Google Puts a Ban on Twelve Data-Stealing Apps
Google has removed over a dozen apps from the Play Store after discovering that they used hidden software to harvest users' data. According to reports, the code was allegedly written by Measurement Systems, a company linked to a Virginia defense contractor that works for U.S. national security agencies.
According to the official statements, Measurement Systems paid developers worldwide to add its code to their apps via software development kits (SDKs). This code allowed the company to collect user data without the knowledge of the developers or the users.
Data-harvesting apps banned by Google.
Google has banned several Muslim prayer apps with a cumulative download count of over 10 million. Other apps include a highway-speed-trap detection app, a QR code reader, and other popular consumer apps.
According to Scott Westover, a Google spokesman, these apps were removed from the Play Store on March 25, 2022, for collecting users’ data outside the rules that Google has set. Westover also added that Google could relist these apps if the respective companies removed the software code. After meeting company guidelines, the search engine giant has already relisted a few apps.
What kind of data has Measurement Systems harvested so far?
Measurement Systems has collected a large amount of user data, including precise location, personal information like email and phone numbers, and data related to nearby devices.
Measurement Systems can also collect information stored in the phone’s clipboard using the software development kit (SDK). The code can potentially harvest passwords when the phone user uses the cut-and-paste feature. The SDK can also access the phone’s file system, including the files stored in the WhatsApp downloads folder.
Serge Egelman, a researcher at the International Computer Science Institute and the University of California, Berkeley, and Joel Reardon of the University of Calgary and the Federal Trade Commission, brought this issue to light in March 2022. The researchers also shared these findings with Google, after which the company investigated the matter and took prompt action.
Reardon explained the consequences of this breach in a blog post. He stated that this example of a database mapping personal identifiers such as email IDs and phone numbers to their precise GPS location history is frightening. Additionally, third parties can use sensitive information like this to target journalists, dissidents, or political rivals.
Egelman says that such an incident showcases the importance of the saying “don’t accept candy from strangers.” Developers utilizing the SDK in return for monetary gains have put countless Android users’ data at risk.
According to their findings, Google delisting the apps from Play Store won’t prevent Measurement Systems from collecting data from the phones which have the apps already installed. Egelman and Reardon also added that the SDK stopped collecting data shortly after the pair started circulating their findings.
Measurement Systems was paying the developers anywhere between $100 and $10,000 a month, depending on the number of active users. According to the document shared with the developers, Measurement Systems was interested in the users who had enabled the app to access their location. It has also come to light that the company didn’t require such permission to collect the data.
Note to the developers across the globe.
As a developer, you need to abide by the rules and regulations Google sets for all apps hosted on the Play Store. Review any SDK or third-party software code before adding it to your applications. These kits can be dangerous for app users, and breaches caused by your choice of SDK will eventually affect your credibility.
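One way to start such a review, as an added example that is not code from the researchers, Google, or any SDK: the script below scans decompiled third-party source for Android framework APIs that correspond to the data categories named above (clipboard, precise location, email and phone numbers, nearby devices, file system). The API-to-category mapping, the package paths, and the sample sources are assumptions constructed for illustration.

```python
import re

# Data categories the article attributes to the SDK, mapped to Android
# framework API names worth a manual look when they appear in third-party
# code. This mapping is an assumption of the example, not a published list.
SENSITIVE_APIS = {
    "clipboard": ["ClipboardManager", "getPrimaryClip"],
    "precise location": ["getLastKnownLocation", "requestLocationUpdates"],
    "email / phone number": ["AccountManager", "getLine1Number"],
    "nearby devices": ["getScanResults", "BluetoothAdapter", "BluetoothLeScanner"],
    "file system": ["getExternalStorageDirectory", "listFiles"],
}
PATTERNS = {
    cat: re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, names)))
    for cat, names in SENSITIVE_APIS.items()
}

# Constructed sample: decompiled sources keyed by path (hypothetical packages).
SAMPLE_SOURCES = {
    "com/example/myapp/MainActivity.java":
        "ClipboardManager cm = getSystemService(ClipboardManager.class);\n",
    "com/example/thirdparty/sdk/Collector.java": (
        "// constructed sample, not code from any real SDK\n"
        "ClipData clip = clipboardManager.getPrimaryClip();\n"
        "Location loc = lm.getLastKnownLocation(provider);\n"
        "List<ScanResult> aps = wifi.getScanResults();\n"
        "File[] fs = new File(Environment.getExternalStorageDirectory(), d).listFiles();\n"
    ),
}

def audit_sdk_sources(sources, app_prefix):
    """Return {category: [(path, line_no, api_name), ...]} for third-party files."""
    findings = {}
    for path, text in sorted(sources.items()):
        if path.startswith(app_prefix):
            continue  # the app's own code is reviewed separately
        for line_no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith(("//", "*", "/*")):
                continue  # ignore comment lines
            for category, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.setdefault(category, []).append((path, line_no, match.group(0)))
    return findings

if __name__ == "__main__":
    for category, hits in audit_sdk_sources(SAMPLE_SOURCES, "com/example/myapp/").items():
        for path, line_no, api in hits:
            print(f"{category}: {path}:{line_no} uses {api}")
```

A hit is a prompt for manual review, not proof of harvesting, and name matching will miss calls made through reflection or obfuscated code.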