Mobile and web apps have long been known to leak user information, either to the internet or via unencrypted plain text files held on the device. Normally the leaked information is clearly either harmless or severe; it is rare for a case to land right in the middle, where the data could be very serious or useless depending on who gets hold of it, and that is exactly the situation with Aviate.

If you haven’t yet heard, Aviate is a replacement home screen application that is currently running an invite-only beta via Google Play, and over the past month it has been growing hugely in popularity.

Today it was found that the company’s API exposes customer data on the web. The saving grace is that the information is hard to stumble upon: you need to know a user’s device ID before you can retrieve their record. That is the only barrier, though. A device ID is an identifier, not a secret; the 16-character hex value in the example below looks like an Android ID, which any app on the phone can read without asking for a permission, so it offers no real protection once someone decides to look.

The leaked information includes the user’s home location and the list of applications installed on the device. It is unclear what other information the company may be harvesting and storing online, as the rest of their directories are private.

[toggle title="Information Example" state="close" ]

{"home_latlng": "52.6297784,9.2342882",
 "id": "ead6b990510e4d9d",
 "installed_apps": [
  "com.google.android.gm", "com.dropbox.android", "com.socialnmobile.dictapps.notepad.color.note", "com.google.android.apps.docs", "tunein.player", "com.google.android.apps.maps", "com.google.android.youtube", "com.ebay.mobile",
  "com.google.android.music", "com.google.android.apps.plus", "com.devhd.feedly", "com.ideashower.readitlater.pro", "com.noinnion.android.greader.reader", "com.google.android.googlequicksearchbox", "com.google.android.apps.books", "com.adobe.flashplayer",
  "com.android.chrome", "com.adobe.reader", "com.hemispheregames.osmos", "com.alensw.PicFolder", "com.touchtype.swiftkey", "com.amazon.kindle", "com.estrongs.android.pop", "com.paypal.android.p2pmobile",
  "com.citc.wallbase", "com.mhuang.overclocking", "com.alarmclock.xtreme.free", "com.blizzard.bma", "com.teslacoilsw.launcher", "com.genina.android.blackjack.view", "cn.wps.moffice_eng", "com.whatsapp",
  "com.citc.weather", "com.github.mobile", "com.wunderkinder.wunderlistandroid", "com.google.android.gallery3d", "com.sand.airdroid", "jackpal.androidterm", "com.keramidas.TitaniumBackup", "com.googlecode.android.wifi.tether",
  "org.wordpress.android", "com.jwsoft.nfcactionlauncher", "com.android.calendar", "com.nianticproject.ingress", "com.dsd164.snake97", "com.s0up.goomanager", "org.adaway", "de.digitalesschwarzesbrett.dsblight",
  "uk.co.nickfines.RealCalcPlus", "eu.thedarken.sdm", "com.android.keepass", "coolcherrytrees.games.reactor4", "com.speedsoftware.sqleditor", "com.android.vending", "com.android.providers.downloads.ui", "com.android.browser",
  "com.android.mms", "com.android.settings", "com.google.android.talk", "com.android.stk", "com.fingersoft.hillclimb", "com.android.deskclock", "com.android.calculator2", "com.android.soundrecorder",
  "com.android.development", "com.trello", "com.amazon.venezia", "com.niksoftware.snapseed", "com.bel.android.dspmanager", "com.chrislacy.actionlauncher.pro",
  "pl.solidexplorer", "fishnoodle.canabalt_humble", "com.halfbrick.jetpackjoyride.amazon", "com.jensdriller.contentproviderhelper", "com.jv.falcon.pro", "com.androidemu.gbc", "de.arvidg.onlineradio", "pl.submachine.gyro",
  "com.cih.game_cih", "eu.chainfire.perfmon", "com.nexus4displaycontrol", "com.gabrielittner.timetable", "com.drinkdrankwasted.android.cvt", "com.quoord.tapatalkHD", "com.distractionware.superhexagon", "com.drummerGames.px14",
  "com.android.contacts", "com.google.android.gms", "com.crescentmoongames.slingshotracing", "com.oasisfeng.greenify", "com.android.dialer", "com.google.android.play.games", "com.google.android.googlequicksearchbox/.VoiceSearchActivity", "com.google.android.apps.plus/.phone.ConversationListActivity",
  "com.google.android.gallery3d/com.android.camera.CameraLauncher", "com.inappsquared.devappsdirect", "com.tul.aviate", "com.astuetz.android.adia", "com.chlap.neverhaveiever", "com.jiubang.browser", "com.nordicusability.jiffy", "com.john.plasmasky",
  "com.imgur.mobile", "com.ryanmkelly.me.flatro", "at.markushi.expensemanager", "com.slim.filemanager", "air.kenney.trid", "lost.cart.games.circulo", "com.kludgenics.android.notes", "com.laurencedawson.reddit_sync",
  "com.countercultured.irc.slim", "it.evilsocket.dsploit", "oliver.ehrenmueller.dbadmin", "com.owentech.DevDrawer", "com.tapchatapp.android", "com.noodlecake.velocispider", "com.leihwelt.android.write2", "com.fallentreegames.amazon.quellreflect",
  "com.futonredemption.android.widgetpreview", "com.abewy.klyph_beta", "de.skilloverflow.moneytracker", "com.felixheller.sharedprefseditor", "com.iwobanas.screenrecorder.free", "com.rockolabs.adbkonnect", "net.teknoraver.imageoptimizer", "com.cgollner.flashify",
  "kov.theme.nox", "ch.bitspin.timely", "com.patternedsoftware.viewsharedprefs", "com.nerdyoctopus.gamedots", "se.feomedia.quizkampen.de.lite", "de.skilloverflow.gitlab", "com.bd.gitlab"]}

[/toggle]

If you are concerned about your information being exposed, we would suggest contacting the app developers by email at help@thumbsuplabs.com.

[toggle title="Response to Concerns by Thumbsuplabs" state="open" ]Arvid,

Welcome to the Aviate Community! My name is Paul and I’m a Co-Founder of Aviate. I would personally like to thank you for being a part of our alpha community. Sorry for not responding sooner, we’re working hard to make Aviate as awesome as possible.

Thank you for reaching out to us regarding the privacy concerns you have. Privacy is very important to us and it is great to hear the specific requests from you.

As you probably know, we use the app data to organize your collections and predict what spaces to show you. We need to send it to our servers so that we can use our algorithms to predict what your context is. That being said, it is always important to be clear with the users.

Thanks again for letting us know. I’ve shared these requests with our team.

Please let me know if you have any other questions / concerns.

Best,

Paul

Co-Founder @ Aviate[/toggle]

Sadly, uninstalling #Aviate won’t help much: as +Jon F Hancock points out, the data remains on their server whether or not you remove the app. We are told that the new version of the API no longer stores the user’s home location, but we are also aware that the app requires it for location-based switching, so it is still stored; we just hope it is now secured.
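To make the two points above concrete, the following is an added example in Python; it is not Aviate's or Thumbs Up Labs' code, and the article does not show how their API is actually built. It models the lookup the article describes (a record handed to anyone who supplies a device ID) next to the same lookup bound to a random secret the server issues when the app first enrols, and adds the authenticated deletion call that uninstalling the app cannot perform. The in-memory dicts, the function names, the enrolment scheme and the shortened sample record are all assumptions made for illustration; only the device ID and home coordinates come from the article's example.

```python
"""Added example (not Aviate's code): lookup keyed by device ID alone versus
lookup bound to an enrolment secret, plus server-side deletion.

Assumptions, none from the article: the backend is modelled as in-memory
dicts and plain functions rather than HTTP handlers; the sample record is
constructed from the article's example with the app list shortened.
"""
import hashlib
import hmac
import secrets

# Constructed sample store, keyed by the 16-hex-digit device ID from the
# article. Only the ID and coordinates are taken from the page.
RECORDS = {
    "ead6b990510e4d9d": {
        "home_latlng": "52.6297784,9.2342882",
        "installed_apps": ["com.google.android.gm", "com.dropbox.android", "com.whatsapp"],
    },
}


def vulnerable_lookup(device_id: str):
    """Before: the device ID is the whole 'credential'. Anyone who learns it
    (another app on the phone, a log line, a guess) gets the record."""
    rec = RECORDS.get(device_id)
    return None if rec is None else dict(rec)


# Hardened variant: at enrolment the server mints a random 256-bit secret that
# only this install holds. The server stores only its hash, so a database leak
# does not hand out usable tokens.
TOKEN_HASHES: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Never matches a real token; used so unknown devices cost the same as bad tokens.
_DUMMY_HASH = _digest(secrets.token_urlsafe(32))


def enrol(device_id: str, home_latlng: str, installed_apps: list) -> str:
    """Store the record and return the one-time secret to the app.
    A known device cannot simply be re-enrolled, otherwise anyone who knew a
    victim's device ID could overwrite the record and take over the token."""
    if device_id in TOKEN_HASHES:
        raise PermissionError("device already enrolled; present its token instead")
    token = secrets.token_urlsafe(32)
    RECORDS[device_id] = {"home_latlng": home_latlng, "installed_apps": list(installed_apps)}
    TOKEN_HASHES[device_id] = _digest(token)
    return token


def _authorised(device_id: str, token: str) -> bool:
    expected = TOKEN_HASHES.get(device_id)
    # Constant-time compare against a dummy when the device is unknown, so that
    # unknown-device and wrong-token requests look the same to the caller.
    match = hmac.compare_digest(expected or _DUMMY_HASH, _digest(token))
    return match and expected is not None


def hardened_lookup(device_id: str, token: str):
    """After: the record is returned only to the holder of the enrolment secret.
    The article's pre-existing record has no token, so it is unreachable here."""
    if not _authorised(device_id, token):
        return None
    return dict(RECORDS[device_id])


def delete_account(device_id: str, token: str) -> bool:
    """Uninstalling the app does not touch server-side data; an authenticated
    deletion endpoint is what actually removes it."""
    if not _authorised(device_id, token):
        return False
    del RECORDS[device_id]
    del TOKEN_HASHES[device_id]
    return True


if __name__ == "__main__":
    # Constructed device ID for the demo; not a real device.
    print(vulnerable_lookup("ead6b990510e4d9d"))          # full record, no auth
    tok = enrol("0123456789abcdef", "52.6297784,9.2342882", ["com.tul.aviate"])
    print(hardened_lookup("0123456789abcdef", "guess"))   # None
    print(hardened_lookup("0123456789abcdef", tok))       # the record
    print(delete_account("0123456789abcdef", tok))        # True
    print(vulnerable_lookup("0123456789abcdef"))          # None: gone server-side
```

The design point is that the device ID keeps its job as a lookup key but loses all authority: the server answers only to a secret it generated itself, compares it in constant time against a stored hash, and exposes deletion through the same check, so a user who stops trusting the service has a way to remove the record rather than hoping an uninstall does it.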

Further update:

[toggle title="From the co-founder" state="open" ]

Paul Montoy-Wilson

Shared publicly – 20:38

> I’m one of the co-founders of Aviate. This is our top priority for our team and we are putting in a fix. If you have further questions/concerns, please don’t hesitate to reach out to me directly.

[/toggle]

Via: Arvid Gerstmann (Google+)