I agree, it should be a simple question to answer. They’ve had plenty of time.
All this does is mske the reason for GPS access look more suspicious.
Not just GPS access, also Wyze app can modify Your system. there are literally 2 pages of permissions.
blank cheaque.
Sorry if some of my wording caused a lot of discussions here. I work with the Wyze product/engineering team to help solve customers’ problem here. I am not a lawyer. English is not my first language. I will try my best to be clear and articulate but I can’t guarantee every word I used was always appropriate. We are here to help not trying to mess things up. I hope everyone can understand our initiative.
Android permissions are tricky. For different versions of OS, different phone models, they could be different. Sometimes permissions are grouped together. Sometimes they are not. For example, Android puts Bluetooth permission together with Location permission. We need BTH for several hardware but the OS will automatically pop up for Location permission request. To customers it is suspicious but that is the only way for use to get Bluetooth permission.
My question is - is this thread talking about ‘Location permission’ usage or ‘GPS data’ here. My guess was that my answer was regarding ‘GPS data’ usage but the whole thread was about Location permission. If that was the case, I can see confusion here. Wyze app used Location services in multiple places. Based on each scenario, Location permission can be mandatory or optional. For example, in camera Wi-Fi setup, if we can have Location permission we can search for local WiFi SSID list to help list them in a dropdown box. If the permission is denied the user has to manually enter SSID which is painful. If that counts Wyze using customer’s GPS data, I think that was misunderstood.
Here is a feature level summary:
- Wyze does use location permission for SSID search, Bluetooth connection, Wyze Shop payment (Kount for fraud detection), and Wyze Lock auto-unlock feature.
- Braze is platform Wyze chose for user communication. Several in-app messages like What’s new and Service Advisory are implemented by Braze. I am not aware of any GPS data to Braze.
- We don’t send user GPS data to Facebook,
- The only confirmed feature using GPS info, not location permission, is for auto-unlock.
If there is a path (streaming or any case) which showed unexpected GPS data collection, please let us know how we can reproduce the issue. We will investigate.
Thanks!
Thank you Tao.
Tao: Thank you for the reply, however there are still several issues that remain unanswered.
I shall elaborate on these:
-
The issue I am raising is on the USAGE of location services within android. I understand the permisions/bluetooh requirements, however, what I experienced was the notification that a location usage request was made by the app. (actively being used to get the GPS location)
-
The app was used in it’s basic function to view cam video feeds. nothing else… no setups were done, no other waze products were used, no viewing/recording of timelapse photos.
-
I have tried a new camera setup and a firmware update on the app, and checked the Location Services usage, and there was none, So it’s not related to SSID lists, nor a camera setup/ firmware
-
With regards to Braze, it does use GPS location internal to it’s applicaiton API (as evident in a decompiled application) so while you may not “Send” data implicitly as part of it’s api call, internally it is using the GPS location and sending it to it’s servers (source code can be provided of this if needed)
-
You do use facebook and send it data. that is evident in the decompiled source code which uses Facebook Place Graph API to get information about your current GPS location (under which application/product use is unclear though)… That module is used several places in the source code. (unclear without a lot of time spent on which parts of the app (Lock, Cam, other) that uses it… but it can be determined if I spend quite a bit of time tracing code)
The Issue with Facebook and any use of it’s API’s is that while the API is “Free”, the user gives up the rights/use of the data that it sends to Facebook. (in this case my exact GPS location) Facebook can use that data any way it sees fit as Wyze has agreed to its terms of Use etc. (but I, the end user have not…) Face book combines that data with all the other Facebook data (Facebook analytics, Facebook Web application) to build a complete profile (including the mobile identifier, which it ties to your FB account) so now Facebook now knows, who you are, where you live, when you are at home, and when you are away from home etc). Wyze is providing one small portion of that data (by using the Places API).
right now I have not been able to reproduce when/where in the “CAM” usage that triggered the GPS location lookup, but as others have posted screen caps as well, it is happening to other users as well.
To summarize, I don’t think your reply has resolved the issue and it’s still unclear why GPS locations are being used for “basic” cam use (not setup), and also under “some conditions” you do send location data to Facebook and Facebook can use that data as it sees fit. (I don’t think that use is regular cam use and related to some other product use, but as your statement of “We don’t send user GPS data to Facebook,” this appears not to be correct as per the decompiled source code of the app.
This app code may have passed through many hands before WYZE modified it for their use.
This leads me to believe that there may be code running that WYZE is unaware of.
Edit
I got the feeling that the WYZE developers were struggling with the code because they weren’t the original coders.
I did not mean to imply that other companies had the code.
Which from a security and privacy perspective is a red flag. All that code should go through a “peer review” level of inspection to ensure they are aware of exactly what the app does (as at the end of the day they are responsible for it as they sell it to the end consumer)
We checked our code implementation and verified the Wyze source code doesn’t collect GPS data to send to Facebook. Our interaction with FB is pretty simple which is to allow users to share videos to FB. It is a popular feature for Wyze customers. For Facebook we initialize FB library to get FB in the share target list. Other than that we call the system share API to complete the work.
We didn’t find any unwanted GPS info collection in our app. If you found any of the FB API (or any other APIs) is secretly collecting GPS info without being noticed, we will check again where and how we call the API.
Wyze has full control of our source code. We do have developers come and leave the team but that is normal to all business. And thanks to @angus.black for updating your statement.
I suggest they check the files below… you can see a call to facebook requesting “place” information when passin the local GPS location.
com.huali/sources/com/facebook/places/PlaceManager.java: onRequestReadyCallback.onRequestReady(PlaceManager.newPlaceSearchRequestForLocation(placeSearchRequestParams, locationPackage.location));
and here is a list of all the classes which have references to facebook places in them… (some are 3rd party some are wyze developed modules based on the paths)
com.hualai/sources/bo/app/br.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/bo/app/eg.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/androidx/core/content/ContextCompat.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/facebook/internal/Utility.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/facebook/places/PlaceManager.java:package com.facebook.places;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.BluetoothScanResult;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.LocationPackage;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.LocationPackageManager;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.LocationPackageManager.Listener;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.LocationPackageRequestParams.Builder;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.internal.WifiScanResult;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.CurrentPlaceFeedbackRequestParams;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.CurrentPlaceRequestParams;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.CurrentPlaceRequestParams.ConfidenceLevel;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.CurrentPlaceRequestParams.ScanMode;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.PlaceInfoRequestParams;
com.hualai/sources/com/facebook/places/PlaceManager.java:import com.facebook.places.model.PlaceSearchRequestParams;
com.hualai/sources/com/facebook/places/internal/BluetoothScanResult.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/ScannerException.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationPackageManager.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationPackageManager.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/BleScannerLegacy.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/BleScannerLegacy.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/ScannerFactory.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/WifiScanResult.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationPackage.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationPackage.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/BleScanner.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationPackageRequestParams.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: throw new com.facebook.places.internal.ScannerException(com.facebook.places.internal.ScannerException.Type.UNKNOWN_ERROR);
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: public synchronized void startScanning() throws com.facebook.places.internal.ScannerException {
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r0 = new com.facebook.places.internal.BleScannerImpl$ScanCallBackImpl; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r0 = new com.facebook.places.internal.ScannerException; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r1 = com.facebook.places.internal.ScannerException.Type.UNKNOWN_ERROR; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r0 = new com.facebook.places.internal.ScannerException; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r1 = com.facebook.places.internal.ScannerException.Type.UNKNOWN_ERROR; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r0 = new com.facebook.places.internal.ScannerException; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: r1 = com.facebook.places.internal.ScannerException.Type.SCAN_ALREADY_IN_PROGRESS; Catch:{ all → 0x0058 }
com.hualai/sources/com/facebook/places/internal/BleScannerImpl.java: throw new UnsupportedOperationException(“Method not decompiled: com.facebook.places.internal.BleScannerImpl.startScanning():void”);
com.hualai/sources/com/facebook/places/internal/LocationScannerImpl.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/LocationScannerImpl.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/LocationScanner.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/WifiScannerImpl.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/internal/WifiScannerImpl.java:import com.facebook.places.internal.ScannerException.Type;
com.hualai/sources/com/facebook/places/internal/WifiScanner.java:package com.facebook.places.internal;
com.hualai/sources/com/facebook/places/model/PlaceSearchRequestParams.java:package com.facebook.places.model;
com.hualai/sources/com/facebook/places/model/CurrentPlaceRequestParams.java:package com.facebook.places.model;
com.hualai/sources/com/facebook/places/model/PlaceFields.java:package com.facebook.places.model;
com.hualai/sources/com/facebook/places/model/CurrentPlaceFeedbackRequestParams.java:package com.facebook.places.model;
com.hualai/sources/com/facebook/places/model/PlaceInfoRequestParams.java:package com.facebook.places.model;
com.hualai/sources/com/facebook/share/internal/LikeActionController.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/wyze/light/pa19/WLAP19Activity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/service/emergency/http/WyzeEmergencyPlatform.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/service/emergency/WyzeEnterVerficationActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/service/emergency/WyzeNoonlightActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/service/emergency/WyzeExistingPhoneActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/user/model/UserProfile.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/WyzeFactorUpdateNumberPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/authapp/validation/WyzeSmsVerficationCodeActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/authapp/validation/WyzeSmsExistingPhoneActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/authapp/validation/WyzeFaSmsPhoneNumberActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/authapp/WyzeFaChooseVerificationPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/WyzeFactorVerficationPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/WyzeFactorAuthenPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/WyzePrimaryNumberPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/home/fa/WyzeFactorUpdateVerficalPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/socket/weight/DelayTimeSetView.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/hualai/socket/install/ConnectingPage.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/wyzeband/base/WyzeBandConnection.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/google/android/gms/internal/fitness/zzj.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/google/android/libraries/places/internal/zzcm.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/google/android/libraries/places/internal/zzci.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/segment/analytics/AnalyticsContext.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/segment/analytics/android/integrations/appboy/AppboyIntegration.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/segment/analytics/internal/Utils.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/segment/analytics/Traits.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/paypal/android/sdk/onetouch/core/sdk/PayPalScope.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/paypal/android/sdk/onetouch/core/base/DeviceInspector.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/wyze/shop/page/WyzeStoreAddressesActivity.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/wyze/shop/common/WyzeStorePlatform.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/wyze/platformkit/utils/statistics/WpkWyzeStatisticsUtil.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/appboy/support/AppboyFileUtils.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/samsung/android/sdk/internal/healthdata/DeviceUtil.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/yunding/commonkit/util/AppUtils.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/yunding/ydbleapi/manager/h.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/com/ryeex/groot/lib/common/util/SystemUtil.java:import com.facebook.places.model.PlaceFields;
com.hualai/sources/org/joda/time/DurationFieldType.java:import com.facebook.places.model.PlaceFields;
Hi @darrylb, sorry for the late reply! I was OOTO last week. From our developer, there was one old reference to Facebook-Android-SDK which is not being used anymore. We will remove it in v2.13. We checked some (but not all, they are too many) files listed but didn’t find any code importing import com.facebook.places.model.PlaceFields. When 2.13 is release we expect most of them are gone.
For Segment or Braze referencing Facebook, that was beyond our capability to check the source code or remove reference.
I wish location actually worked. Then my wyze lock would auto unlock when I got home. But it never works. Wyze app still shows my location where I was 30 minutes ago.
@WyzeTao The reason you don’t see it is because it’s being used by one of your 3rd party libraries. This is why I see it in the decompiled code, but you don’t see it in your developers code… (you just see the include of the 3rd party library, and not it’s “internals”) So you have a 3rd party library which uses facebook places (which you didn’t know about) and you don’t know how it uses it and what it submits to facebook.
That is a bit concerning