Purchases made on Google Play disclose users’ personal info to app devs

by: Conan Hughes
February 15, 2013

Android Security

Google is again under attack for its apparent mishandling of its users’ personal information. Not long after Microsoft criticized the search giant’s treatment of the email contents of its Gmail users, a new privacy issue has surfaced all over the Internet: too much customer information is shared with app developers.

Australian developer Dan Nolan lambasted Google in his blog post on Wednesday, declaring a ‘Massive Google Play Privacy Issue.’ He found out that when users purchase an app, its developer obtains personal details such as email and physical address, even real names. Nolan discovered that he had obtained a fair share of customer info himself after logging into his Google Play merchant account to update his payment details.

For a little background, the Paul Keating Insult Generator is Nolan’s sole Android app, a ported version of his iOS app that automatically produces insults based on the wit of the titular Australian politician. The app has gained considerable popularity in the App Store, which motivated Nolan to create one for Android.

Google’s use of personal data

The sharing of users’ personal information with developers is not caused by a malware threat or a flaw in Google’s software. Instead, the company is apparently able to do so willingly in compliance with its privacy policy for its app store and Google Wallet payment system. But, according to privacy groups and on careful inspection of the policies, Google does not clearly mention that it is sharing personal information with app developers, nor does it make much effort to inform buying customers.

An anonymous developer told News.com.au that certain information is transferred to devs for billing and tax purposes. The main thing that keeps developers from abusing such information is the “terms of service” they agreed to when they signed up. Email addresses are also flagged when users choose to receive marketing and promotional materials. However, Nolan doubts that developers are extremely attentive and obedient to their agreement with Google.

Possible Consequences

So what could this possibly mean for users? Nolan has a pessimistic answer for that as well:

With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase.

If you are quite alarmed by how Google shares your information in its Play Store, there are always a number of options you can take on your part while waiting for Google to amend its conduct. For instance, the company itself lists in its own privacy policy page some choices such as controlling what information to share and who to share it with, viewing and editing ad preferences and even liberating your data from its services.

For a mobile ecosystem that has become the main target of cybercriminals, Nolan seems right to point out that this has been a “massive oversight by Google.”

“This is a massive, massive privacy issue Google. Fix it. Immediately,” he concluded on his blog.

  • williamworlde

    This was my big fear last August when I was making the tough decision to cross over from iOS to Android: I REALLY DON’T TRUST GOOGLE! Mr. Nolan’s comments have certainly confirmed my suspicion and given me no comfort.

    I never bought any apps for my 3GS in my entire 3-year stint with Apple. In the first couple months I’d already bought 3 apps from Google, and they have my credit card on file! I knew this was wrong, but I was seduced by “convenience” (I do know better). Now I’m kicking myself! But this is even worse information.

    Could Google be sued for this breach of trust? Is it a breach of trust? The terms are not that clear to me, especially since I only skimmed them with my initial purchase. Hmmm…..

    • anoma_dotNET

      You should read Mr Nolan’s blog and then look at the Play Store rating of his only app. It seems to me that Mr Nolan pads his ratings with obvious friends rating it highly.

      He also doesn’t realise this information is for tax purposes and would rather fantasise about how he could harass people with this information.

      I don’t think we need people like Mr Nolan in the community, he seems very childish and the Tax office should probably look into his accounts to make sure he’s claiming the right taxes.

      • paxmos

        What an idiot you are…Idiots like you miss the point entirely. If I buy from Amazon, I know who I am dealing with. When I buy from play store, I am under the impression that I am buying from Goo gel not joe shmook somewhere in a corner in Russia and heck I don’t want that dude or dudette to have my information. It is bad enough that Goo gel collects all your information when you use their services, way bad that it sends that information to the developers. Had I known this, I would have never bought or downloaded anything from Play Store. What is Goo gel thinking? I am so freaking upset. What the hell does the developer need my name and my email address for? All they need is the $ amount from the sale of their product….Fuck you Goo gel, you say this is a feature? What kind of feature is this…giving my information to possible rogue developers as if Play Store does not have enough of them penetrated in the store anyway…..Fuck you Goo gel

        • Justin Winker

          Don’t buy from shady developers then. It’s not hard. Read reviews; if there are none, don’t buy it. If it looks sketchy, don’t buy it. There are plenty of free apps that this doesn’t happen with.

          • paxmos

            Ratings are all about the apps, how well do we know the developer or their codes? If I want to go to a restaurant, I shouldn’t be asking around if the owner is clean and food healthy, that is the owner’s responsibility to make sure that I get good food and that the chef does not get my credit card number, etc. I hope you get my point. Too many times companies like Goo gel get away with irrational justifications (in this case labeling this a feature) because we do have and intend to be biased and approve such behavior.

          • anoma_dotNET

            You say this “What an idiot you are…Idiots like you… ” and then argue you’re not nasty?

            Get stuffed. No-one needs your insults or rants, speak like an adult.

        • anoma_dotNET

          You’re a nasty person. Sharpen up boy, no-one wants to hear your insults.

          Discuss things like an adult or don’t post at all.

          Don’t quote 1 single online store like Amazon, think about the others, the so called trustworthy online websites (and Paypal) who have access to more info than this.

          Don’t forget the phonebook either.

          If you’re so paranoid, sign off and stay AFK.

          • paxmos

            I am not nasty and am using Amazon just as a reference. I sure hope Amazon does not do what Goo gel does. Let me clear my point. Why does a developer need to know my information? Does your boss give you all the information about his/her company’s customers? Let’s say that you work at oh a grocery store, do they need to or do you need to have customers’ names, email addresses, and physical addresses on your paystub? If you answered yes to these questions then I will “sign off and stay AFK”

          • Justin Winker

            Amazon passes along your address in addition to the other info, otherwise the 3rd party retailers couldn’t send their products to you. Sorry buddy, but you’re not going to get around that. If you want anonymity so bad, go get some bitcoins and see what you can buy then.

  • Justin Winker

    I disagree completely with this article… When you buy something online (anything, really), you give your name, address, credit card info, and phone number to them. What’s the big deal with a developer knowing your name and city? Nothing. They don’t have your address, they don’t have your credit card, they don’t have your mother’s maiden name. I am perfectly fine with “Joe Schmoe” knowing my information as long as I authorize him to have it.
    And on that note, did anyone read the T&C of the Play Store? It allows them to give that info to developers – it’s used to help with refunds, contacting a customer if there are questions. No need to make such a big deal about little things that happen everywhere and on a daily basis.

    • I guess it depends on how much you trust some unknown developer in some far away country. Russia? China?

      “Apple, however, acts as the sole merchant on record for the company’s App Store. As a result, third-party developers see no personal information”

  • ThunderStick ooo

    I owned a small online business and received orders via credit card and paypal all the time. Why is the play store any different than ebay, amazon or any online merchant? It’s not, you buy things from china, india or the middle-east all the time on ebay and they get way more info than what is given on the developer console. If you’re such a privacy shrude, then go live in cave, grow a long beard and pretend you have a girlfriend named pa(l)m. I just looked at my developer console to see what actual info I could use to convey doom to others. The most I get is possibly the person’s real name, email and city and state they live in. Seriously, one account only has his first name listed. Using the name Joe, how is it possible I can possibly use this for harmful purposes?

    Merchant accounts are held by their owners. Owners are subject to fair practice laws and regulations. I believe this is how Google dictates and regulates its merchant services. They are services from Google but the uses of them are the responsibility of the users / owners.