Would You Like Spies With That?

Spies, fries. tuh-MEY-toh, toeh-MAH-toe. What are the permissions that go with that restaurant rewards app?

Would You Like Spies With That?
Photo by Christian Bolt / Unsplash

I'm old enough to remember needing a "membership card" for all my memberships. I had a plastic card for my grocery store discounts, for my hotel loyalty programs, for my lunch places (though those were often card-stock punch cards where once I got enough holes in it I got a free lunch item), for car rentals, airline loyalty programs, and the like. It got so that I had a secondary wallet in my laptop bag for all the ones I might need on my business trips. Some bright spark realized that those cards did take up too much space, so they started making smaller ones that could fit on a key ring. In the early 2000's I knew people who had between 5 and 10 on their key chains regularly. But those cards have given way to online accounts. And that's an arguably good thing right? I mean, those plastic cards became bulky if you had enough of them, and they weren't particularly environmentally friendly. They also nearly always required reading a long number off of them over the phone or typing it in to a website every time you tried to use your card's value.

Then those online accounts started being accompanied by a mobile app on our phones. This further improved convenience: we didn't have to log in every time we needed to use our cards, and we could get a scanable code for optical readers to appear on the screen, as well as full access to all the cloud based data about our accounts, and life was good.

But somewhere along the line the data became more and more valuable to the rewards program managers, and we ended up with apps full of snoopers.

App Permissions

Any app installed on your mobile device needs permissions to do things. Here's an example of all the permissions one particular app requests:

Does that app really need all those permissions?

That's a laundry list of permissions requested. Fortunately this particular app doesn't insist that all these permissions must be granted in order to even work - I've seen too many apps that insist on permissions that don't seem appropriate in order to just carry out their activities. Each of these permissions is a potential privacy intrusion waiting to happen.

Interestingly missing from this list: network access. It seems that's assumed to be a default requirement.

Take a minute and check the app permissions for your favorite restaurant loyalty app. I'm willing to bet it wants to at least have access to your location and notifications, perhaps also to your NFC system (tap-to-pay is part of that). Location, paired with network access (remember, that's a default allow) means that your app may well be continually sharing information with your favorite restaurant chain. There's no guarantee that they are, but what proof do you have that they are not? It is this lack of transparency that that makes loyalty apps a threat to your privacy. That little plastic card could never do that.

App Fingerprinting

I've discussed this in previous posts, but it seems a great many apps attempt to fingerprint you and your device beyond what you may be aware of.

Yup, these fingerprinting events seem to happen a lot: the totals above are from a 7 day period.
Data that is, by default, available to any app on your device and can be used to fingerprint you

So given that your app already (by default) has network access, and all of this sort of data is available to it by default, we again see that every installed application on your mobile device has a wealth of information to share with the app's owners, creators, and whomever they choose to share that data with. Again, I can't tell you that they are sharing all of this data, but I can tell you they have the capacity to do it without your knowledge. This becomes an issue of trust, as in most cases US based companies face impressively lax oversight when it comes to profiting from sharing traceable data about you.

Countermeasures

All is not lost. There are two primary strategies for fighting this data drain.

Use a Browser and Uninstall the App

While not every capability available in an app is directly accessible through a website, a great many of them are. Bookmarks can even be added to your phone or tablet's home screen, or you can use them in browser. Choosing a privacy focused browser, such as DuckDuckGo, is helpful as well for it's anti-cookie, anti-tracking capabilities. Let's face it, you can order pizza from a website, you don't have to have an app to do it, and the loyalty program can still track you and offer you rewards if you log in.

Will this stop all tracking? No, but unlike an app a webpage stops running completely when you close the tab or browser it was running in, meaning you can better control when it has the chance to gather and share data.

Block App Tracking Attempts

You're not going to get rid of all your apps, and unless something significant changes with regard to the law or legislation, companies are going to continue to attempt to profit from surveilling you. So finding a solution that blocks more of those tracking attempts can help. It just so happens that DuckDuckGo's mobile app for Android does that. The iOS version does not, and that's something you can take up with Apple.

Sorry, this isn't a politics free zone kids. But at least the politics are relevant to the topic at hand

Is a Free Burrito Every Few Months Worth It?

This is a "choose your own adventure" situation, maybe being tracked to within an inch of your life is worth it for the feeling of that free smoothie every few weeks, or that free size upgrade on your mocha-frapa-latte thing. But if reading this has taken all the fun out of those rewards for you, consider yourself better informed and better able to take action to protect yourself, your data, and your privacy.


⚠️
I have first-hand experience with these concepts on Android based devices. I freely admit I don't have the same experience with iOS devices, however conceptually they are similar, even if iOS has some better (and some worse) protections for these concerns.
💡
Whenever I make product recommendations or endorsements please remember that I have no financial ties to the products, solutions, or companies mentioned unless I've explicitly said otherwise. My recommendations are based on my personal experience and may not meet your needs specifically. Make your own choice based on your own needs, but you could do worse than starting with the recommendations I've made.