Skip to content
Naked Security Naked Security

Google Nearby: location-aware popup ads for location-aware apps

Forget drive-by installs! Here comes the "walk-by"...

Google just used the offical blog of the Android team to announce a new Android component called Nearby.

Technically, it’s not part of Android itself, because it’s intimately connected to Google Play, which is proprietary to Google.

So we don’t think you’ll see the source code for Nearby in the Android Open Source Project any time soon.

Not that we think Nearby would be hugely popular in alternative builds of Android, because it’s all about pop-up ads.

Simply put, companies that want to advertise their apps or websites using Nearby deploy a tiny Bluetooth-based hardware device known as an Eddystone beacon.

Eddystone is a protocol devised by Google to allow advertisers to find and communicate with your mobile phone as you walk by.

If your phone can receive and process the “here I am” broadcast from one of these beacons, it can use the identifier that is broadcast by the beacon to fetch and display adverts.

The theory is that beacon-triggered ads of this sort will not only be relevant to your interests, but also pertinent in time and space.

The low power and range of Bluetooth transmissions means you’re guaranteed to be nearby (geddit?) to the beacon, and thus in range of the ad, both figuratively and literally.

One of Google’s examples of what it calls “a thing that can be helpful near you” is receiving popup ads for a well-known drugstore chain’s Play Store app…

…just in case you want to print out any of the photos on your phone at that very moment.

But every photo-printing outfit I’ve seen in the last decade or so already lets me print photos from my phone quickly and easily, without installing a special app.

What I stand to gain from installing yet another app in a case like this isn’t clear.

Similarly, Google suggests that:

The right app at the right moment lets you get more done. For example, at a store, you may want a barcode scanner to check prices and reviews for an item.

I don’t know about you, but if I want to get objective price comparisons before I buy an item, and to put myself in an informed position for bargaining, I do my price comparisons before I walk into the first shop.

If I suddenly realised that a price-check app is what I needed, then I wouldn’t install an app promoted by a popup ad paid for by the shop I was in at that moment!

What to do?

According to Google:

To use Nearby, just turn on Bluetooth and Location, and we’ll show you a notification if a nearby app or website is available. Once you’ve opted-in, tapping on a notification takes you straight into the intended experience.

In other words, it sounds as though simply having Bluetooth and Location enabled effectively means you’ve opted in to Nearby.

If so, turning off either or both sounds like your only easy way of preventing the popups.

It also seems that if you have Android 4.4 (KitKat) or later, you’ll automatically get the Nearby component sometime soon, when the next update to Google Play Service happens.

If there is a way of exercising finer-grained control over Nearby, we’ll let you know.

Have your say

An an interesing aside, the Eddystone beacon protocol is named after the Eddystone Light, a famous ship-saving lighthouse off the Southern coast of England.

Ironically, perhaps, the Eddystone Light’s beacon was designed to alert ships so they could stay away from the dangerous rocks on which it was built, not to draw them closer in.

But, then again, the first Eddystone Light was washed away in a storm, while the second burned down.

What do you think?

Is Nearby a bug or a feature?

15 Comments

We need a more accurate name for this.
Nagware, Annoyware, GoogleSX. WTFWGT (What The F Was Google Thinking), LAPS (Location Aware Popups Suck). Got a better one?

“What I stand to gain from installing yet another app in a case like this isn’t clear.”
I submit that Google hopes we’ll find find instant-gratification outweighs annoyance with distractive media–given the trends I’ve observed in apps and human behavior, I’m inclined to believe we’ll give them what they want.

“If I suddenly realised that a price-check app is what I needed, then I wouldn’t install an app promoted by a popup ad paid for by the shop I was in at that moment!”
…which is why you and I–and most folks reading this–are not so much target audience as much as collateral damage. “Oh YEAH, good idea!” [click without critical pre-thought]

“If there is a way of exercising finer-grained control over Nearby, we’ll let you know”
Yes, please keep us apprised. Thanks Duck.

Anyway to make a buck… i would never use it
And if they force. I will go back to non-smart phone.

It already came with an update to the Android chrome app. At least for HTC m9 on 6.0 in the US. It is off by default though, and you can find it in the settings. Not sure exactly when it arrived, just noticed it recently. Then did some homework on just what it was. Probably would have known sooner had I been using Google Now app. But I gave that up years ago. Too bad I can’t include a screenshot.

Nothing new here except the Bluetooth variant. Location-Based Services has been around (at least in concept) for 15 years.

The popup ads that take you straight to specific app installers are new, too, surely?

“And if they force. I will go back to non-smart phone.”
Only last week I went into a store asking for the “best dumb phone” with the intent of buying a high quality phone rather than an el cheapo. None of the store attendants could understand what I mean in that when the smartphone were so much better…

Dear Paul

Nothing to do with the subject of this email

Yesterday, i installed sophos mobile security on my mobile

A notice appeared on my phone that someone other than Sophos had altered the package. It advised me to d-load Sophos from Google Play (where i d-loaded it in the first place)

I d-loaded it 3 times. Same message every time. This is the first time it happens.

It is the best mobile security application out there. Tested it (before) on amtso etc. Perfect scores! 100% detection rate, phishing protection.

Just to let you&Sophos know

kind regards
zeke

[2016-06-13T10:06Z. Update to my earlier comment]

As far as we can tell (following your message we tested a fresh download on a fresh Android, just in case!), the download is intact on Google Play. Indeed, an app that didn’t align with the developer’s own signature wouldn’t be accepted into Google Play in the first place. So that’s a relief.

The message you are seeing is an additional “tamper protection” test that the app does, which requires it to call home to Sophos. You can think of this a bit like “certificate pinning” in the world of HTTPS, where you not only use the regular way of authenticating a digital signature, but also use information of your own (e.g. “who’s allowed to sign? when are they supposed to have signed? if it’s signed but not by someone we expected, what’s going on?”) to authenticate the authentication, if that makes sense.

I *think* that this message can appear if we can’t complete the tamper protection check when you first launch the app. The guys who look after the app are looking into this, so thanks for bringing it to our attention.

I hesitate to say that it’s OK to ignore the message for now, although I think that it is… would you mind launching the app again when you know you are solidly connected, e.g. via Wi-Fi? If that connection is direct, i.e. doesn’t go through a VPN or a proxy, better still.

FYI, for the future, you might want to consider joining our free community forum:
https://community.sophos.com/products/mobile-device-protection/

(You can lurk without logging in but if you want to post questions or add replies of your own you need to sign up.)

Apologies for the confusion.

This technology is being used, to some degree, by waze- the navigation app bought by Google I noticed in Toronto for a long time it has shown places you will be passing or very nearby and the ads generally offer some type of discount. I presume given it is Google it’s some aspects of the aforementioned program. Anyone else notice the ads? So you tho k Google has already been using the tech with the waze app?? (Or is it sent by sent by Google/waze simply based upon gps coordinates without a beacon Btwn the user and the business. Nonetheless…. The outcome is a somewhat similar experience. When driving the untrusive ads/suggestions/coupons are actually quite distracting if u glance at your screen for a purpose to find it covered by an ad.

I doubt that the Eddystone signals would be any good as roadside location beacons signalling to passing cars. IMO they’re just too low-range and low-powered to work in that sort of scenario. The examples given by Google of the way they expect this to be used are when you’re walking around inside a shop, or waiting at a boarding gate at the airport.

Nearby notifications actually works better for not serving ads. After all, why would you opt-in to receive ads? And of course if a person is in a location, an easier way to advertise to them is by placing a sign in the space they are currently occupying. What this can be used for is to provide a notification of a more interactive experience available to the user. For example at the entrance of a restaurant a beacon could direct smartphone users to a reservation list website so they could add their names and even check their estimated wait time anywhere they have internet service. At a museum beacons could be used to allow users to interact with nearby art, or to start audio presentations on the user’s phone. One of the benefits, as I see it, would be not having to have apps to do all these things, after all do I really want to download another crappy app for a restaurant or art museum, or would I rather just use their website?

Anyway, I know a lot of people see this as an ad platform, but which is easier, putting a sign up or getting a user to detect a bluetooth signal, take out their phone (if they have one), see a notification for an ad, and then have them click to open the notification anyway? I think the sign is more effective.

What’s the bet we end up with both – signs at the departure gate (one of Google’s example use cases), or printed on the menu at every table in the restaurant, saying, “Turn on Bluetooth to get a free notification for our app!” (Or, worse still, notification signs reminding you to look at your phone so you don’t miss the notification popup that could have been printed on the notification sign in the first place.)

I’m just interested in this topic. Consider first the place that can invade my privacy however I see that it is a great opportunity for developers and business cases, for the large number of applications and uses. Just thinking about developing applications that recognize the return of a customer to the store, to ask how it was with the latest products purchased or even for the sellers to receive it by calling his name that would be wonderful. although we should centralize the technology in one or a few app’s because we would be filling the phones with dozens of app’s for each store, this would be annoying.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?