Software developer Dan Nolan recently discovered that he was able to view the e-mail addresses, locations and often the full names of anyone who had purchased his app on Google Play.
"With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase. ... This is a massive oversight by Google," Nolan wrote. "Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information."
"Mr Nolan told News.com.au that sometime before October last year, Google used to provide developers with 'alias' email addresses of people that had purchased apps in Google Play, rather than their real address," writes News.com.au's Claire Porter. "'Sometime around the end of October or November they stopped generating that email and just passed on the real details of the users,' Mr Nolan told News.com.au."
"Google had no official comment on the matter, but a source familiar with Google Play and Android policies confirmed in a phone interview that Google Play does indeed give this information to developers but explained that this is nothing new," writes Threatpost's Brian Donohue. "On Google Play, Android developers are merchants of record, therefore, the source said, developers need certain information for tax purposes."https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
"Apple's App Store operates in a different way with Apple performing the sale, managing the sales taxes and being merchant of record," The H Security reports. "It then pays the developer in a separate transaction and therefore the developer doesn't need to see, or get to see, any of the purchaser's details."
"The problem isn’t that Google is providing developers with this kind of information, it is the fact the company gives no indication to users that such information is being transferred," writes BGR's Dan Graziano. "Even worse, there is no way to opt out and keep your personal information private."