When it comes to apps, Android leads the pack with nearly 3 million apps in its official Google Play store. The sheer volume also means that sometimes iffy apps slip through the cracks.
Researchers at the International Digital Accountability Council (IDAC), a non-profit watchdog based out of Boston, found that a trio of popular and seemingly innocent-looking apps aimed at younger users were recently found to be violating Google’s data collection policies, potentially accessing users’ Android ID and AAID (Android Advertising ID) numbers, with the data leakage potentially connected to the apps being built using SDKs from Unity, Umeng, and Appodeal.
Collectively, the apps had more than 20 million downloads between them.
The three apps in question — Princess Salon, Number Coloring and Cats & Cosplay — have now been removed from the Google Play app store, as you can see in the links above. Google confirmed to us that it removed the apps after IDAC brought the violations to its attention.
“We can confirm that the apps referenced in the report were removed,” said a Google spokesperson. “Whenever we find an app that violates our policies, we take action.”
The violations point to a wider concern with the three publishers’ approach to adhering to data protection policies. “The practices we observed in our research raised serious concerns about data practices within these apps,” said IDAC president Quentin Palfrey.
The incident is being highlighted at a time when a lot of attention is being focused on Google and the size of its operation. Earlier this week, the US Department of Justice and 11 States sued the company, accusing it of monopolistic and anticompetitive behavior in search and search advertising.
To be clear, the app violations here are not related to search, but they underscore the scale of Google’s operation, and how even small oversights can lead to tens of millions of users being affected. They also serve as a reminder of the challenges of proactively policing individual violations on such a scale, and that those challenges can land in a particularly risky area: how minors use apps.
At least in the cases of two of the publishers, Creative APPS and Libii Tech (whose apps are built around the cast of characters illustrated at the top of this story), other apps are still live. And it also appears that versions of the apps are also still downloadable through APK sites (like this one). There are also versions on iOS (for example here), but Palfrey said it had not assessed iOS versions so it’s not clear if they are similarly leaking data.
The violation in this case is complex but is an example of one of the ways that users can unknowingly be tracked through apps.
Pointing to the behind-the-scenes activity and data processing that gets loaded into innocent-looking apps, IDAC highlighted three SDKs in particular used by the app developers: the Unity 3D and game engine, Umeng (an Alibaba-owned analytics provider known as the “Flurry of China” that some have described also as an adware provider), and Appodeal (another app monetization and analytics provider) — as the source of the issues.
Palfrey explained that the problem lies in how the data that the apps were able to access by way of the SDKs could be linked up with other kinds of data, such as geolocation information. “If AAID information is transmitted in tandem with a persistent identifier [such as Android ID] it’s possible for the protection measures that Google puts in place for privacy protection to be bridged,” he said.
IDAC did not specify the violations in all of the SDKs, but noted in one example that certain versions of Unity’s SDK were collecting both the user’s AAID and Android ID simultaneously, and that could have allowed developers “to bypass privacy controls and track users over time and across devices.”
IDAC describes the AAID as “the passport for aggregating all of the data about a user in one place.” It lets advertisers target ads to users based on signals for preferences that a user might have. The AAID can be reset by users. However, if an SDK is also providing a link to a users Android ID, which is a static number, it starts to create a “bridge” to identify and track a user.
Palfrey would not get too specific on whether it could determine how much data was actually drawn as a result of the violations that it identified, but Google said that it was continuing to work on partnerships and procedures to catch similar (intentional or otherwise) bad actors.
“One example of the work we are doing here is the Families ad certification program, which we announced in 2019),” said the spokesperson. “For apps that wish to serve ads in kids and families apps, we ask them to use only ad SDKs that have self-certified compliance with kids/families policies. We also require that apps that solely target children not contain any APIs or SDKs that are not approved for use in child-directed services.”
IDAC, which was launched in April 2020 as a spinoff of the Future of Privacy Forum, has also carried out investigations into data privacy violations on fertility apps and Covid-19 trackers, and earlier this week it also published findings on data leakage from an older version of Twitter’s MoPub SDK affecting millions of users.