Developer Dan Nolan wrote a blog post describing how he found a treasure trove of personal information such as email and mailing addresses from users who downloaded his app, the Paul Keating Insult Generator.
Nolan's concerns highlight something that has been part of Google's Terms of Service since the beginning. Both app developers and consumers agree to the sharing of personal information by accepting the terms.
"If you bought the app on Google Play - even if you cancelled the order - I have your email address, your suburb and in many instances, your full name," Nolan wrote.
"This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it's made crystal clear to them that I'm getting this information."
Nolan said the information could allow developers to "track down and harass users who left negative reviews or refunded the app purchase".
When someone purchases an app via Google Play, it is made through Google Wallet and the payment goes directly to the developer. When users pay the developer, certain information can be sent, ostensibly for billing and taxing purposes. The developer agrees to not use this information for spam or beyond certain terms when they sign up and agree to Terms of Service.
Similarly, when consumers download certain apps, they also agree to terms and are told they may be required to share this type of information.
For iOS, Apple is the merchant of record - not the developers, as with Google Play - when users purchase apps via the Apple App Store. As such, the same kind of automatic sharing of personal information doesn't happen.
"This is an interesting philosophical difference and users who buy something with Google Play are probably assuming they are doing business with Google - not the developer," said Chester Wisniewski, senior security advisor at Sophos.
In addition, Google Play has had a track record for having more malicious apps than the Apple App Store, some of which have phished user information to steal money and identities.
"While I wouldn't panic, it's probably something Google should revisit," Wisniewski said. "A cybercriminal could create an app just to get data, and that is what Google should want to avoid."
Mashable is the largest independent news source covering digital culture, social media and technology.