Google Play Gives User Data to App Devs

ID THREATPOST:63CD4EE6F084A35B2E639A5758513044
Type threatpost
Reporter Brian Donohue
Modified 2013-05-13T16:10:38


Android application developer Dan Nolan claims that the Google Play store sends software developers the names, approximate locations, and email addresses of every individual who downloads one of their applications.

Nolan created a “Paul Keating Insult Generator” application that is apparently quite popular in Australia. Nolan claims he recently logged into his Google Play account to update his payment options. When he visited the merchant account section, he noticed that Google Play was sending him the email address, approximate location, and, in some cases, full names of every person that downloaded his application.

Google Play orders, Nolan explains, are being treated like Google Wallet transactions, meaning that software developers are receiving all the same information about application orders – with the exception of exact addresses – that merchants would receive about people ordering actual merchandise.

“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” Nolan said on his blog.

Google had no official comment on the matter, but a source familiar with Google Play and Android policies confirmed in a phone interview that Google Play does indeed give this information to developers but explained that this is nothing new.

On Google Play, Android developers are merchants of record; therefore, the source said, developers need certain information for tax purposes. This differs from Apple’s App Store, where developers do not need user information because Apple is the merchant of record.

Nolan claimed there is no way for users to know this is even happening. The source objected to this, citing the terms of use while explaining that users are informed that they are required to provide certain information about themselves in order to access the Google Play marketplace.

Developers are bound by their own terms as well, which technically prevent them from misusing any information they receive about users:

“You agree that if you use the Market to distribute Products, you will protect the privacy and legal rights of users,” the developer agreement reads. “If the users provide you with, or your Product accesses or uses, user names, passwords, or other login information or personal information, you must make the users aware that the information will be available to your Product, and you must provide legally adequate privacy notice and protection for those users. Further, your Product may only use that information for the limited purposes for which the user has given you permission to do so. If your Product stores personal or sensitive information provided by users, it must do so securely and only for as long as it is needed.”

The source would not elaborate on the specific information collected by the Google Play store.