Developer discovers Google Play privacy issue

SAMANTHA MURPHY
Last updated 05:00 15/02/2013


This post was originally published on Mashable.

An Australian app developer has discovered he has access to the personal information of users who download his Android app in the Google Play store, sparking fears of a Google privacy issue.

Developer Dan Nolan wrote a blog post describing how he found a treasure trove of personal information such as email and mailing addresses from users who downloaded his app, the Paul Keating Insult Generator.

Nolan's concerns highlight something that has been part of Google's Terms of Service since the beginning. Both app developers and consumers agree to the sharing of personal information by accepting the terms.

"If you bought the app on Google Play - even if you cancelled the order - I have your email address, your suburb and in many instances, your full name," Nolan wrote.

"This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it's made crystal clear to them that I'm getting this information."

Nolan said the information could allow developers to "track down and harass users who left negative reviews or refunded the app purchase".

When someone purchases an app via Google Play, the purchase is made through Google Wallet and the payment goes directly to the developer. When users pay the developer, certain information can be sent, ostensibly for billing and tax purposes. When developers sign up, they accept the Terms of Service and agree not to use this information for spam or for anything beyond what those terms allow.

Similarly, when consumers download certain apps, they also agree to terms and are told they may be required to share this type of information.

For iOS, Apple is the merchant of record - not the developers, as with Google Play - when users purchase apps via the Apple App Store. As such, the same kind of automatic sharing of personal information doesn't happen.

"This is an interesting philosophical difference and users who buy something with Google Play are probably assuming they are doing business with Google - not the developer," said Chester Wisniewski, senior security advisor at Sophos.

In addition, Google Play has a track record of having more malicious apps than the Apple App Store, some of which have phished user information to steal money and identities.

"While I wouldn't panic, it's probably something Google should revisit," Wisniewski said. "A cybercriminal could create an app just to get data, and that is what Google should want to avoid."

Mashable is the largest independent news source covering digital culture, social media and technology.
