Application security company Veracode undertook an analysis of the Pandora app for Android, after Pandora revealed in a regulatory filing that it is among a number of companies contacted as part of a probe by the US authorities. According to the investigation, the app supports five different advertising libraries, including AdMob and Google Ads, with the information accessible by AdMob, for example, including GPS location, application package name, application version information – “additionally, there were variable references within the ad library that appear to transmit the user’s birthday, gender, and postal code information.” Veracode noted that “as more and more ‘free’ applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms.”

Veracode highlighted that the breaches of user privacy may not be intentional on the part of the developer. “The application developers may not even be aware of the privacy violations they are introducing by using third party advertising libraries. They may merely think they are getting $x per ad impression, not that the ad library is leaking significant information about the user.” With developers looking to maximise their returns by working with one or more ad networks (and even multiple networks simultaneously in the same app), the potential for a large amount of user information to be shared across a wide user base increases significantly.

So far, the US investigation has not been confirmed by the authorities. According to a Wall Street Journal report, the probe is centered on “whether the app makers fully described to users the types of data they collected and why they needed the information – such as a user’s location or a unique identifier for the phone.”