While it’s pretty commonly known that the Google Play store is much less restrictive than the iOS App Store, it’s worth realizing that while that does make Android potentially more flexible, it also means users have a much great responsibility to ensure protection of their own data.
Whether or not users have the time, experience, knowledge, and resources to make this trade-off is up to users to decide for themselves, but it’s important to realize that in a lot of cases Google doesn’t care – just as long as you click “I Agree”.
When Free Apps Aren’t Free
I’ve recently found a site called AppCensus that shows the tradeoffs that users might be making when they download and use “free” Android apps.
Instead of reporting on apps with malware (which the Play Store in theory should disallow), this site analyzes data that apps send “back home”, and tries to find those apps that may be sending potentially private or personally-identifiable data to advertising or network tracking companies.
This data can be things like your phones IMEI number, Wi-Fi MAC address, GSF ID, SIM and/or phone’s serial number, Android ID, and more.
First, a quick explainer of these different terms:
Your IMEI, phone serial, and SIM serial number are unique to your phone and SIM card, and can only be changed by buying a new phone. The same goes for your Wi-Fi MAC address – it can only be changed by getting a new device.
The GSF ID is your Google Service Framework identification number – a unique number that can track your account across apps and devices. This number can only be reset by deleting your Google account. Similarly, the Android ID is generated when you set up your Android device for the first time, and can only be reset by factory-resetting your phone.
Companies that are collecting this hardware- or account-level identifiers can then link that information to your Android Advertising ID. While the Android Advertising ID can be reset anytime by users, if this ID is cross-linked to hardware, it’s pretty trivial for the ad networks to follow you despite the Advertising ID reset. With the GSF ID number, it’s also possible to track a single person across a wide variety of devices and even apps.
Google Says No, But…
It’s worth noting that this kind of use is expressly forbidden by Google, but according to a blog post by AppCensus, over 17,000 very popular apps are doing just this.
- Cam Scanner (100 million+ installs)
- Angry Birds Classic (100 million+ installs)
- Flipboard (500 million+ installs)
- Clean Master (1 billion+ installs)
- Temple Run 2 (500 million+ installs)
- Audio books from Audible (100 million+ installs)
- Battery Doctor (100 million+ installs)
While I’m not sure what exactly Google will do with these apps, it pays to be wary of free apps. Even free apps with paid services (like Audible) are apparently not above suspicion.
In the meantime, if you’re going download a free app from the Google Play Store, and you care at all about privacy, make sure you run it through AppCensus before you install.
Remember that the price you pay for Android’s openness and flexibility is increased vigilance and awareness.