Happy Birthday Angry Birds! Thanks For The (In)Security!
We’ve all done it. We've spent hours flinging birds at pigs, only to be frustrated with that one little piggy that got away. We can all thank the phenomenon “Angry Birds” for this wonderful experience. Today marks the fifth birthday of the release of the original Angry Birds. Since its release, the highly successful mobile game creator Rovio has gone on to sell hundreds of millions of dollars of mobile apps, licenses, and merchandise amassing $216M in revenue in 2013 alone. Who knew that a simple change in game mechanics could gain such a cult foothold with the public? From a business perspective, the team at appfigures did a great write-up on the history of the franchise, along with its successes and failures in the eyes of the public. If you’re interested in the business life cycle of apps in the public app store, I highly recommend you go read their research: Angry Birds Turns Five: What We Can Learn From The Franchise’s Success.
Over the years, there has also been significant research done around the privacy, behaviors, and data collection activities going on with the Angry Birds mobile applications — everything from sending potentially sensitive data to advertising groups without encryption to being one of the most commonly repacked pieces of malware available on the Internet. Even the NSA was in on the game! Angry Birds may have brought people hours and hours of fun, but at what tradeoff to the privacy of its users? And the bigger question is, does the consumer even care?
In the spirit of wishing Angry Birds a happy birthday, I asked a few of the leading mobile application reputation and malware analysis vendors for information about what the Angry Birds mobile apps currently do or have done in the past with regard behaviors and user data collection. Here are some notable data points and comments:
“Rovio uses the Burstly and InMobi analytics/advertising SDKs throughout their Angry Birds properties. These SDKs collect a good deal of information, including information about the device’s carrier and location, which is then sent to Rovio as well as the services themselves.”
“The JumpTap advertising SDK was used in many Rovio applications, and collected the device’s IMSI, which is generally considered an inappropriate identifier for an ad network to use, as it uniquely identifies a mobile subscriber (as opposed to a device), and can't be reset, even if the user switches phones. This would allow the ad network to track the user for a long period of time across multiple applications and get a very detailed picture of him. This SDK was removed in mid-2013, around when JumpTap was acquired by Millennial Media.”
“Over the years, the suite of Angry Birds applications has had access to lots of interesting sensitive data, including: tracking a user’s location; tracking a user’s UDID/IMEI; sharing data with ad networks, analytics frameworks, and third-party crash reporting services; accessing a user’s address book; writing data without encryption; accessing the device’s camera; being able to compose and send email; sharing data with third-party social media; accessing external storage (removable media); and retrieving Android device info.”
Are we living in an era where the general consumer is willing to trade their usage habits, geo-location data, and other sensitive information for a few minutes of pig flinging fun, or is this a case of an uneducated public? According to Forrester research data, it’s not only a pure case of the consumer not understanding the significance. Only 26% of consumer survyed were concerned about their personal privacy, security, and safety when downloading applications (apps) to a mobile phone or tablet. That’s a pretty telling statistic. This laissez faire view toward privacy and security may be a generational or even a geographical issue. I believe it’s primarily a fundamental change, with the consumer indirectly stating they are willing to trade off privacy and security for the extended convenience and fun factor that comes in this small mobile package. Only time will truly tell . . . and until then, Happy Birthday Angry Birds! Please voice your comments and opinions below. I’d love to hear what you think!
Special thanks to Lookout, Veracode, FireEye, and Appthority for their help in providing quotes and detailed application behavior statistics.