NelsonG

Google removes 3 Android apps for children, with 20M+ downloads between them, over data collection violations


When it comes to apps, Android leads the pack with nearly 3 million apps in its official Google Play store. The sheer volume also means that sometimes iffy apps slip through the cracks.

Researchers at the International Digital Accountability Council (IDAC), a nonprofit watchdog based out of Boston, recently found that a trio of popular and seemingly innocent-looking apps aimed at younger users were violating Google’s data collection policies, potentially accessing users’ Android ID and AAID (Android Advertising ID) numbers, with the data leakage potentially connected to the apps being built using SDKs from Unity, Umeng and Appodeal.

Collectively, the apps had more than 20 million downloads between them.

The three apps in question — Princess Salon​, Number Coloring and ​Cats & Cosplay — have now been removed from the Google Play app store, as you can see in the links above. Google confirmed to us that it removed the apps after IDAC brought the violations to its attention.

“We can confirm that the apps referenced in the report were removed,” said a Google spokesperson. “Whenever we find an app that violates our policies, we take action.”

The violations point to a wider concern with the three publishers’ approach to adhering to data protection policies. “The practices we observed in our research raised serious concerns about data practices within these apps,” said IDAC president Quentin Palfrey.

The incident is being highlighted at a time when a lot of attention is being focused on Google and the size of its operation. Earlier this week, the U.S. Department of Justice and 11 states sued the company, accusing it of monopolistic and anticompetitive behavior in search and search advertising.

To be clear, the app violations here are not related to search, but they underscore the scale of Google’s operation, and how even small oversights can lead to tens of millions of users being affected. They also serve as a reminder of the challenges of proactively policing individual violations on such a scale, and that those challenges can land in a particularly risky area: how minors use apps.

At least in the case of two of the publishers, Creative APPS and Libii Tech (whose apps are built around the cast of characters illustrated at the top of this story), other apps are still live. It also appears that versions of the apps are still downloadable through APK sites. There are also versions on iOS, but IDAC’s tech team said that in an initial analysis it didn’t immediately see analogous concerns, and that it will continue to monitor the situation.

The violation in this case is complex but is an example of one of the ways that users can unknowingly be tracked through apps.

Pointing to the behind-the-scenes activity and data processing that gets loaded into innocent-looking apps, IDAC highlighted three SDKs in particular used by the app developers as the source of the issues: the Unity 3D and game engine, Umeng (an Alibaba-owned analytics provider known as the “Flurry of China” that some have described also as an adware provider) and Appodeal (another app monetization and analytics provider).

Palfrey explained that the problem lies in how the data that the apps were able to access by way of the SDKs could be linked up with other kinds of data, such as geolocation information. “If AAID information is transmitted in tandem with a persistent identifier [such as Android ID] it’s possible for the protection measures that Google puts in place for privacy protection to be bridged,” he said.

IDAC did not specify the violations in all of the SDKs, but noted in one example that certain versions of Unity’s SDK were collecting both the user’s AAID and Android ID simultaneously, and that could have allowed developers “to bypass privacy controls and track users over time and across devices.”

IDAC describes the AAID as “the passport for aggregating all of the data about a user in one place.” It lets advertisers target ads to users based on signals for preferences that a user might have. The AAID can be reset by users. However, if an SDK is also providing a link to a user’s Android ID, which is a static number, it starts to create a “bridge” to identify and track a user.

Palfrey would not get too specific on whether it could determine how much data was actually drawn as a result of the violations that it identified, but Google said that it was continuing to work on partnerships and procedures to catch similar (intentional or otherwise) bad actors.

“One example of the work we are doing here is the Families ad certification program, which we announced in 2019,” said the spokesperson. “For apps that wish to serve ads in kids and families apps, we ask them to use only ad SDKs that have self-certified compliance with kids/families policies. We also require that apps that solely target children not contain any APIs or SDKs that are not approved for use in child-directed services.”

IDAC, which was launched in April 2020 as a spin-off of the Future of Privacy Forum, has also carried out investigations into data privacy violations on fertility apps and COVID-19 trackers, and earlier this week it also published findings on data leakage from an older version of Twitter’s MoPub SDK affecting millions of users.
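The AAID/Android ID "bridge" described above can be checked for when auditing an app's captured outbound traffic. The following is an added example, not code from IDAC, Google or the article: it flags request bodies that carry both identifiers and shows how one static Android ID ties together AAIDs from before and after a reset. The hosts, JSON keys and identifier values are constructed, and matching identifiers by value shape is an assumption of this sketch.

```python
import json
import re
from collections import defaultdict

# AAID is a UUID string; Android ID is a 64-bit value written as hex.
# Matching on value shape (not key names) is an assumption of this sketch.
AAID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
ANDROID_ID_RE = re.compile(r"^[0-9a-f]{16}$", re.I)

def leaf_strings(node):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from leaf_strings(child)

def identifiers(body):
    """Return (set of AAIDs, set of Android IDs) found in one request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return set(), set()  # non-JSON bodies are out of scope here
    values = list(leaf_strings(doc))
    return ({v.lower() for v in values if AAID_RE.match(v)},
            {v.lower() for v in values if ANDROID_ID_RE.match(v)})

def audit(requests):
    """Flag requests carrying both IDs; map each Android ID to the AAIDs seen with it."""
    flagged, bridge = [], defaultdict(set)
    for index, req in enumerate(requests):
        aaids, android_ids = identifiers(req["body"])
        if aaids and android_ids:
            flagged.append(index)
            for android_id in android_ids:
                bridge[android_id] |= aaids
    return flagged, dict(bridge)

# Constructed sample traffic: hosts, keys and values are all made up.
SAMPLE = [
    {"host": "sdk.example", "body": '{"dev": {"adid": "11111111-2222-4333-8444-555555555555", "aid": "9f3c2a7be41d0c56"}}'},
    {"host": "ads.example", "body": '{"ifa": "11111111-2222-4333-8444-555555555555"}'},
    # After the user resets the AAID, the Android ID is unchanged.
    {"host": "sdk.example", "body": '{"dev": {"adid": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", "aid": "9f3c2a7be41d0c56"}}'},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A bridge entry with more than one AAID means the reset did not break the link between the two advertising profiles.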
