(Image credit: androidpolice)
In a disturbing new report, it is revealed that every person who downloads an application through Google Play has had their personal information including name, email and address passed on to the developer without their knowledge or consent.
While this might be troubling, perhaps even more troubling is the highly secretive relationship between Google and the U.S. National Security Agency (NSA), their ties to the U.S. intelligence community and the lack of transparency in their so-called transparency reports.
Still, this “flaw,” uncovered by an app developer in Sydney, Australia, is no small matter. Perhaps the most concerning aspect of the report by news.com.au is the point that the “flaw” actually “appears to be by design.”
The developer, Dan Nolan, has created an application that hit number one in the Australian app store and he says that he does not feel comfortable being the custodian of all of that personal information.
Furthermore, Nolan says that there is no reason any developer should have all of this highly personal information at their fingertips.
“Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred,” writes Nolan on his blog.
“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” Nolan writes.
Nolan argues that the only way app developers should be able to get this information is if the users knowingly opt into it and “it’s made crystal clear that I’m getting this information.”
Currently, none of that takes place.
Claire Porter, the technology editor of news.com.au, points out that the problems posed by malware are even more serious than potential harassment from disgruntled app developers.
“With Google customers’ details just sitting in developers accounts, all it would take is a half decent piece of malware software for that information to be accessed,” Porter writes. “These personal details could then be used to access the users’ bank details. That’s also more than enough information to be able to access your other devices which could also be mined for more data – insurance information, other credit cards – which could then be used to access your banking credentials.”
In other words, this could present a quite attractive target for hackers looking to commit fraud on a massive scale.
According to Nolan, this could impact tens of millions of Google customers who have downloaded apps.
“As far as I can tell this impacts every person who purchased an App on the Play Store,” Nolan said to news.com.au.
“I can’t see any way to opt out of providing that information and it seems to be a feature of the Google checkout process,” Nolan said. “I don’t know whether it applies to free apps, but there are hundreds of thousands of apps that are available for pay on the play store and there are millions of people who buy Android apps out there, I’d say easily millions or tens of millions of people.”
“It’s active in every market that Google accepts payment for apps,” Nolan continued. “That’s a lot of people having their personal information handed over without them knowing.”
Even more disturbing is that Nolan says user information has always been provided to developers as far as he can tell.
Nolan said he thinks the only reason it hasn’t been discovered and exposed until now is “because the people who would have paid attention to it were likely exploiting it and selling users’ personal information, it using it as an extra source of revenue on top of what they were making off their Google Play/Android app.”
According to Nolan, the amount of data provided by Google is ludicrous compared to that provided to developers by Apple.
“In comparison to the information you get from Apple which is just a quantity of sales in a Country and then a check three months later, this is absolutely absurd,” Nolan said.
“I doubt anyone expects to have their contact information, name and suburb sent to a developer purely because they decide to buy an app off the Play Store,” he added.
Porter points out that while the Google terms of service indeed states that the company may store this type of personal information, the Google privacy statement says nothing about giving that information to developers whenever you pay for an app.
That being said, the terms of service does say that Google will hand over your address and other personal information if you purchase a magazine subscription but that is the only type of app mentioned.
“This is a massive, massive privacy issue Google. Fix it. Immediately,” Nolan concludes.
Unanswered questions remain: how many people have had their personal information released to developers without their knowledge and consent? How large is the security risk posed by the huge amount of information in the hands of potentially less-than-scrupulous developers?
Furthermore, how many developers have sold this information to third parties without user knowledge or consent? Will we ever know?
It will be fascinating to see how Google responds to this. They did not respond to news.com.au for comment, although the article was apparently changed in some way as an update reads, “This story has been amended at the request of Google.” without stating how it has been amended.
UPDATE: News.com.au revealed the changes they made to the original piece at Google’s request, they “took out the words “massive” and “huge” – referencing the size of the security ‘flaw’. The word ‘flaw’ was also put into inverted commas.” There is also an update with more information including more quotes from Nolan. Definitely worth a read for those who want to learn more. See that here.
By Madison Ruppert, Editor of End the Lie