I was just saying to +Steve Kondik last night...

"I wonder if this thing (Aviate) is a way to datamine app usage. Should wireshark it."

Yep. Slurping up all sorts of data like your location, installed apps, etc, and made available with absolutely no protection.
 
It's very nice to see so many people enjoying #Aviate  
I think it's time to let you know that your location and installed apps (and I guess more info) are accessible for free to anybody.

No need for the NSA or spying software, just visit this link: http://www.getaviate.com/search/api/v3/devices/ead6b990510e4d9d/

If you are curious, your device ID can be found in your logcat, which is also world readable.

Enjoy and thanks +Arvid Gerstmann for the finding.
99 comments
 
Okay... but how's anybody going to get your device ID via your logcat?
 
I tried it for 15 mins. Not my kind of launcher. Went back to Nova.
 
+Charlie Ranlett Aside from that, I'd love to know why the app developer needs this info and what they plan to do with it...
 
+Charlie Ranlett Does that matter? A person could easily write a script which tries random device IDs and builds a database based on the info.
 
It was pretty obvious that it was meant as an analytic platform. The moment I received app suggestions I expected the worst. :/
 
Never received a code for it...it is now uninstalled.
 
FWIW, they're not publishing location data anymore.
App list is still there, though.
 
+Charlie Ranlett The IDs can probably be deterministically generated from the IMEI or something. Would just need to decompile the APK to see how they're generating it.
 
So is uninstalling enough, or should we clear out anything else on our phones?
 
Remember kids, security is hard. It also can't be ignored.
 
They even tell you "home_latlng"... in case you want to stalk someone and you have their device id.
 
The concept of contextual application usage is not something that should be ignored here. I kind of wish that Android API allowed for such a thing apart from being the middleman(like a launcher) to intercept usage stats.

It would make automation applications so much more useful out of the box. Hell, I wanted to design something like that for Quickly.
 
The fact that it's collecting the data isn't really the issue (Considering what the launcher itself does...), the fact that it is being sent in clear text and publicly accessible is the actual concern.
 
Yah, hmmmm, why would a launcher need internet permission? 
 
I feel the same way about GoLauncher, being that its a Chinese company giving away so much for free
 
Uninstalling until they sort their shit out... thanks for the find!
 
I don't like that launcher, but I have nothing to hide; if it was a good launcher I'd still use it.
 
I received an invite around 5 minutes back and I was trying to make myself like it because of the clean UI. Though the lack of features such as creating your own app groups/folders and widget support was going to make me use Nova again.
 
They get your installed app list to make suggestions for your categories, based on what other people install.

And the API has been fixed to not share location? I bet that location info was used to build their own location mapping à la Google.

Problem?
 
Won't be installing that anytime soon.
 
Wow. Hell of a find +Waza_Be +Koushik Dutta. I'll be honest. I don't care that they know my app usage and my location. That's the point of a contextually aware application, isn't it? I do care about data security though. Having my data being world readable is complete shit.
 
+Keyan Mobli There's no reason to persist or expose that data from an implementation standpoint for categories.

That list could just as easily be sent to the server to categorize, and the server responds with a category per app. You could also make that request entirely without needing to send a device id (or location).
 
So it looks like v4 fixed the location being listed issue? That just leaves app names in plain text. Not like it's really useful data for anything other than offering up other app ideas, but they should still be encrypting it and making it private instead of public. Here's to hoping they fix that quickly because I really do like Aviate.
 
+Keyan Mobli Problem is that it's not a protected API.

I could put up a competitor product in a day that utilizes their API, overloads their servers, spends no money on infrastructure and blows the socks off of users who don't expect an application to KNOW about them.

That last point is the biggest qualm IMO. I never gave you my data, why are you able to get it from someone else.

Doing a simple checkin for auth is not difficult.
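
The two designs argued over in the comments above, written out as an added example (this is not Aviate's own code; the class names, the package-to-category table, the sample device id and the app lists are constructed for the example): an exposed-record store keyed on the raw device id, the stateless categorisation call that needs neither device id nor location, and a check-in scheme where the server hands out a random install id plus a secret, so dedup works without ANDROID_ID ever leaving the phone and reads fail without the secret.

```python
"""Added example (not Aviate's own code): the exposed-record API design the
thread describes, next to a stateless categorisation call and a check-in
token scheme. Class names, the category table, the sample device id and the
app lists are constructed for this example."""
import hmac
import secrets

# Constructed package -> category table; a real service would have a far
# larger one, but the shape of the request/response is the same.
CATEGORIES = {
    "com.spotify.music": "music",
    "com.yelp.android": "local",
    "com.google.android.apps.maps": "local",
}


class ExposedDeviceStore:
    """Design 1, as described in the thread: the device uploads its state under
    its raw device id, and a GET on /devices/<id>/ returns it with no credential.
    Whoever learns the id (logcat, a screenshot, a leaked log) reads it."""

    def __init__(self):
        self.records = {}

    def upload(self, device_id, apps, home_latlng):
        self.records[device_id] = {"apps": list(apps), "home_latlng": home_latlng}

    def fetch(self, device_id):
        return self.records.get(device_id)


def categorize(apps):
    """Design 2: categorisation as a pure request/response. No device id, no
    location, nothing persisted, so there is no record for a third party to read."""
    return {pkg: CATEGORIES.get(pkg, "uncategorized") for pkg in apps}


class CheckinDeviceStore:
    """Design 3: if per-install state must exist (e.g. to count unique devices),
    the server issues a random install id plus a secret at check-in. ANDROID_ID
    never leaves the phone, and every read or write must present the secret."""

    def __init__(self):
        self.tokens = {}   # install_id -> secret issued at check-in
        self.records = {}

    def checkin(self):
        install_id = secrets.token_hex(8)
        token = secrets.token_hex(32)
        self.tokens[install_id] = token
        return install_id, token

    def _authorize(self, install_id, token):
        expected = self.tokens.get(install_id)
        # compare_digest avoids a timing side channel on the token comparison
        if expected is None or not hmac.compare_digest(expected, token):
            raise PermissionError("bad or missing check-in token")

    def upload(self, install_id, token, apps):
        self._authorize(install_id, token)
        self.records[install_id] = {"apps": sorted(set(apps))}

    def fetch(self, install_id, token):
        self._authorize(install_id, token)
        return self.records[install_id]

    def unique_installs(self):
        # deduplication without any hardware or Settings.Secure identifier
        return len(self.records)


def fetch_as_outsider(store, install_id):
    """Model the attacker from the thread: knows the id, holds no token."""
    try:
        return store.fetch(install_id, "")
    except PermissionError:
        return None


if __name__ == "__main__":
    # Constructed device id and app list for the demo.
    leaky = ExposedDeviceStore()
    leaky.upload("0123456789abcdef", list(CATEGORIES), (52.52, 13.405))
    print("exposed:", leaky.fetch("0123456789abcdef"))       # anyone with the id
    print("stateless:", categorize(["com.spotify.music", "com.example.app"]))
    safe = CheckinDeviceStore()
    iid, tok = safe.checkin()
    safe.upload(iid, tok, ["com.spotify.music"])
    print("owner:", safe.fetch(iid, tok))
    print("outsider:", fetch_as_outsider(safe, iid))          # None
```

The check-in secret is the "simple checkin for auth" mentioned above; the part that actually removes the exposure, though, is that `categorize` stores nothing, and that the per-install key is a server-issued random value rather than anything an outsider can read off the phone.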
 
+Mohammed Nma uninstalling won't help unless you recently installed as the older version of the API is still public - we just have to hope that they remove the legacy data
 
Best alternative launcher I've used, so how serious is this exactly?
 
+Will Keaney +Erica Joy Categorization of apps does not require device id or location information. In addition, the installed app data also does not need to be stored or publicly accessible. Pretty fail all around.
 
Oh I agree with you, but people are saying "omgwtfbbq my app list. Why do they need to send that to the internet." Well.. That's why.

I think device ID is necessary so you don't have duplicates skewing the categorization as well as pure numbers. I mean that's why CM stores device ID right?

As for location, I'm fairly sure they tell Aviate "this is where I am, what should I display" and they ping Yelp or whatever, or just categorize you at home/work if you fall into that umbrella.

Exposing it, however, is a mistake.
 
I'm so glad I have access here on G+ to smart people... without you I'd be merrily using Aviate without a care in the world!
 
Oh no, someone knows what apps I have installed. So who cares? You're all too paranoid. There are a ton of other apps that do this also.
 
+Tylar Overturf But only a few make this data public. Even if it was only the name of my dog, I would be pleased to see it encrypted, secured and protected with a password/secret key.
 
+Keyan Mobli Yeah, there's obvious reasons why they need to send the app list. And the location (when searching nearby). My issue is the unnecessary storage and broadcast of said data.

Categorization deduplication can also be done without leaking a device identifier.
 
+Keyan Mobli The categorization could actually be done entirely anonymously using a bloom filter. There's plenty of ways to do anonymized public interest registries.
 
+Keyan Mobli Granted, the aforementioned is probably overkill, but as it stands, what they currently have wasn't even trying.
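
The Bloom-filter registry mentioned above, as an added example (not Aviate's code, nor anything the commenter posted; the filter size, hash count, package catalogue and install list are constructed assumptions). The phone uploads only the filter bits, with no device id or location; the server cannot list the apps, it can only ask "is package X probably installed?" for names it already knows, and tally probable hits per category. The false positives are the point, not a defect: with the filter sized so the rate is small, category counts aggregated over many devices stay usable, while any single positive for one device remains deniable. The caveat a practitioner should keep in mind is that well-known package names are a small dictionary, so the server can still probe for specific apps; the filter hides only what it does not think to ask about.

```python
"""Added example (not Aviate's own code): an anonymised interest registry built
on a Bloom filter. The filter size, hash count, the package catalogue and the
sample install list are constructed assumptions for this example."""
import hashlib
import math


class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Kirsch-Mitzenmacher double hashing: h_i = h1 + i*h2 (mod m),
        # both halves derived from one SHA-256 of the package name.
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def expected_fp_rate(self, n_items):
        # standard estimate for k hashes, n items, m bits: (1 - e^(-k*n/m))^k
        return (1 - math.exp(-self.k * n_items / self.m)) ** self.k

    def to_bytes(self):
        return bytes(self.bits)   # this, and only this, is what gets uploaded


def client_filter(installed, m_bits=4096, k_hashes=7):
    """Phone side: encode the install list; no device id, no location."""
    bf = BloomFilter(m_bits, k_hashes)
    for pkg in installed:
        bf.add(pkg)
    return bf


def server_categorize(bf, catalog):
    """Server side: it cannot enumerate the filter, only test package names it
    already knows. Returns the number of probable hits per category."""
    return {cat: sum(1 for pkg in pkgs if pkg in bf) for cat, pkgs in catalog.items()}


# Constructed catalogue and install list.
CATALOG = {
    "music": ["com.spotify.music", "com.pandora.android"],
    "local": ["com.yelp.android", "com.google.android.apps.maps"],
}
INSTALLED = ["com.spotify.music", "com.google.android.apps.maps", "com.example.notes"]


if __name__ == "__main__":
    bf = client_filter(INSTALLED)
    print("upload size:", len(bf.to_bytes()), "bytes")
    print("per-category hits:", server_categorize(bf, CATALOG))
    print("expected false-positive rate:", bf.expected_fp_rate(len(INSTALLED)))
    # Undersized filter for a realistic 100-app phone: false positives dominate
    # and per-device answers turn into noise, which is the deniability trade-off.
    print("undersized FP rate:", BloomFilter(256, 7).expected_fp_rate(100))
```

Sizing is the knob: `m_bits` and `k_hashes` set the false-positive rate from `expected_fp_rate`, and a deployment would pick them so that the aggregate category counts are accurate enough while individual hits stay ambiguous.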
 
+Koushik Dutta I'm guessing Themer collects just as much if not more data than Aviate, if you read over their privacy policy they make it pretty clear: http://themerapp.com/privacy

I like the last section about "Unsolicited Ideas and Feedback"
Tl;dr: We welcome feedback but good lord don't give us any original ideas! Who knows what would happen if we had an original idea!
 
Now that they've fixed location, I personally don't see the need to uninstall. My installed apps aren't going to ID me. I would appreciate if they stopped making it public facing. But even then, most don't have my device ID.

Another company that knows the apps you have installed: Google
 
I don't understand why people are getting this crazy. Any app with similar permissions and internet access can upload all this data to their servers. We have no idea what they do with it. 
 
Aviate beta codes like crazy, Ubuntu Touch tomorrow, Firefox OS keeps getting better, yet where is my beta CM installer access ??? .............. ...............
 
+Ron Waldon I was a bit concerned about the location but that doesn't seem to have fixed that now according to comments.
 
+Koushik Dutta  Went ahead and looked into the code and it's using Settings.Secure.ANDROID_ID as the key.
 
+Keyan Mobli
 CM saves the device ID only with your permission! Please keep that in mind!
 
They "fixed it". Now you will see a blank page.
 
+Koushik Dutta, out of curiosity, how would you use a Bloom filter for the app categorization? Wouldn't the false positives ruin everything?
 
Oh noes! Now the world will know I use Grindr!
 
Aren't CM accounts just as bad, if not even worse?
 
+Koushik Dutta Well, sure, but I wrote them a month ago and thought raising awareness now, when everyone uses it, is correct, because it's still a security hole which should be fixed.

And it worked. The issue is posted to a lot of Android News sites, the co-founder +Paul Montoy-Wilson is aware of it and his team will fix it.
 
the link is no longer working...
 
+Ryan Evans The whole point of Aviate is to change the main page depending on what you're doing and where you are. It's supposed to replicate Google Now. How is it supposed to do that without collecting data? 
 
Aviate is my type of launcher, and it is still in beta. That's no excuse to apparently ignore a security concern like this for a whole month, but honestly it wasn't severe enough to get me to stop using it had I known about it.
 
Wasn't it somewhat obvious? A launcher knowing where you are and recommending the apps you need? Come on, it looks like throwing all apps in one DB, putting some GPS coordinates with it and sending it upstream :D
 
I love Aviate too much to drop it~
 
+Rishabh Singh, +Reza Shargh: you guys should skim the comments before posting so you don't end up asking the same question that's been asked and answered several times already...
 
Too many permissions asked. What if somebody hacks the server data. They could try to build the usage pattern intelligence on the phone itself. 
 
If more people knew how to use Wireshark - there would be far fewer devs collecting info from our devices!!

Nice work +Koushik Dutta !!