Spotify Music
We retested this app on 19.02.2019. The app doesn’t contact Facebook as soon as the app is opened.
Disclaimer: the tested app may still share data with other third parties. This is outside the scope of this work.
From the Google Play Store page:
"With Spotify, you have access to a world of music and podcasts. You can listen to artists and albums, or create your own playlist of your favorite songs"
This documentation demonstrates actions taken by the test user and the app's subsequent responses.
Test user action 1: The user taps on the application icon, which opens the application
Response from app: The application is initialised and the following data is sent and received by the app:
Immediately after the app is opened, the app sends the following HTTP GET request to graph.facebook.com:
GET https://graph.facebook.com/v2.11/174829003346?fields=supports_implicit_sdk_logging%2Cgdpv4_nux_content%2Cgdpv4_nux_enabled%2Cgdpv4_chrome_custom_tabs_enabled%2Candroid_dialog_configs%2Candroid_sdk_error_categories%2Capp_events_session_timeout%2Capp_events_feature_bitmask%2Cseamless_login%2Csmart_login_bookmark_icon_url%2Csmart_login_menu_icon_url&format=json&sdk=android HTTP/1.1
The app receives the following response from graph.facebook.com:
{
  "supports_implicit_sdk_logging": true,
  "gdpv4_nux_enabled": false,
  "gdpv4_chrome_custom_tabs_enabled": true,
  "android_sdk_error_categories": [
    {
      "name": "login_recoverable",
      "items": [
        {"code": 102},
        {"code": 190}
      ],
      "recovery_message": "Please log in to this app again to reconnect your Facebook account."
    }
  ],
  "app_events_session_timeout": 60,
  "app_events_feature_bitmask": 5,
  "seamless_login": 1,
  "smart_login_bookmark_icon_url": "https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yh\/r\/HyQ4Fq_iGUX.png",
  "smart_login_menu_icon_url": "https:\/\/static.xx.fbcdn.net\/rsrc.php\/v3\/yR\/r\/xi3BPJ134MF.png",
  "id": "174829003346"
}
Without any further user action, the app sends the following request to graph.facebook.com:
format: json
sdk: android
event: MOBILE_APP_INSTALL
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZfacf20e7-bc74-4e93-8418-cf8cf04644e6
application_tracking_enabled: true
extinfo: ["a2","com.spotify.music",39587729,"8.4.82.664","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: com.spotify.music
The app receives the following response from graph.facebook.com:
{
"success":true
}
Without any further user action, the app sends the following request to graph.facebook.com:
Form data:
format: json
sdk: android
custom_events_file: [{"_eventName":"fb_sdk_initialize","_eventName_md5":"d470d22f237aee69843355edba5a8178","_logTime":1543787044,"_ui":"unknown","_implicitlyLogged":"1","core_lib_included":"1","login_lib_included":"1","share_lib_included":"1","applinks_lib_included":"1"},{"_eventName":"fb_mobile_activate_app","_eventName_md5":"cb7f3b6cd294afce05ece615d43ea7b9","_logTime":1543787044,"_ui":"MainActivity","_session_id":"60d05961-b5c9-4892-afe3-0589b2e5a730","fb_mobile_launch_source":"Unclassified()"}]
event: CUSTOM_APP_EVENTS
advertiser_id: 474364c6-e9cf-4971-8dd2-b1dc3c605450
advertiser_tracking_enabled: true
installer_package: com.android.vending
anon_id: XZfacf20e7-bc74-4e93-8418-cf8cf04644e6
application_tracking_enabled: true
extinfo: ["a2","com.spotify.music",39587729,"8.4.82.664","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]
application_package_name: com.spotify.music
The app receives the following response from graph.facebook.com:
{
"success":true
}
Response from app: The user is asked to sign in
Test user action 2: The user doesn't sign in, and eventually quits the app
Test user action 3: The user closes the application
Response from app: No further data is sent or received by the app from graph.facebook.com
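The following is an added example, not part of the original report or Privacy International's tooling: one way to summarise captured form bodies like the two above, decoding `extinfo` and `custom_events_file` and reporting which identifiers repeat across requests. The function names and the `extinfo` position names are assumptions; the positions are inferred from the captured values.

```python
import json

# Identifier fields as they appear in the captured requests on this page.
ID_FIELDS = ("advertiser_id", "anon_id")
# Assumed meaning of each extinfo position, inferred from the captured values.
EXTINFO_KEYS = ("format", "package", "version_code", "version_name", "os_version",
                "device_model", "locale", "tz_abbrev", "carrier", "screen_w",
                "screen_h", "density", "cpu_cores", "storage_total_gb",
                "storage_free_gb", "timezone")

def audit_request(form):
    """Summarise what one captured app-events form body discloses."""
    extinfo = dict(zip(EXTINFO_KEYS, json.loads(form.get("extinfo", "[]"))))
    events = json.loads(form.get("custom_events_file", "[]"))
    return {
        "event": form.get("event"),
        "identifiers": {k: form[k] for k in ID_FIELDS if k in form},
        "device": {k: v for k, v in extinfo.items() if v != ""},
        "sdk_events": [e["_eventName"] for e in events],
        "implicit_events": [e["_eventName"] for e in events
                            if e.get("_implicitlyLogged") == "1"],
    }

def linkable_identifiers(forms):
    """Identifier values repeated across requests, which let them be joined."""
    seen = {}
    for i, form in enumerate(forms):
        for k in ID_FIELDS:
            if k in form:
                seen.setdefault((k, form[k]), []).append(i)
    return {key: idxs for key, idxs in seen.items() if len(idxs) > 1}

# The two requests from the capture above; custom_events_file is abridged
# to the fields this example reads.
COMMON = {
    "format": "json", "sdk": "android",
    "advertiser_id": "474364c6-e9cf-4971-8dd2-b1dc3c605450",
    "anon_id": "XZfacf20e7-bc74-4e93-8418-cf8cf04644e6",
    "extinfo": r'["a2","com.spotify.music",39587729,"8.4.82.664","8.1.0","Nexus 5","en_GB","GMT","",1080,1776,"3.00",4,13,6,"Europe\/London"]',
}
INSTALL = dict(COMMON, event="MOBILE_APP_INSTALL")
CUSTOM = dict(COMMON, event="CUSTOM_APP_EVENTS", custom_events_file=json.dumps([
    {"_eventName": "fb_sdk_initialize", "_ui": "unknown", "_implicitlyLogged": "1"},
    {"_eventName": "fb_mobile_activate_app", "_ui": "MainActivity"},
]))

if __name__ == "__main__":
    for form in (INSTALL, CUSTOM):
        print(json.dumps(audit_request(form), indent=2))
    print(linkable_identifiers([INSTALL, CUSTOM]))
```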
Note 1: In the videos below, the clocks between the VirtualBox Virtual Machine and the Phone handset are not synchronised.
Note 2: Due to the way Spotify renders, it appears that it cannot be screen-recorded using ADB; the video is included for comprehensiveness only.
Spotify, 11 February 2019 (via Email to Privacy International)
"Thank you again for the well-researched report and heads up to the Android community on the default behaviour of the Facebook Android SDK. We wanted to let you and our users know that we have updated the Spotify Android app to address the issues raised. The update is available starting in version 8.4.89 (Jan 12, 2019)."
Spotify, 27 December 2018 (via E-Mail to Privacy International)
“Thank you for bringing this matter to our attention. Spotify is committed to transparency and fairness in how it processes personal data in connection with the Spotify app and service. We are currently working to evaluate Privacy International's technical findings (the details of which shared by Privacy International are quite brief) and to understand the context of data being transmitted to graph.facebook.com. If necessary, we will also evaluate whether changes should be made as part of this Facebook integration. However, as this is a technically complex and important matter, our technical evaluation is unlikely to be complete prior to your organisation’s publication of its report.”