Android App Maker Says Google Shares Customers' Private Data
Whenever you buy or download an Android app, Google gives the app's maker your email address, location and sometimes even full name.
So says Dan Nolan, an Australian software developer who was surprised to be receiving such personal information about his customers.
"Every app purchase you make on Google Play gives the developer your name, suburb and email address with no indication that this information is actually being transferred," wrote Nolan on his blog last week.
Nolan is the creator of a popular Android and iOS app called the "Paul Keating Insult Generator," named after a former Australian prime minister famed for his colorful put-downs.
Although the practice of sharing customers' more benign information with developers isn't new, what developer Dan Nolan discovered could be problematic.
"Each Google Play order is treated as a Google Wallet transaction, and, as such, software developers get all of the information (sans exact address) for an order of an app that they would get from the order of something physical," Nolan wrote.
Nolan told News.com.au's Claire Porter that until recently, Google gave developers "alias" email addresses of customers instead of the real things.
"Sometime around the end of October or November, they stopped generating that [alias] email and just passed on the real details of the users," Nolan told Porter.
An unnamed source told Kaspersky Lab's Threatpost blog that sharing customer information with developers is not a new practice.
Threatpost's source explained that in Google Play, developers are the merchants of record, and thus need customer information for tax purposes. The source said in Apple's iTunes Store, Apple itself is the merchant of record.
That may be little more than cold comfort to the millions of users who download apps from Google Play and are never notified that their personal details are being shared.
Google Play's Terms of Service forbid developers from misusing customer data, but anyone with $25 and a Gmail account can easily register as an Android app developer.
With such a low bar to entry, it would surprise no one to discover if an unscrupulous developer were to be found abusing such data.
An email sent to Google's press office seeking comment was not immediately returned.
"With the information I have available to me through the checkout portal, I could track down and harass users who left negative reviews or refunded the app purchase," Nolan wrote. "This is a massive, massive privacy issue Google. Fix it. Immediately."