Google cracks down on apps that snoop on you, even if they’re not in Play Store
Google is introducing significant changes to how it enforces its Unwanted Software Policy, which should result in better privacy and transparency for the world’s two billion Android users.
Google is giving developers two months to ensure their apps don’t deviate from its Unwanted Software policy. If an app continues to stray from the policy, users are likely to see its Safe Browsing full-page warnings, which will probably drive users away from the offending software.
The crackdown is a new effort to combat malicious and harmful Android apps and will apply to software distributed through the Play Store as well as third-party Android app markets.
The Safe Browsing warnings will appear “on apps and on websites leading to apps that collect a user’s personal data without their consent”, Google notes on its security blog.
In other words, the warnings may be applied to sites and software that promote apps that violate its policy, as well as the offending apps themselves.
If an app uses a user’s phone number or email address or device data, it will need to prompt the user and provide a privacy policy within the app.
Developers will also need to offer a way for users to give their “affirmative consent” if an app collects and transmits personal data that’s unrelated to the functionality of the app. The app also needs to prominently explain how user data will be used.
“These data collection requirements apply to all functions of the app. For example, during analytics and crash reporting, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent,” Google explains.
The changes reflect an update in August to the Personal and Sensitive Information section of Google’s Developer Policy Center. The amended policy introduced a requirement for an app to provide prominent disclosure if it collects and transmits personal user data unrelated to the app’s main functionality described in the Play Store listing.
The section covers requirements for how an in-app data-usage disclosure must be displayed and how the app needs to request user consent.
For example, the in-app disclosure must be shown within the app itself and not just the Play Store listing or on a website.
It must also be displayed within the normal usage of the app and not be buried in settings. It also can’t be placed in a privacy policy or terms of service and must not be bundled with non-privacy disclosures.
The affirmative consent request dialog needs to be presented in a clear and unambiguous way. To gain consent, the user will need to tap to accept or tick a check-box.
Google notes that two common violations are when an app doesn’t treat a user’s installed apps as personal or sensitive user data and when an app doesn’t treat the user’s phone or contact book as personal data. The apps will be considered to violate Google’s policy if they don’t follow the rules for prominent disclosure.
Websites owners that attract a Safe Browsing warning will need to follow the usual processes in the Search Console if they want to resolve the warnings. App developers caught by the new Safe Browsing warnings can request an app review on the App Verifications and Appeals support page.
In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.
