April 25, 2017

Bose Connect - jeopardizing privacy?

At the end of last week I’ve read a news article claiming that a lawsuit has been filed against Bose for secretly collecting and sending listening habits of their users using the Bose Connect app for iOS and Android. This app is not required to use the headphones, though there are functions only accessible via the app, for example installing firmware updates, renaming the device or setting the language of voice output.

Since I own a pair of Bose QC35 headphones and the Bose Connect app is indeed installed on my iPhone, I was eager to learn more. However, I initially did not believe a headphone manufacturer was going to collect data on what music I listen to, especially not when paying 379€ for a pair of headphones.

At the time I couldn’t find any technical research backing up the lawsuit’s claim. So I figured - why not have a look myself? At first, I simply monitored all network traffic in- and outgoing my phone. While playing around with Bose’s app I started to notice reoccurring patterns of connections being opened to certain domains. One of them was e.crashlytics.com, another one api.segment.io. As I got really curious what kind of data the app might be sending here, I did some more testing using a Raspberry Pi as a WiFi-NAT-router, essentially performing a man-in-the-middle-attack on my phone to mess with the TLS encryption of these connections. Unfortunately, I wasn’t able to intercept any traffic to e.crashlytics.com, presumably because the app uses certificate pinning on this connection. Since Crashlytics is a crash reporting system, the data transferred to this domain is likely just debug information, though.

Anyhow, the traffic that I was able to listen in to was going to api.segment.io. And well, I think was mistaken. I did find information about me and my habits in there. Dammit!

I was able to reproduce this connection pattern every time the music track changed or I adjusted the headphone’s volume. These infos get sent whether I listen to music from Apple Music, Spotify or even my favorite podcast. Aside from my phone as the source, when listening to Spotify on my Mac and having the Spotify app running in the background on my iPhone while listening on my headphones - you guessed it - data is being sent.

The request (header and body) at the bottom of this page is an example what exactly is transmitted. There is information about the app version, my device, the music/track I listen to and a bunch of IDs.

According to the Segment documentation, the anonymousId is used to track an otherwise unknown user over multiple data batches.

There are certain cases where you don’t actually know who the user is according to your database, but you still want to be able tie them to traits, events or page views. For example, you may not know who a user is when tracking newsletter signups or anonymous page views. In these cases, you should use an Anonymous ID. The Anonymous ID can be any pseudo-unique identifier. For example, on your servers you can use a session id. If you don’t have any readily available identifier, you can always generate a new random one—we recommend UUIDs.

The anonymousId, device id, advertisingId and messageId indeed look like UUIDs to me. As I don’t know how exactly these UUIDs are generated, I can’t tell if they hold any specific information or are just randomly generated - both could be possible.


To sum up, one could say that the Bose Connect app definitely is collecting information on the music being listened to. Also, Bose or a third party analytics provider may be able to create user profiles based on the UUIDs that are embedded within the transferred data. It is also possible that the app collects the serial number of the headphones and sends it over to Bose or a third party analytics provider when the app is being set up, which would allow for a link between the person who bought the headphones and analysis data coming in. However, I was not able to find any evidence that Bose or a third party analytics provider actually creates user profiles with regard to listening habits.

See for yourself what data is transmitted to api.segment.io:

POST /v1/batch HTTP/2.0
:authority: api.segment.io
accept: */*
content-type: application/json
accept-encoding: gzip
content-length: 650
user-agent: bose-connect-ios/1 CFNetwork/811.4.18 Darwin/16.5.0
accept-language: de-de
authorization: Basic MFRmaUpreHVBY3NCTGpXTFRRWjZkcW1VMmQycmZJdzc6

    "batch": [
            "anonymousId": "937246E6-15BA-4396-9979-101BBD339E5B",
            "context": {
                "app": {
                    "build": "1",
                    "name": "Bose Connect",
                    "namespace": "com.bose.boseconnect",
                    "version": "4.0.0"
                "device": {
                    "adTrackingEnabled": false,
                    "advertisingId": "00000000-0000-0000-0000-000000000000",
                    "id": "AEF9D0AD-BB20-45E9-80AD-D9584D7972F5",
                    "manufacturer": "Apple",
                    "model": "iPhone9,3"
                "library": {
                    "name": "analytics-ios",
                    "version": "3.5.7"
                "locale": "de-DE",
                "network": {
                    "carrier": "Telekom.de",
                    "cellular": false,
                    "wifi": true
                "os": {
                    "name": "iOS",
                    "version": "10.3.1"
                "screen": {
                    "height": 667,
                    "width": 375
                "timezone": "Europe/Berlin",
                "traits": {}
            "event": "Now Playing Event",
            "integrations": {},
            "messageId": "131BC9E1-BD12-4B39-98CA-C893DAB6EA63",
            "properties": {
                "Event Name": "Track Info Change",
                "Event Value": {
                    "Album": "Megalithic Symphony",
                    "Artist": "AWOLNATION",
                    "Song Title": "Sail"
            "timestamp": "2017-04-23T16:41:15.997+0200",
            "type": "track"
    "sentAt": "2017-04-23T16:41:21.716+0200"

© 2017 Martin Bock