A security researcher has uncovered a potentially creepy feature of the popular app to discover music.
What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to.
When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better.
"There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON,'" James Pearson, the VP of global communications for Shazam, said in an emailed statement. "If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off."
Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday.
While this sounds creepy, Wardle said he doesn't believe there's "any malice" in it. In other words, Shazam is not really spying on you, but the app certainly fails to disclose how it works, and "users should know," according to him.
"When I turn something off, 'off' should be 'off,'" Wardle told Motherboard. "It's nice of them to stop processing that data, but yeah, they are still recording all the time."
Pearson confirmed that the app keeps the mic on at all times, but disagreed with Wardle, saying that "there is no bug," as Shazam doesn't save or send audio samples but only "digital fingerprint summaries of the audio."
Pearson said in a statement that the mic is kept on "for technical reasons" but "no audio is processed, so the user's decision not to leverage our app's functionality is fully respected."
For these reasons, Pearson said Shazam won't change anything in the app, as "we do not have any reason to make changes."
Studying the app's behavior, Wardle was able to confirm that the app doesn't appear to process audio when it's turned off.
"I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc)," Wardle wrote in his blog post, which he shared with Motherboard in advance. "However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic."
For Wardle, that's not good because a piece of malware could inject into the app and piggyback on this feature to surreptitiously record the user, without prompting an alert. And Shazam could change the way the app works, and "as users we are just going to have to trust they won't."
So is Shazam keeping your mic always-on—even when you switch the app off—a feature or bug? That's up to you to decide. For what it's worth, Wardle said he deleted the app.
UPDATE, 11/15/2016, 3:30 p.m. ET: Shazam changed its mind on Tuesday, announcing a fix to this issue in the upcoming new version of its Mac app.
"Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days," Shazam's vice president of global communications said in a statement.