Apple’s Shazam App Boots Facebook Ads and Other Third-Party SDKs

Shazam, the handy app that uses audio recognition to tell you what song is playing over any given set of speakers, has reportedly eliminated all third-party software developer kits (SDKs) in its iOS version except for one: HockeyApp.

Apple, which bought the startup for $400 million last year, has removed Facebook Ads, Doubleclick ads, Facebook Analytics and a raft of others, according to analysis from Appfigures.

Microsoft’s HockeyApp is still active, though. The SDK collects live crash reports for apps, gathers feedback from app users, distributes betas and analyzes test coverage.

“I’m not entirely sure what to think about them leaving HockeyApp in place,” said Thomas Reed, director of Mac & Mobile at Malwarebytes, speaking to Threatpost. “On the one hand, HockeyApp isn’t exactly what I would classify as a tracker, as its intended purpose (as far as I’m aware) is to help with publishing apps. It’s got a lot of really nice features, and though it does send data, that data’s purpose is for understanding crashes, understanding how the user is interacting with the app, etc.”

He added, “On the other hand, I’m a little surprised that Apple would use a third-party SDK for this. HockeyApp is owned by Microsoft now, and Apple and Microsoft aren’t the same rivals they once were, but I would still expect Apple to want to control the flow of data, so that they could ensure it’s handled properly…perhaps it was so deeply integrated into Shazam’s code that pulling it out was a non-trivial task. But I could be wrong.”

Appfigures, which keeps tabs on mobile apps, also noted that on the Android operating system Shazam removed AdColony, AdMob, Amazon Ads and Facebook Analytics in the latest update. But others, such as Facebook Login and Google Maps, are still enabled. HockeyApp, meanwhile, was removed from the Android version more than a year ago, it said.

There are a few reasons Apple could be making this move. For one, third-party SDKs, while they can provide important plug-in functionality for mobile apps, also have a tendency to harvest or leak data where they shouldn’t. Ad targeting and tracking have been a privacy hot potato of late as well, and Apple in general has taken some high-profile steps this year to be perceived as coming down on the side of the consumer.

“As a user, I am happier to know that my use of Shazam is not accessible to other apps because knowledge of my musical preferences could be used to develop a social engineering attack, which is becoming increasingly common,” Mike Banic, vice president of marketing at Vectra, told Threatpost. “It is very likely that this is part of Apple’s continued crackdown on Facebook and other third parties that don’t have the same view on protecting their customer’s data privacy.”

In January, Apple revoked Facebook’s enterprise iOS developer certificate on the heels of finding a “Facebook Research” VPN app that was being distributed to consumers; the app paid teens and Millennial users in exchange for being able to track their phone and web activity. Apple said that the app’s consumer distribution was done in breach of the iPhone giant’s enterprise developer policies.

Earlier this year Facebook’s Onavo Protect app was also barred from Apple’s App Store. It was a similar case: Onavo Protect is a mobile VPN app that encrypts users’ personal information and monitors their data to help customers manage their mobile data usage and limit apps that use lots of data. However, the app was reporting to Facebook when a user’s screen was on or off as well as its cellular data usage. As such, Apple said that the app violated its data policies.

“We’re beginning to see a trend where there is additional focus on and an understanding of personal privacy,” said Praveen Jain, CTO at Cavirin, speaking to Threatpost. “Apple has been one of the more vocal advocates of a national privacy regulation, so this is no surprise. And just two days ago, the GAO released a report calling for GDPR-like legislation. Whether it is the responsibility of the FTC, as the GAO and some in Congress have called for, or some other agency is to be determined. Also note that Apple is headquartered in California, where our own Consumer Privacy Act will take effect in July 2020.”

Aside from privacy ramifications, the third-party SDK move also fits in with Apple’s pledge to make Shazam ad-free – a plan it announced during the acquisition. Shazam has been downloaded over 1 billion times around the world and is used over 20 million times every day, according to Apple; that’s a vast install base that could fit perfectly into the Cupertino giant’s vertically integrated content strategy. Its ability to allow a user to “listen” to a song that’s playing for a few seconds before returning the track and the artist could be a valuable driver of Apple Music downloads, for instance.

Threatpost reached out to Apple and will update this post with any comments.
