Android has a major problem, and it lies at the heart of its most popular application management system. This week, several security firms, in a joint effort with Buzzfeed news, confirmed that six popular Android apps have been unknowingly collecting user data and sending it to Chinese servers.
The apps in question are from one publisher: DO Global, a Chinese-based app developer. The apps collected user data by surreptitiously prompting ad clicks without the users knowing. These clicks occurred even when the app was not active.
This practice flies in the face of both Google’s terms of service for the Play Store and the EU’s General Data Protection Regulation, or GPDR. Under the GPDR, software must make users explicitly aware of when, how, and for what purpose it may collect data. Software must also obtain direct consent from users.
Google has since removed the apps (listed below) from the Play Store, but that has not sated some critics; some Android users have called for punitive measures to be levied on DO Global as an example to other publishers that might attempt similar practices.
The biggest problem highlighted in this investigation is the inordinate amount of permissions that some applications request. As KitGuru pointed out, an app called “Emoji Flashlight” (which is a simple torch application) requests 30 different access permissions upon download. (Google notes that 7 of these are critical.) Why a flashlight would need more than one access permission (the LED light on a phone) is beyond comprehension, unless it is attempting to access user data for one purpose or another.
Be careful when downloading applications, even from trusted sources like the Google Play Store and carefully read through an app’s permission requests before accepting any of them.
