gf_gollum

android (Archived) R U Spyware?


We are not spyware.

When you install our Android client, we ask for permission to your Contacts should you choose to email notes from your account via the Evernote Android client. Any notes emailed are sent via our servers, but we don't "Track" which notes you've sent, or the content of those notes, etc.

We also need access to your data plan so we can connect to the internet and sync your notes.

No spyware here.


Sort of timely. I am considering using Evernote and was going to download it on my phone. I saw a comment on the Android Market about the Evernote app being listed in this study about sending phone numbers, call info etc in the background etc.

I guess I am on the fence now. After reading these articles like the one at PC World (http://www.pcworld.com/article/206710/i ... ?tk=hp_new)

Evernote folks: can you specifically address the things brought up in this PC World article? (below)

" * Two thirds of these apps violated user privacy by sharing location data or information that could identify individual handsets.

* Half of them sent user location information to advertising networks like Admob or analytics companies like Flurry without user consent.

* Seven of the apps sent the unique device identification numbers of the GSM user and the handsets' SIM card to its servers.

* Two of the apps captured the users' cell phone number along with the ID number and the users' geographical coordinates.

Nice.

Mind you, if the police wanted this information, they'd need a court order. These apps are doling it out like candy to advertising firms and storing it on their own servers. Per the study [PDF]:"


Oh, yeah, sorry - I forgot that we also use your GPS/Cell phone triangulation if you don't have one to geolocate your notes - and place this information into your note database. This is also a majorly advertised feature of our mobile clients, and not something we're trying to hide.

We don't share anything with advertisers.


When you install Evernote from the Market, you see a screen that warns you that the application has access to the following (this is their wording):


* Your location (coarse (network-based) location, fine (GPS) location)
* Network communication (full Internet access)
* Your personal information (read contact data)
* Storage (modify/delete SD card contents)
* Hardware controls (record audio, take pictures)
* Phone calls (read phone state and identity)

If you say "OK" and install our app anyway, then we will install and run normally. If you press the "Snapshot" button on our home screen, we will access the camera. If you press the "Audio note" button, we will (surprise!) access the microphone. If you enable geo-tagging of notes in the settings, we will grab your location when you take a note, and attach that to the note.

If you read the paper (http://appanalysis.org/tdroid10.pdf), you'll see that they took "30 randomly selected, popular Android applications that use location, camera or microphone data" and then monitored communications to see if those applications transmit any of that over a network.

We're only mentioned once, in this table:

[Image: post-8171-131906067826_thumb.png, the table from the paper]

So we're basically in this paper because we're a top-50 app, which legitimately accesses location, camera, and audio features of the phone, and communicates location data to our servers as part of geo-tagging notes. This is, of course, exactly what our application says it will do, and exactly what we brag about it doing. (E.g. http://blog.evernote.com/2009/12/16/eve ... -its-here/)

So the people who wrote this paper lumped us in with a few sketchy apps that send your location to ad networks, etc. Other popular and perfectly legitimate apps like The Weather Channel are in the same boat.

That's because this is a computer science paper explaining their clever technical solution for observing/sniffing Android applications. They weren't making any real effort to separate legitimate uses of these features from nefarious ones ... they just wrote an automated scanner, ran a bunch of apps through it, and then put the raw results in a table, unfiltered and unexplained.

A more responsible group of researchers would have spent a little time separating legitimate uses of geotagging from bad ones, but I guess that would have drastically reduced their list of applications (and made the story a lot less newsworthy).

Irksome.


Thanks for the info.

I see that there is an option to encrypt any text within Evernote.

What is the encryption algorithm you are using? Is it some proprietary thing or a known standard?


We don't yet have encryption support on the Android.

You can encrypt from the Mac or Windows clients, and decrypt from there or from iPhone or the web.

We encrypt with a passphrase-derived key (derived via MD5) symmetric RC2 cypher.


hrm, interesting. I just downloaded the Android and it shows my encrypted notes as "encrypted" just like the desktop client. And it prompts me for a password to decrypt.

So... it is supported?


Oh, I might be out of date. Yes, if you have an option to decrypt and view the text, then it's supported.

(The encryption and decryption are always performed on your client ... our servers don't even have any way to decrypt this data.)


@Dave,

I understand why Evernote needs the services you mention. However, would you tell me why Evernote needs access to my Android's contact list?

The whole list is:

o Your location (coarse (network-based) location, fine (GPS) location)

o Network communication (full Internet access)

o Your personal information (read contact data)

o Storage (modify/delete SD card contents)

o Hardware controls (record audio, take pictures)

o Phone calls (read phone state and identity)

Thank you so much,

Patrick B


If you use the "Email" button to email a note to someone else from within Evernote, you can select contact entries from your contacts list to email the note to. If we didn't have that permission, you'd need to manually type the email addresses of all of your recipients from memory.
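
An added example, not part of the thread and not Evernote's code: a small audit that reads an app's declared permissions and pairs each one with the purpose staff gave in the posts above, listing any permission the thread leaves unexplained. The manifest and package name are constructed; the permission constants are the standard Android names matching the install-screen labels quoted in the thread.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Purpose given for each permission by Evernote staff in this thread.
# None means no post in the thread ties the permission to a feature.
STATED_PURPOSE = {
    "ACCESS_COARSE_LOCATION": "geo-tagging notes, if enabled in settings",
    "ACCESS_FINE_LOCATION": "geo-tagging notes, if enabled in settings",
    "INTERNET": "connecting to the internet to sync notes",
    "READ_CONTACTS": "choosing recipients when emailing a note",
    "CAMERA": "the Snapshot button",
    "RECORD_AUDIO": "the Audio note button",
    "WRITE_EXTERNAL_STORAGE": None,
    "READ_PHONE_STATE": None,
}

# Constructed manifest: the install-screen list from the thread, written with
# the standard Android permission names (package name is a placeholder).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    return [node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for node in root.iter("uses-permission")]

def audit(manifest_xml):
    """Split declared permissions into explained and unexplained ones."""
    explained, unexplained = {}, []
    for perm in declared_permissions(manifest_xml):
        purpose = STATED_PURPOSE.get(perm)
        if purpose:
            explained[perm] = purpose
        else:
            unexplained.append(perm)  # undocumented or unknown to the table
    return explained, sorted(unexplained)
```

Anything in the second list is a question to put to the vendor, not evidence of misuse.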

I understand why Evernote needs the services you mention. However, would you tell me why Evernote needs access to my Android's contact list?
If you use the "Email" button to email a note to someone else from within Evernote, you can select contact entries from your contacts list to email the note to.

... as already explained in Heather's initial reply


Excellent. Thank you Dave.

Sorry juwlz. I had followed the link in Dave's post yesterday in the Android Market and mistakenly thought it was the full explanation about "Evernote doesn't share any data with third parties. Details from CTO: http://forum.evernote.com/phpbb/viewtopic.php?f=51&t=19103#p78857" I should not have made that assumption that those details were all the details.

Patrick b.

This topic is now closed to further replies.