Google Play Flaw Gives App Developers Purchaser's Information

from the uh,-why? dept

Google, being the undisputed search engine king, is no stranger to concerns over the privacy of its users. Everything from odd fears over their privacy policy to the images on Google maps has been hurled at them, with most of the intelligent analysis of said concerns amounting to indifferent shoulder shrugs. Privacy is important, of course, but there's yet to be any sense of malicious intent or gross oversight in these cases. Rather, they tend to fall into the category of potentially yet unlikely dangers brought about by the very nature of expanded technology.

Perhaps that's why it feels so strange to learn that Google's Play store is so callous with user data, offering up names, street addresses, and email addresses to app developers when their products are purchased. This, according to developer Dan Nolan in Australia.

"Let me make this crystal clear, every App purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," Nolan wrote on his blog. "With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase."

If accurate, Google making that information available is at best stupid. As the selling platform, there's simply no reason to do it. Why does the guy or girl who created the Fat Booth app that so delights my friends need to know where I sleep at night? It might be a case where there's confusion about the roles each one is playing. If Google merely views itself as a platform for others to create a store, then you could kind of see where this made sense. App developers are then setting up their own "store" where there are advantages to them having a direct relationship with their customers. The problem, however, is that users don't view it this way. They think of Google as "the store" and this looks like them handing over their private info to the suppliers. And that certainly feels like a pretty massive privacy breach.

More importantly, as the article notes, the implications on how malware creators could exploit this are even more worrisome.

With Google customers' details just sitting in developers accounts, all it would take is a half decent piece of malware software for that information to be accessed. These personal details could then be used to access the users' bank details. That's also more than enough information to be able to access your other devices which could also be mined for more data - insurance information, other credit cards - which could then be used to access your banking credentials.

Due to these very concerns, Nolan expresses his displeasure and discomfort with having that information at all. Worse, if there's any way to opt out of receiving it, he can't seem to find it. Just as worrisome as the flaw is the fact that no one else bothered to report it. Whether this was laziness, ignorance, or the very real possibility that many developers were doing something underhanded with their customers' information is unclear, but all three possibilities are damning to Google, which certainly should have known better. Worse yet, Google is quite clear in their TOS that it can store this information once you provide it, but there's is no mention of their passing along that data to app developers in their privacy statement.

While there's yet to be any response from Google as of the time of this writing, the original article did note that Google had already requested an amendment to the story, meaning what remains of it is likely accurate. The speed with which Google needs to fix this would be mach-infinity.

Filed Under: app developers, apps, google play, privacy, stores, user information
Companies: google