In a promotion for its Galaxy phones, Samsung announced it would deliver a million free copies of Brooklyn rapper Jay Z's new album days before its official release. But it did so using a spyware Android app designed to track your location and harvest phone numbers you call, your device ID and which apps you use.



Source: Google Play

Samsung's free Android mobile app "JAY Z Magna Carta" only works with select models, specifically the new Galaxy S 4, Galaxy S III, Galaxy Note II. But as New York Times music critic Jon Pareles wrote, "Itâs an ugly piece of software."

"Itâs an ugly piece of software." Samsung paid $5 million for the early distribution rights of the "Magna Carta Holy Grail" album, which ironically comes from an artist with lyrics that are "indignant about phone surveillance and bribing witnesses," Pareles stated.

The singer's 2010 track "Jayâs Back ASAP" complained, "They tap, them feds donât play fair/They pay rats to say that theyâre part of your operation."

Samsung-style Free and Open

Taking advantage of Google's "Trojan Horse" Android security model, the Samsung app simply demands access to a broad range of rights on the user's phone before allowing installation, even though all it really does is play back the album. It does not add the songs to a user's music library.

This includes tracking users' "precise GPS location." The app permissions page is so unnecessarily invasive that fellow rapper Killer Mike tweeted in response, "I read this andâ¦ 'Naw I'm cool.'"

I read this and........"Naw I'm cool" pic.twitter.com/x8fXPG1tvC â Killer Mike (@KillerMikeGTO) July 2, 2013

Unlike Apple's iOS, installed Android apps don't have to alert the user or ask for permission when they want to track the GPS location or access contacts or social network accounts, and there's actually provisions for apps to access users' phone call information and running apps. iOS is an app platform, not an ad platform.

Free love, NSA

Pareles added, "it demands permissions, including reading the phoneâs status and identity." On Android, this includes obtaining a unique device ID that can be used by advertisers like a web cookie (but not eased by the user), but also includes collecting the user's phone number, tracking when the phone is in use on a call, and even "the remote number connected by a call."

In contrast, Apple has been incrementally working to increase users' privacy on iOS, warning developers in 2011 that they needed to stop relying upon iOS users' Unique User IDs because they would no longer be available. iOS 6 removed UUID access, effectively terminating OS-wide user tracking by ad networks.

In place of UUID, Apple's iOS 6 turned the tables to introduce an "Advertising Identifier," which serves as "a non-permanent, non-personal device identifier, that advertising networks will use to give you more control over advertisers' ability to use tracking methods."

I will tell your friends you love us

Samsung's new app "also gathers 'accounts,' the e-mail addresses and social-media user names connected to the phone," Pareles added. "When installed, it demanded a working log in to Facebook or Twitter and permission to post on the account."

In order to "unlock" lyrics within the app, users must tweet out a promo for each song on the album they want to read.

"Itâs telling that Jay-Z â who boasts regularly about his millions of sales â and Samsung didnât simply trust fans to post or tweet on their own," Pareles wrote.

Additionally, the app also demands permission to "retrieve running apps," which means it can "discover information about which applications are used on the device," another feature Google supports as a common permission on Android apps.

Why Samsung's "free" album app would need to track the GPS location, phone numbers, phone calls, social accounts and installed apps on users' phones is questionable enough, but even more interesting is that Android supports and enforces such invasive "app distributor's rights."

Fed-style surveillance on your open platform

"On some level, Jay-Z knows better. A streak of paranoia has been running through his lyrics for years," Pareles wrote, citing a line from âSomewhere in Americaâ that says, âFeds still lurking/They see Iâm still putting work in.â

"Yet now, itâs Jay-Z whoâs lurking â in my phone," he added. "Another song, 'Nickels and Dimes,' insists, 'The greatest form of giving is anonymous to anonymous.' For the gift of the album, fans arenât anonymous to Jay-Z now. Heâs another data miner, gathering more than half a million e-mail and social-media accounts. Maybe he should send us an apology."

The app's rollout wasn't without flaw either, Pareles noted. "The app didnât deliver my album for more than hour after it was supposed to be available. Jay-Zâs sponsors at Samsung proved themselves not only intrusive, but technically inept."

With official Samsung Android apps like these, who needs malware authors?

Earlier this week, Bluebox Labs noted a security flaw that can enable anyone to surreptitiously replace a vendors' trusted installed apps with a rogue version that the Android OS can't identify as corrupted, therefore gaining widespread access to spy on the user.