1. From the data I collected, the content of each message of is roughly 1000-2000 bytes. This is not much on it's own but over the course of a day it could end up. It appears as messages are queued and send in bulk when applicable, therefore I can't comment on bandwidth over time as the app may chunk its request. It may not even send messages when the screen is closed.
2. Everything is secured with HTTPS! All the analytics messages, messages to boses servers and firmware checks are all over HTTPS (The firmware file its self is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed)
3. A good question that needs further investigation :)
4. The anonymous id doesn't have any glaring information at least not immediately from the analytics platforms documentation https://segment.com/docs/spec/identify/ however yes the other meta-data defeat the purpose of an anonymous id.
5. It is definitely sending the data while the app is in focus, and i believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.
In this case I used fiddler, all I had to do generate a custom root certificate (Be warned this is not a good idea in general, look up super fish if you want an example of why installing custom root certificates can be bad), install that certificate on my device and then proxy my device through the computer running fiddler.
(Created an account to post this) I downloaded the app on android and listened to a few songs on Spotify to find out what information was being sent.
While the app is running, the app sends a HTTP (edit: HTTPS) request every time the track information changes or the volume changes.
When the track information changes it sends the artist, album and song name. When you change the volume it sends the new volume level.
Every request includes standard meta-data such as
* An _anonymous-id_
* Device serial number
* Information about whether wifi or cellular are connected and carrier name
* Device name, model and manufacturer
If there is interest I will write a blog post about potential ways to stop the data collection without removing the app :)
2. Everything is secured with HTTPS! All the analytics messages, messages to boses servers and firmware checks are all over HTTPS (The firmware file its self is downloaded over HTTP, but the URL is provided over HTTPS and the firmware may well be signed)
3. A good question that needs further investigation :)
4. The anonymous id doesn't have any glaring information at least not immediately from the analytics platforms documentation https://segment.com/docs/spec/identify/ however yes the other meta-data defeat the purpose of an anonymous id.
5. It is definitely sending the data while the app is in focus, and i believe while the app is open but not in focus. I am not 100% sure here as it was a very quick test.
6. Again something else to investigate :)