Three children's apps contained tracking advertising code that collected data on users even if they switched phones
The three dangerous children's apps removed from the Google Play Store had accumulated more than 20 million downloads in all. Causing the chaos and controversy is the fact that the three apps in question were aimed at children, but behaved in total contrast to Google's data collection policies.
The three Android apps allegedly violated the data privacy policy by accessing the user's Android ID and AAID, Android Advertising ID. These apps violating the user's personal data policy were discovered by IDAC, the International Digital Accountability Council in Boston, which found in all three software development kits from Unity, Umeng and Appodeal. Once the security flaw was detected, IDAC, a non-profit app and platform monitoring body, promptly notified the Mountain View giant so that the games for younger children could be removed from its store immediately. This news comes as a blow to Google, after 21 infected gaming apps were discovered in the Play Store just a few days ago.
Dangerous Android apps for kids: what the breach is about
IDAC president Quentin Palfrey explained what the risk would be in the offending software development kits. The Unity 3D, Umeng and Appodeal SDKs would have the ability to access user data and cross-reference it with other types of data, such as geolocation data.
While IDAC didn't specify whether the type of data breach was present on all SKDs used, it did want to specify how it actually happens in some versions of the Unity kit, which is capable of collecting both Android ID and AAID code. By overriding Google's privacy controls, this would allow developers to track users over time and even after a device change.
By collecting both data, developers would have full access to user information. In fact, despite the possibility of resetting the AAID, the identification number that links each user to their advertising preferences, the registration of the Android ID would leave ample freedom of movement to possible data transfers, given its nature as a static identifier capable of reconnecting the identity of the app user to their preferences at any time.
Dangerous Android apps for children: what are they
The three apps at the center of the controversy are Princess Salon, Number Coloring and Cats & Cosplay. The first and the last have been removed by Google from the Play Store, while the second is still there, despite Google claiming that it has been removed as well. The app has probably been republished without the tracking SDK.
Creative APPS and Libii Tech, two of the developers of the offending apps, are reportedly still present on the store with other games also dedicated to children. In addition, the apps are still freely downloadable from other APK sites, leaving the door open to the risk of data theft.
The problem does not affect the iOS versions of the apps. The problem doesn't affect the iOS versions of the apps, however, as IDAC itself confirmed, at least initially, but has reserved the right to investigate the matter further.
It's certainly a dark period for Google, which after being sued by the US Department of Justice for anti-competitive monopolistic behavior in search, has been sued for another (yet another) serious privacy and security issue that could potentially affect millions of users worldwide.