Shazam forced to back down after app revealed to be constantly listening
Shazam is one of the most popular music recognition services on the market. Source: Shazam
Developers of popular music app Shazam are scrambling to introduce a new patch for their Mac iteration after it was discovered the app always kept the device’s microphone on.
Even when Shazam is set to ‘off’ on Macs, the microphone is still active; the app is just not “processing” or storing the data, which has prompted security fears.
This version of the service, which uses audio recordings to identify songs, was introduced two years ago but the flaw was only exposed earlier this week after cyber security expert Patrick Wardle received a tip-off.
After reverse-engineering the app, the former NSA hacker wrote a blog post expressing his concerns. He concluded that the recording did not appear to be processed but that it was still enough to prompt concerns.
“I still don’t like an app that appears to be constantly pulling audio off my computers [sic] internal mic,” he said.
“In other words what ‘OFF’ appears to mean, is simply, ‘stop processing the recorded data’ …not cease recording.”
Shazam processes audio (when the app is set to ‘on’ on Mac or activated by a user on a smartphone) through acoustic fingerprinting, a common method of condensing audio information into a digital summary that allows similar items to be quickly identified in a database.
It’s regarded as a safe way of transmitting audio, because the fingerprint cannot be listened to or intercepted for malicious use, but it doesn’t resolve the concerns many have about the microphone being constantly active on their computers.
The New Daily attempted to contact Shazam Australia for comment, but a response was not received by the time of publication.
Shazam global also did not respond to questions asked, but the VP of global communications James Pearson sent a statement calling the discovery “rumours”.
“Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted,” he said.
The Mac version of Shazam is constantly recording, even when not visible on the desktop. Source: Shazam
Melbourne University senior lecturer and IT privacy expert Dr Vanessa Teague described the privacy issue as “terrible”.
“There’s a real complexity about interacting with the user and making sure they’re setting the permissions that they actually want to,” Dr Teague said.
“What I would like to see is a lot more direct user control. If you think you’ve turned your mike off, you should have turned your mike off.”
Shazam’s VP of global communications James Pearson told Motherboard that the app didn’t keep the microphone on for surveillance reasons, but for efficiency and user experience.
“If the mic wasn’t left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users ‘miss out’ on a song they were trying to identify,” Mr Pearson said.
The company was forced to backflip on this stance only hours later after Mr Wardle’s ability to reverse-engineer the app suggested the potential for vulnerability.
“Even though we don’t recognize a meaningful risk, the company will be updating its Mac app within the next few days,” Mr Pearson said in a statement.
A specific date for the update was not revealed.