04644e6
application_tracking_enabled: true
extinfo:                      ["a2","com.spotify.music",39587729,"8.4.82.664","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name:     com.spotify.music

The app receives the following response from graph.facebook.com:

 {
  "success":true
}

Response from app: The user is asked to sign in.
Test user action 2: The user doesn't sign in, and eventually quits the app.

Test user action 3: The user closes the application.
Response from app: No further data is sent to or received from graph.facebook.com by the app.
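The two POST bodies above can be audited mechanically for what they disclose before the user has done anything. The following is an added example, not part of the Privacy International report: it reconstructs the two form bodies from the values shown on this page (the custom_events_file entries are shortened) and reports the persistent identifiers, the device details and the logged event names. The extinfo position labels are an assumption about the SDK's array layout, not something the page states.

```python
"""Added example: audit Facebook SDK app-event POSTs like those captured above.
Bodies are constructed from the page's values; extinfo labels are assumed."""
import json
from urllib.parse import parse_qs, urlencode

# Constructed bodies mirroring the two POSTs on the page.
EXTINFO = ["a2", "com.spotify.music", 39587729, "8.4.82.664", "8.1.0",
           "Nexus 5", "en_GB", "GMT", "", 1080, 1776, "3.00", 4, 13, 6,
           "Europe/London"]
COMMON = {"format": "json", "sdk": "android",
          "advertiser_id": "474364c6-e9cf-4971-8dd2-b1dc3c605450",
          "advertiser_tracking_enabled": "true",
          "anon_id": "XZfacf20e7-bc74-4e93-8418-cf8cf04644e6",
          "application_tracking_enabled": "true",
          "extinfo": json.dumps(EXTINFO),
          "application_package_name": "com.spotify.music"}
INSTALL_BODY = urlencode({**COMMON, "event": "MOBILE_APP_INSTALL"})
CUSTOM_BODY = urlencode({**COMMON, "event": "CUSTOM_APP_EVENTS",
    "custom_events_file": json.dumps([
        {"_eventName": "fb_sdk_initialize", "_implicitlyLogged": "1"},
        {"_eventName": "fb_mobile_activate_app", "_ui": "MainActivity"}])})

IDENTIFIER_FIELDS = ("advertiser_id", "anon_id")   # persistent, cross-app IDs
EXTINFO_LABELS = ("sdk_tag", "package", "version_code", "version_name",
                  "os_version", "device_model", "locale")  # assumed layout


def audit_app_event(body: str) -> dict:
    """Summarise what one graph.facebook.com app-event POST discloses."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    ext = json.loads(fields.get("extinfo", "[]"))
    events = [e["_eventName"]
              for e in json.loads(fields.get("custom_events_file", "[]"))]
    return {
        "event": fields.get("event"),
        "identifiers": {k: fields[k] for k in IDENTIFIER_FIELDS if k in fields},
        "ad_tracking_enabled": fields.get("advertiser_tracking_enabled") == "true",
        "device": dict(zip(EXTINFO_LABELS, ext)),
        "custom_events": events,
    }


def events_with_identifiers(bodies) -> list:
    """Event names of the POSTs that carry a persistent identifier; on this
    page all of them were sent with no user action beyond opening the app."""
    return [a["event"] for a in map(audit_app_event, bodies) if a["identifiers"]]
```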

Notes and Commentary

Note 1: In the videos below, the clocks of the VirtualBox virtual machine and the phone handset are not synchronised.
Note 2: Due to the way Spotify renders, it appears that the app cannot be screen-recorded using ADB; the video is included for completeness only.

Company Response

Spotify, 11 February 2019 (via Email to Privacy International)

"Thank you again for the well-researched report and heads up to the Android community on the default behaviour of the Facebook Android SDK.  We wanted to let you and our users know that we have updated the Spotify Android app to address the issues raised.  The update is available starting in version 8.4.89 (Jan 12, 2019)."

Spotify, 27 December 2018 (via Email to Privacy International)

“Thank you for bringing this matter to our attention. Spotify is committed to transparency and fairness in how it processes personal data in connection with the Spotify app and service. We are currently working to evaluate Privacy International's technical findings (the details of which shared by Privacy International are quite brief) and to understand the context of data being transmitted to graph.facebook.com. If necessary, we will also evaluate whether changes should be made as part of this Facebook integration. However, as this is a technically complex and important matter, our technical evaluation is unlikely to be complete prior to your organisation’s publication of its report.”

Date Tested:                                                               03/12/2018
App Version:                                                               8.4.82.664
Number of App Installs (according to Google Play Store at time of analysis): 100,000,000+
Facebook SDK Version:                                                      4.31.0
Opt out of Ads Personalisation (Google Settings):                          Not Enabled (Default Setting)