
Surprised at my Android alarm clock


knoober

Member
Joined
Mar 18, 2015
In a recent fit of tinkering with my fancy mobile device I made a surprising discovery: my third party alarm clock app is sending info off to Amazon! My alarm clock? Talking to Amazon? Not on my watch Mr. Alarm Clock, or more properly, not on my phone. Time for Plan A I thought: complain to the company and badmouth the clock and all it stood for, while simultaneously replacing it with a non-offending competitor. That might have been an option if at least 3 other clocks hadn't tested to be even worse. In comparison to its competitors, my chosen clock was fairly tame. The original clock in question was phoning back to an Amazon IP 13 times in a few minute period once a day. The next one I tried called home to 2 different companies (Amazon and a company called MoPub) 64x in the time it took me to a) set an alarm and b) check the logfile on the firewall. 2nd runner up was calling back to Amazon 35x during the same procedure. The last one tested called home to Google and NIST. NIST seems like it might be a fair place for a clock to get the time from, but I am not really sure if that is what was going on either (just hoping/guessing).

I might as well clarify a couple things that I might not have stated clearly enough. I'm not trying to spread a bunch of doom prophecy or bad vibes, just give a friendly heads up. I didn't list any of the apps I tested because this was a) informal and b) pretty easy to find amongst the clocks I sampled <-- I may continue the search for a clock that doesn't send info to third parties, but the quick results I have already seen show me that it might be a long process to find one, so there isn't any reason to say that Clock A is the devil or that Clock B is awesome yet. Lastly, for anyone who is wondering, I caught all this info because I was auditing my phone firewall and saw no reason to give my clock (which hasn't received any updates for years) access to mobile data or wifi. After cutting it off from data/wifi the logs showed how many times packets were being sent out and to what IPs.

I was just terribly surprised about this. Out of all the software that you might imagine would be sending off info, my clock is one of the last I would have suspected. I might just have to move to the stock clock after this :D
 
But, what 'info' is it sending off? Where is it going? I can see a time website, makes sense to check in. I appreciate the sharing, but would like to know more before I would worry about it.
 
This is the 1st I’m hearing about a clock app sending info, you sure it isn’t simply syncing with the Amazon servers (why Amazon) to keep it on time?
 
But, what 'info' is it sending off? Where is it going? I can see a time website, makes sense to check in. I appreciate the sharing, but would like to know more before I would worry about it.

I did jump to conclusions when I saw who owned the servers (Amazon, Google, and MoPub). Both Amazon and Google have a reputation for data mining, and MoPub has "app monetization" right in their site header. The general rule of thumb I'm following is to not allow permissions that don't make sense. In this case, a clock doesn't have any reason to contact either the Big A or the Big G. Looking further into NIST shows that they have no easily findable info about ntp (network time protocol), but if I throw Data Mining into their site search bar, there are at least a few relevant hits. My Search-Fu isn't real strong, so this is as far as I've gotten. Not pointing any fingers, but the 'info' = data mining isn't an impossible conclusion. Packet capture and analysis is generally something I would leave to wiser folks with more experience, but it is achievable, and I might look into it further in the future. For now I am content with blocking the offending clock from the network.

This is the 1st I’m hearing about a clock app sending info, you sure it isn’t simply syncing with the Amazon servers (why Amazon) to keep it on time?

The short answer is "No, I am not sure".
A little longer answer is that Amazon does at least brush against ntp. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html states that "The Amazon Time Sync Service is available through NTP at the 169.254.169.123" and my firewall was not listing any IP starting with 169.x.x.x. It seems odd that one or more clock apps would use time services from Amazon servers rather than ntp.org. If I am reading that Amazon doc correctly, Amazon themselves get their time through ntp.org as well.

If the mood strikes me I might pick a few apps and throw up some screenshots from the firewall, but honestly I was just messing around on my phone and surprised at what I found and it's not a priority. If anyone wants to do their own investigation and post about it, I would love to read it. In the OP I mentioned that I tested several different apps that were all worse than my original clock and they came from this list of alarm clocks.
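
An added example, not part of any post in this thread: one way to tally blocked connection attempts per app and destination, and to separate traffic that looks like NTP (UDP port 123) from web traffic. The log format, package names and addresses are constructed for illustration; the pattern has to be adapted to whatever your firewall actually writes.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in a made-up firewall log format (not from a real app).
# Destination addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-01-05T07:00:01 app=com.example.clock_a proto=TCP dst=203.0.113.10 dport=443 action=BLOCK
2019-01-05T07:00:02 app=com.example.clock_a proto=TCP dst=203.0.113.10 dport=443 action=BLOCK
2019-01-05T07:00:05 app=com.example.clock_a proto=TCP dst=198.51.100.7 dport=443 action=BLOCK
2019-01-05T07:01:10 app=com.example.clock_b proto=UDP dst=192.0.2.123 dport=123 action=BLOCK
2019-01-05T07:01:11 app=com.example.clock_b proto=TCP dst=203.0.113.10 dport=80 action=BLOCK
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^\S+ app=(?P<app>\S+) proto=(?P<proto>TCP|UDP) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$"
)

def classify(proto, dport, dst):
    """Guess what a connection attempt was for, from protocol and port alone."""
    if ip_address(dst).is_link_local:
        return "link-local"   # 169.254.x.x: only reachable on the local link
    if proto == "UDP" and dport == 123:
        return "ntp"          # consistent with a time sync request
    if proto == "TCP" and dport in (80, 443):
        return "web"          # HTTP(S): could be API, ads or analytics
    return "other"

def summarize(log_text):
    """Count blocked attempts per (app, destination, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # line does not fit the assumed format
        try:
            kind = classify(m["proto"], int(m["dport"]), m["dst"])
        except ValueError:
            continue          # destination is not a valid IP address
        counts[(m["app"], m["dst"], kind)] += 1
    return counts

if __name__ == "__main__":
    for (app, dst, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{app:22} {dst:15} {kind:10} {n}")
```

Port and protocol only hint at purpose: what an app sends over port 443 cannot be read from a firewall log and needs a packet capture.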
 
I'd like to see what it actually is before I worry. I can see the writing in the wall, but, need a bit more to buy in and worry.

What's wrong with built in Android clock/alarm?
 
I agree it's premature to worry. If you aren't worried about your average everyday data mining (and most don't seem to be), I can't imagine there is anything more nefarious at work here. No real way to tell without examining exactly what is being sent though. I will report back if I actually endeavour to capture any packets and read them.

The stock clock is probably sufficient nowadays. I haven't really checked it out since KitKat. I started using this one way back in the days of Ice Cream Sandwich when you had to turn to 3rd parties to do stuff like playing an mp3 as your alarm tone. I've just stuck with it since then because it has worked reliably and -cheapskate that I am- I actually shelled out $1.99 for it.
 
Had much the same problem so I finally settled on Clock+ as a replacement. I even switched out my home clock for Simple Digital Clock Widget. It's ridiculous that most if not all preinstalled apps think they need internet access. I use Yalp Store as a playstore replacement so I never have to login to google for anything. Neither uses the net. Lawnchair Launcher just got updated too, good stuff. Google's 'Clock' should be renamed to Crock.
 
I'd like to see what it actually is before I worry. I can see the writing in the wall, but, need a bit more to buy in and worry.

What's wrong with built in Android clock/alarm?

The issue I had with the stock Android alarm clock is that you can't change the snooze time from 5 minutes. Maybe not a huge deal but 5 minutes is just enough time to **** me off upset me. Lol
 
This is the 1st I’m hearing about a clock app sending info, you sure it isn’t simply syncing with the Amazon servers (why Amazon) to keep it on time?

I'm 99.99% that's not the case, and the other 0.01% is that the developer is a complete and utter moron and is actually maintaining their own clock instead of using the system clock, which Android itself keeps updated via its own NTP services and the cell network.

@op: What exactly is wrong with the stock Android clock app? Alarm clock apps are one of those things that I don't see their point in existing for anything other than spyware.
 
petteyg359 said:
@OP: What exactly is wrong with the stock Android clock app? Alarm clock apps are one of those things that I don't see their point in existing for anything other than spyware.

The stock clock is probably sufficient nowadays. I haven't really checked it out since KitKat. I started using this one way back in the days of Ice Cream Sandwich when you had to turn to 3rd parties to do stuff like playing an mp3 as your alarm tone. I've just stuck with it since then because it has worked reliably and -cheapskate that I am- I actually shelled out $1.99 for it.
It was just missing features in the way back when times. I've checked it since starting this thread and it has those features now
 