You can’t trust Amazon Underground

I’m no tinfoil-hat-wearing privacy zealot. However, I don’t think it’s unreasonable to have fine-grained control over the data the device in my pocket is sharing about me.

To this end, I wiped the stock operating system of my Sony Xperia Z3 Compact and installed CyanogenMod. This isn’t as good as building from the source code of the Android Original Source Project (AOSP), but it’s a reasonable compromise.

One of the most invasive things about Android phones is Google Play Services. This comes by default on the version of Android you get when you purchase a smartphone, but has to be installed separately if you build from source or use CyanogenMod. I don’t install it, which means I can’t use the Google Play Store.

Hence, I have to get my apps from somewhere else. The bulk of my apps I get from the (open source) F-Droid repository. But there are still some apps I want/need on my phone that I can’t obtain from there. For those, I’ve been using the Amazon Underground app store.

I like Amazon and use their Prime service on an almost daily basis. When I saw that Amazon Underground offered premium apps for free, I assumed this was a loss-leader. I eagerly installed apps that cost real money on other app stores when I should have known better. Always question the business model!

One of the great things about CyanogenMod is the Privacy Guard feature. By default, I block installed apps’ access to my location, contacts, etc. unless I deem it absolutely necessary that they need them in order to work properly.

I installed the ‘actually free’ Weather+ app from Amazon Underground. This is an app I’ve paid for on my iPad Mini.

As usual, I was asked if I’d like Weather+ to be able to access my location. I decided that no, I can just type in where I am, so I pressed Deny and checked ‘Remember my choice’. I happily used the apps for a few weeks without any problems.

Yesterday, I got this pop-up for the first time. Now, I’m not allowed to use the app because Amazon wants to continually track my use of it. This is potentially even more invasive than Google Play Services as users, without really knowing it, have ‘opted-in’ to this tracking. I only found out about it because I have a relatively-exotic setup compared to the bulk of Android users.

I’m sure this is all buried in the small print somewhere, but I have to wonder whether the average Android-owning user has any idea what they’re trading for their ‘actually free’ Amazon Underground premium apps.
