Potential “Google Play Privacy Flaw” is Probably Nothing to Worry Over

Last night during the Droid Life Show, we received a tip about a potential security risk through Google Play. Apparently, when you buy an application through Google Play, certain information is sent to the developer of the app, such as your full name, billing zip code (sometimes the town as well), and your email address. What has some people worried is either that someone with malicious intent could be taking this information and selling it, or that your more important information, such as credit card info and banking credentials, could be at risk.

On the show we had Dave Kover as a guest, a developer who sells applications on Google Play, and we brought it up with him. He gave us insight into what developers actually see in the developer console and what takes place inside Google Checkout when you make a purchase using your credit card on Google Play. He was also kind enough to share some screenshots with me, with the intent of putting people’s minds at ease.

The below shot is a broad overview of what developers see when you buy an application. Without going into an individual sale, you have an order number, the total price charged, order details (name of buyer and what they bought), and the sale date.

[Screenshot: order list]

Once you go into a more detailed look at a sale in Google Checkout, this is where some information could be deemed “at risk” under the right circumstances. We have our very own Kellex’s sale record to look over and, as we can see, it is pretty detailed, but only detailed enough to make for a secure buying process on both sides of the table. We see his name, billing zip and town, what he bought, how much it was, and that’s it.

[Screenshot: Google Play Checkout]

A point brought up in a recent article from news.com.au was that a developer might want to come harass you if you left a negative remark on Google Play or refunded their app. To them, Google is providing developers with too much personal information that could be used against the buyer. While I do see the potential risk in a crazed developer coming to chop you up over a refunded dollar, I think that’s taking it a bit too far. Furthermore, the Privacy Policy for Google Wallet, the method used for buying applications off of Google Play, does state that certain information (such as the kind shown above) is shared.

Such information may also be used to assist third parties in the provision of products or services that you request from them.

I think that the real issue here is that this system is simply not designed for the selling and purchasing of digital content. While it works just fine for now, I asked Mr. Kover to give me a better explanation of why Google Checkout could use some work in this area of buyer/seller information sharing.

The fact that the order system contains references to items being charged and shipped separately. You receive emails about canceled orders, which would make sense if you had physical products which you might not want to mail out. For a digital marketplace, not so much.

To sum it up, we know that bad people will do bad things. Given that logic, does that mean Google needs to rework how much information is shared in order for a buyer to feel safer when buying apps off of Google Play? I think that is something we as consumers should answer on an individual level. Possibly, users could be allowed to opt in or out of a more detailed transaction. As for me, I’m not against a developer having my billing zip or my email address, as long as they don’t stalk me after I give them one star on their crappy app.

Update: There was a mention that developers could take any type of personal information and still sell it to another party. In fact, there is a very lengthy section in the Seller’s Terms of Service that prohibits such usage of a buyer’s information. This is Section 7 part 1, named “Confidentiality and Proprietary Rights.” You can view that here, since it would take up too much space if I copied and pasted.

What do you think? Is there a potential risk here?

Cheers Michael and Aadi!

  • http://pulse.yahoo.com/_HZDBYT2NJJAS3VXE4MUF2P6A5Y Tommy, tho people usually call

    Here’s an idea: why doesn’t Google explain what information is being transferred to the seller at the time of purchase and allow the buyer to decide whether he/she would like to proceed? No, that’s not gonna happen …

  • CapnShiner

    I do see a potential for abuse here, but I think the risk is minimal. If credit card numbers or social security numbers were being shared, that would be another story. This doesn’t even show a full physical address, just a city, state, and zip code. Now, I do think the process could use some revision because I don’t know why the developer needs to know a name, email, or any part of a mailing address for a digital download sale. If the seller needs to contact the buyer, it can be done through the Google account, especially now that the Play store is tied to Google+. I think Google should have two versions of the screen that sellers see- one for physical items that require shipping info and one for digital downloads/subscriptions. There is no reason to share any more information than is absolutely necessary. Even though the ToS for sellers prohibits abuse of such information, the seller can choose to do it anyway. Once that damage is done, no amount of prosecution can undo it.

    • http://khurtwilliams.com/ Khürt L. Williams

      All I need to get your full street address is your name, city, state and zip code. Try pipl.com

      • CapnShiner

        Ok, that is a little scary. I thought I kept my information a bit more private than that. However, I was still unable to get a full address, at least without paying for it. It got as close as the street name though. That is too close for comfort.

  • Chris King

    how does google get your address if you don’t give it to them?

  • http://twitter.com/TonyGO_DIGITAL Illicit_tweets

    I bought an app a few months ago and I got a thank you email from the developer with a picture of my house attached to it… Thought it was pretty creepy indeed

  • http://twitter.com/spalt Dan

    As an app developer I find it kind of funny when a user decides to contact me with a question or comment about an order by following a link from the order confirmation email, Google seems to go out of their way to disguise the user’s contact info, creating them a fake @checkout.google.com email address, for instance. I can reply to this and it’ll forward my message to the proper email. But, in the Google checkout tools for app sellers, as shown above, I can see everyone’s real emails anyway (along with their street address etc). So I’m not sure it counts as a privacy flaw, it’s more like an inconsistency…

    • http://khurtwilliams.com/ Khürt L. Williams

      So then it would seem that Google already has a system in place for devs and customers to communicate so perhaps they need to stop collecting and sending contact information to devs.

  • CodeToJoy

    No risk here… My address goes to every product I order (Amazon, Kickstarter, eBay), and no problems there. Hell, Apple has my address somewhere in its system from the days I was on the dark side. Not a big deal.

    • http://khurtwilliams.com/ Khürt L. Williams

      I trust Apple and Amazon. Do you trust someone in Russia or China with your info?

  • Stewie

    Not concerned, if a dev was using any of the data acquired in this manner, it would be fairly easy to get him off the play store to begin with, as you pointed out selling or giving that info to 3rd parties is against the terms of usage. It would be like a malicious app, the community would rally pretty quickly against that dev IMHO, then google would step in and investigate.

  • danofiveo

    Everything online is “at risk”. The issue is what level of risk you are willing to take with your personal information. Some services are more risky than others. The only way to really minimize your risk is to disconnect completely from the internet. And who is willing to do that?

  • spunker88

    Any physical item you buy online, the seller sees your address since they have to ship it to you. It appears Google is using the same checkout for apps that they would use for physical items. They probably should hide the name and address from digital content sales, but it’s not as big of a deal as everyone is making it. It’s not like it’s your SSN.

  • http://twitter.com/webtwoohno Jack

    I’m pretty sure the seller of a product has a legal right to billing information when a credit card is used. This is to protect against chargebacks and other shenanigans. If Google did not provide the seller (developer) that information, they could be breaking commerce law.

    Remember Google is just a man in the middle here, the developer is still the seller of the app you’ve bought. This is no different than Amazon, Walmart, Ebay, etc… retaining billing information.

    • wickets

      if your point is valid re: commerce law, how come app seller info isn’t easily available….everyone knows where amazon and walmart are, but do you know where the dude that made XYZ widget is located??

    • http://khurtwilliams.com/ Khürt L. Williams

      I suggest you post your email address and other contact information on a public web site and then send a notice to the government of China and the developers in Russia since … you know … this isn’t a big deal.

      • http://twitter.com/webtwoohno Jack

        What are you on about? I never said it should be made public, but you entered into a commercial contract with someone. You exchanged money for a good. How dense are you to not understand that. Your ad hominem attack is nothing but a pathetic strawman. Seriously, don’t comment you just sound like an idiot.

        • http://khurtwilliams.com/ Khürt L. Williams

          “Seriously, don’t comment you just sound like an idiot.”

          What a puerile response. Name calling. Since you’ve opened the door.

          Dear Jack. You are an ass.

          “This is no different than Amazon, Walmart, Ebay, etc… retaining billing information.”

          Really? Comparing some small unknown to Amazon.com and Walmart? Next you’ll be suggesting that Tigers and house cats are that much different from each other.

          • http://twitter.com/webtwoohno Jack

            A lot of blithering and nothing said. Do proceed.

        • http://khurtwilliams.com/ Khürt L. Williams

          Perhaps Google should open a real store, like the one Amazon.com opened. You know one where the merchant accepts some responsibility.

          “Apple, however, acts as the sole merchant on record for the company’s App Store. As a result, third-party developers see no personal information.”

  • steve30x

    I purchased an app from my well known developer 2 months later I noticed 20 dollars missing from my account and checked that it came from Google then checked that it was an application or should I say 3 applications that I had no interest whatsoever in responded to developer after verifying through Google wallet account that was mine to find out the developers name and he said I did purchase tand that there was nothing he could do.. The Gmail account in the Google wallet account of mine was labeled as another person’s Gmail as well.. Strange. No one ever touches my phone as I live alone and keep it locked and my credit information is always out of reach.

    • moelsen8

      holy punctuation batman

      • duke69111

        What’s the matter? The periods are all there, they’re just bunched in groups of two. :)

        • steve30x

          Thanks you my swift key was reinstalled and its been wacky ever since, i thought this was a phone site not an essay. Sheesh it’s the point I was trying to make since that really happened to me.

          • moelsen8

            sorry man, i don’t mind reading what you have to say, that was just really difficult to get through.

  • Tsabhira

    If a developer has no need of my real name and address — and no developer does — I don’t see why I ought to be made to give it to him or her, regardless of whether a third party believes it’s not an invasion of my privacy. Customer service does not require my full name or address, only my email address. I wish Google would dial back its anti-anonymity stance period. It lost a heavy and fair reviewer in me when it started forcing full names in the market period.

  • Tech Pro

    Come on. Google Play is not a cash-only flea market. Sending basic customer info would allow possible customer service since you are a customer after all. You don’t like it, side load the app.

    • wickets

      why do they need your address etc….they aren’t sending you anything in the mail.

    • http://khurtwilliams.com/ Khürt L. Williams

      I disagree. Google Play is a flea market. The Amazon.com App Store is more like a mall.

  • Manny

    I know google reads our emails but this too… I think Schmity just went over the creepy line…..

    • TheWhiteLotus

      Google reads our emails? Explain please.

      • Ian Winchell

        Ya they “read” all of our websites too, those bastards.

      • http://geniousatplay.blogspot.com/ Bikram Agarwal

        Bots/robots/AI (whatever you want to call ‘em) scan through every mail in GMail, identify keywords and show you matching ads. Not to the extent Microsoft’s “Scroogled” ads would have you believe; but yep, GMail bots read your mail.

        Also, that’s how “Missed attachment” and some other lab features work.

      • Manny

        Dude..where have you been. Open any email in your gmail account. And the ads match whatever email you are reading. You guys seem to forget. Google makes ZERO dollars from android. They make their money from their apps and services. The new microsoft campaign to try and get people to drop gmail and go to outlook is all true. Some folks hate apple b/c of how much they make on each device but that’s really no different than what google does.

    • Nickan Fayyazi

      “Schmity”?

  • http://twitter.com/gamercore Chris Chavez

    Was going to give the Droid-Life app a bad review in the Play Store but now I’m not so sure…

    Wouldn’t want Kellex coming and chopping me up in my sleep. O_o

    • http://www.droid-life.com/ Tim-o-tato

      Off the record, but I feel like chopping up myself when using that thing. We’re looking into making a new one! ;)

      • Alex Farra

        Why bother? I personally find browsing the site through currents to be a very good experience.

        • CapnShiner

          Currents does work pretty well but it is nice to have options. I think Currents should get some integration with Google Now, but that’s beside the point. Personally, I would like the web site to be better optimized for mobile. I mostly follow DL through Twitter and if there something I want to read more of I click on the link from there. The problem with that is that my phone opens the full version of the site and it can be a bit slow to load over 3G. It would be nice if the site would check the browser and automatically load an optimized mobile version if it’s a mobile browser.

          • michael arazan

            Congrats Droid-Life guys for reading the entire Google Play TOS, you guys are probably the first and only to read the agreement in its entirety. I wish it was more like bullet points than legal jargon to read these things

    • Tim242

      Phandroid is only hanging on by a thread. Wouldn’t that be a mercy-chopping?

      • JBartcaps

        Stop hating on Phandroid! They were my first Android news site.

        • Tim242

          Mine too! It has just become irrelevant

      • http://www.droid-life.com/ Tim-o-tato

        Hey now! I love Chris and the work he does. No need for any negative talk like that.

        • Tim242

          He’s a good guy. Y’all should hire him away from that sinking ship : )

          • http://google.com/+derekross Derek Ross

            I don’t think they’re a sinking ship. Everyone seems to be doing fine.

            Site Information for phandroid.com
            Alexa Traffic Rank: 9,385

          • http://www.droid-life.com Kellex B

            Alexa, people don’t actually believe anything that thing reports do they? Haven’t heard that site mentioned in years.

        • LarryVandemeer

          Phandroid went fast downhill when the founder left and Chris came on board. Don’t know if it’s related or merely a coincidence. All I know is that their articles quickly went downhill and that almost half of what is written is garbage mixed with Apple fanboyism. I used to read it regularly before and now I don’t even bother.

      • TheWenger

        Low blow. I used to read Phandroid every day until they blocked it at work.

    • http://www.droid-life.com Kellex B

      Poor DL app. Sometimes I forget that thing even exists. Wish people just wouldn’t use it heh.

      • Ian Winchell

        then you’ll be happy to know i tried, but couldn’t, due to not being compatible with my n7 :)

      • http://google.com/+derekross Derek Ross

        Shh. Our AA app isn’t much better :P I really don’t think any website’s app is that great to be honest. I prefer Currents myself.

        • http://www.droid-life.com Kellex B

          Currents or the mobile version of the site heh.

          • JasonIvers

            Your site is slower than molasses on Chrome on my GNex. I hate that I have to leave Reader to see the full story (don’t mind on my laptop, just on my phone).

    • IHATEHIPSTERSSS

      Another flaw in android…add it to the list…

      • Tim242

        You think iOS doesn’t do the same thing? Yeah, OK.

        • http://khurtwilliams.com/ Khürt L. Williams

          iOS does not send your purchase information to ANY dev. Apple is the retailer of record for all App Store purchases.

          This is a serious privacy issue because the average user DOES NOT read the Google Wallet or Play Store terms of service. I am sure that users assume that buying on the Play Store is buying from Google. Not some developer somewhere in China or Russia.

          • Tim242

            Oh really? How would you know that? iOS doesn’t even show the user what the app permissions are.

    • Joe

      He can send spam emails or submit your email to get spam. Google shouldn’t give your email away. I know Amazon doesn’t when you buy stuff on their site. Not sure about their app store though.
