…and Backstitch Reader is probably spyware

So I had installed an insipid chatroom app on my phone, because it was the only reliable way to get the weekly schedule. This went as well as might be expected for a week or two, and then some manager or other came up to me and said there was another app I needed to install.

It was the most reliable way to get the corporate agendas that occasionally have useful info; they didn’t tell me this. Either it or its web portal is the only way for me to see anything resembling a pay stub; they might have mentioned this briefly, in passing, but I don’t remember it. Instead, they told me that I had to sign off on my completed time sheet every week, through this app, or I might not get paid.

I smelled bullshit. None of my eleven previous jobs had had a requirement like this, and I suspected that the “might not get paid” part might not be legal. I have yet to find an official answer and wasn’t able to fully parse the legalese of the oft-cited law itself, but the lawyers and payroll managers I’ve seen citing that law say again and again and again and again and again that my bosses would be in trouble (though, as with a lot of labor laws, enforcement would be extremely unlikely and I’d be definitely unemployed and possibly unemployable afterward).

And, as I’ve mentioned, I’m that guy who looks at an app’s permissions before installing it. I was definitely going to do a little reading before installing a mandatory app that had no purpose management was willing to name…

The permissions weren’t that far out of line, actually, but I also looked at the privacy policy and OH MY GOD SWEET JESUS NO.

– – –

I haven’t linked to this app’s Play Store page like I normally would have by now, and I’m not going to because I still worry about this blog being searchable by my employers. I really don’t have to, though, because, well…

Meet Backstitch Reader, which its devs describe as “a completely white-labeled web and mobile app,” which means that companies can slap their own logo on and call it “their” app. There are a number of these repackaged apps on the Play Store, and their privacy policies are all the same.

(This privacy policy is refreshingly blunt, actually. I’d congratulate Backstitch for this, but I suspect it’s less them being honest than them feeling no need to hide their intentions, because their intended victims aren’t the ones deciding whether they have to use this damn thing.)

No, seriously, pick one and read it, if you’re interested, and pay special attention to the part where it wants OAuth access to the user’s Google, Facebook, LinkedIn, Twitter, Instagram, and Tumblr accounts, which is probably the full list of social networks a room full of techies and suits – the kind who use LinkedIn as a social network – could think of in two minutes. (They forgot Reddit, Mastodon, Discord, and whatever the alt-right hope for social media was back in 2019, and they hadn’t fully internalized that Google+ had shut down.)

And sure enough, the first time I opened a PDF through the app, it wanted my Google account. Luckily, I was overdue for a new Google account anyway. Also, I’d had enough warning to be able to pick up the cheapest possible burner phone and install this goddamned app on that, because my employers have no honest reason to access anything on my actual phone.

(I wonder if Clicky and New Relic, the internal analytics tools the policy mentioned, can be repurposed to monitor a phone’s web traffic. I don’t think they can be, but I’m not sure… and that would plug the Reddit- and Discord-shaped holes I mentioned earlier.)

– – –

This app sometimes comes up in my conversations with managers; I swear I’ve listed off “Google, Facebook, LinkedIn, Twitter, Instagram, and Tumblr access” to the store manager twice. The second time, when she feigned surprise and asked why corporate would possibly want to monitor that much of my social media activity, I said, “I’m a secret union organizer.”

She and the assistant manager, who was listening, both went very still and quiet.

“Just kidding,” I said, noting for future reference that I’d struck a nerve.

– – –

And I have seen the word “backstitching” or “stitching” in the context of data mining and analytics, in case Backstitch hadn’t made its intentions clear enough yet.
