Privacy Encroachments From Your Favorite eBook Reader: Amazon Kindle

Although we blog often about security and the importance of protecting information at rest and in transit, we often forget why security is important in the first place: the privacy of the individual.

Kindle Privacy PermissionsThis morning, while doing my typical 10 stationary (bike) miles, I decided to grab my new Samsung Galaxy S5 and catch up on some reading. Just as I went to open up my Kindle App, I saw a notification alerting me to update the app to the latest version.

Figuring that updating mobile apps is a worthwhile pursuit when confined to a stationary bike, I clicked “Update” and was then presented with the following screen explaining that Amazon’s Kindle needed access to the following on my smartphone:

 Device & app history
 Identity
 Photos/Media/Files
 Wi-Fi connection information
 Device ID & call information

I hate to admit that I was just about to click on the big Accept button at the bottom when I said, “hum, I should look a little deeper.”

 

Device & app history

I touched the first line and opened up the first “category” of permission requests. I have to say, this is a very clever way of obfuscating the details that might otherwise cause a normal person to say, “whoa, wait a minute.” It says:

Allows the app to view one or more of: information about activity on the device, which apps are running, browsing history and bookmarks

For the uninitiated, please allow me to translate:

You just gave Amazon permission to track everything you do on your device, which apps you use and when you use them. In addition, the permission request goes even further to request information on what sites you’ve visited, when you visited them and which sites you’ve bookmarked. Wow! Keep in mind that this is supposed to be a simple eReader app.

 

Identity

IdentityThis is the one request that is perfectly reasonable. Who are you? In my view, if you’re downloading and using their software, it’s reasonable for them to know who is downloading and using their app.

 

Photos/Media/Files

Ok, the app can access and render files other than kindle eBooks. Fair enough. But why on earth would anyone want to do this via the Kindle app? Keep in mind that the phone has native photo, video and file manager apps that are far superior to accessing those file types via the Kindle app. Is the functionality worth granting access? Not even close.

 

Wi-fi connection information

Why does an eBook application need permission to examine my Wi-fi connection?

 
 

Allows the app to view information about Wi-fi networking, such as whether Wi-fi is enabled, and names of connected Wi-fi devices.

Connected Wi-fi devices? Why would my eBook reader app need to know about “OTHER” devices connected to Wi-fi. Bizarre.

 

Device ID & call information

Kindle AppThe last category is perhaps the most egregious.

Even though we already asked for your identity (see above) we’d also like to get our hands on your phone number and all specific ids that can be used to identify your device, whether or not you’re in the middle of making a phone call and, unbelievably, what the phone number is of the person on the other end.

I’d love to hear how on earth this could ever be used to help the user’s experience.

After a long love affair with Amazon’s Kindle app, I could no longer tolerate the infidelity and this morning I was forced to kick her to the curb.