Many free Android apps are violating Google Play Store guidelines by sharing user information?

posted by Alan F.

Dec 02, 2016, 12:07 PM

Many free Android apps are violating Google Play Store guidelines by sharing user information?

A study completed by Carnagie Mellon University found that half of 18,000 free Android apps surveyed do not have a privacy policy in place. And many of the apps that do have such a policy are not being truthful with how personal information is collected and disseminated. For example, 41% of the apps with a privacy policy did not mention that they do gather identifiable data, and 17% failed to note that this information is shared.

Most state and federal laws require that mobile apps have privacy policies in place, especially if personally identifiable information is being collected. The apps that need this type of information, but fail to have a policy in place, are violating the written guidelines posted by Google for the Google Play Store.

"If your app handles personal or sensitive user data (including personally identifiable information, financial and payment information, authentication information, phonebook or contact data, microphone and camera sensor data, and sensitive device data) then your app must:

Post a privacy policy in both the designated field in the Play Developer Console and from within the Play distributed app itself.
Handle the user data securely, including transmitting it using modern cryptography (for example, over HTTPS).

The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses and shares user data, including the types of parties with whom it’s shared."-Google Play Developer Policy Center

While Carnagie Mellon cites the aforementioned stats as proof that there is some irregularities gong on among Android developers, the problem might not be as widespread as the University says it is. As it turns out, the automated system it employs might not pick up information that would refute the charge that a particular app is sharing data without a posted policy. CMU's own professor of computer science Norman Sadeh says, "Just because the automated system finds a possible privacy requirement inconsistency in an app does not mean that a problem necessarily exists." Checking irregularities by hand would result in a more accurate look at this issue, although it would be time consuming.

Part of the problem comes from developers who are naive about what is required. Take someone who develops an app that uses Google Maps, but fails to mention in the app's privacy policy that location data is being shared. Professor Sadeh points out that "Whenever you’re using Google Maps, you’re effectively sharing personal information with Google."