Android Pay

Android Pay? I mean, really, what the hell is this app?

(Image from Android.com.) This vaguely, creepily, reminds me of Shepard Fairey’s Obey prank.

This is now part of the Android operating system and cannot be uninstalled, even if you do not use it and do not want to use it. And it is insanely invasive.

First, what it is supposed to do: it takes your credit cards, bank cards, even bank accounts for which you do not have a card, and lets you spend money from them via your phone. It acts as a Man In The Middle[en.WP], ‘protecting your privacy’ by not letting the retailer know information about your bank/credit, and presumably by not letting the bank know about the retailer.

Second, what it does: it does let you spend money from your phone, and it also collects information about every transaction you conduct. Presumably, like Apple Pay, it also accesses as much transaction history as it can with your banking/credit services provider, so it also collects information about most of your financial transactions – how much you earn, who you get money from, where you spend it. Assuming the people writing it are bright people (and they are very bright people) they will also interpolate your contacts, your calendar, your physical location (and history) and your physical and financial health to sell you to corporations.

Don’t believe me?

Keep in mind this is a payment app – all it says it is going to do is make financial transactions via NFC. But here is the partial list of permissions it wants:

  • Camera (video and picture)
  • Microphone
  • GPS and Network based location
  • Read, modify, delete usb storage, measure app storage space
  • Control NFC
  • Full network access
    • receive data from internet
    • view network connections
    • view wifi connections
  • Activity recognition (body sensors)
  • Prevent phone from sleeping
  • Read Google service configuration
  • Run at startup
  • Add additional permissions within each permissions group

That last one appears to mean the script can automagically give itself more permissions in the future when it is upgraded, without asking.
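To check a permission list like this on your own device, the following added example (not part of the original post) parses the permission sections of `adb shell dumpsys package <package>` output and reports what an app requests beyond a baseline and which sensor or location permissions are actually granted. The sample dump is constructed, and the two-permission baseline is an assumption about what tap-to-pay needs.

```python
import re

# Assumption: the baseline a tap-to-pay app needs; adjust to your own policy.
EXPECTED = {"android.permission.NFC", "android.permission.INTERNET"}
# Sensor and location permissions named in the list above.
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION",
             "com.google.android.gms.permission.ACTIVITY_RECOGNITION"}
HEADERS = {"requested permissions:", "install permissions:", "runtime permissions:"}
PERM = re.compile(r"([\w.]+)(?:: granted=(true|false).*)?")

# Constructed sample laid out like `adb shell dumpsys package <package>` output.
SAMPLE = """\
    requested permissions:
      android.permission.NFC
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      com.google.android.gms.permission.ACTIVITY_RECOGNITION
    install permissions:
      android.permission.NFC: granted=true
      com.google.android.gms.permission.ACTIVITY_RECOGNITION: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""

def parse_permissions(dump):
    """Return (requested set, {permission: granted bool}) from a dumpsys dump."""
    requested, granted, section = set(), {}, None
    for line in map(str.strip, dump.splitlines()):
        match = PERM.fullmatch(line)
        if line in HEADERS:
            section = line
        elif not match:
            section = None  # any other line ends the current section
        elif section == "requested permissions:":
            requested.add(match.group(1))
        elif section and match.group(2):
            granted[match.group(1)] = match.group(2) == "true"
    return requested, granted

def audit(dump):
    """Report requests beyond the baseline and sensitive permissions in effect."""
    requested, granted = parse_permissions(dump)
    return {"beyond_baseline": sorted(requested - EXPECTED),
            "sensitive_granted": sorted(p for p in SENSITIVE if granted.get(p))}

print(audit(SAMPLE))
```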

Never mind that whipping out my phone is actually not as convenient or secure as whipping out an RFID credit/debit card from my Faraday wallet. Never mind that I do not want to give some unknown third party my credit card numbers. It is like some stranger arrived with my phone and said “Hey there, I will now reach into your wallet and pull out your card and hand it to the clerk because, well, because it’s better that I do this than you do it yourself.” Uh-uh. Not feeling good about this.

I mean, seriously? How many times do corporations get hacked, even the ones who give me something when I give them my credit card? And somehow I should give Google the card and get nothing in return because I should just trust them?

But tell me, why does a payment app need to know what I am doing? That is part of what the ‘Activity recognition’[doc] permission is about. It is checking if I am in a vehicle, on a bicycle, on foot (or walking or running, states 7 or 8), sitting still (or the device was set down), doing something unknown, or tilting (which indicates the device was picked up, or I stood up, or otherwise suddenly changed the screen’s orientation.) It is a part of the system which allows the phone to track how many steps I take, how many flights of stairs I climb, even (experimentally) what my pulse rate is when I am holding the device in my hands or it is in my back pocket.

The answer is a payment app doesn’t. But the ‘free’ payment is just a small part of what this app really does – it spies on me. Anything free on the internet, or on your phone, means you are the product being sold.

And I cannot uninstall it.

yet.