More often than we would like, security researchers or Google itself discover from time to time applications that violate Google Play policies and, therefore, they end up being eliminated. The last batch is “small”, with three applications, but aimed at children and between the three accumulating 20 million downloads.
Researchers from IDAC (International Digital Accountability Council) informed Google of three apps that violated the policies of data collection, being able to track users regardless of whether they reset their ID for advertisers. The applications were initially deleted, although one of them has already returned, possibly after correcting the previous problems.
The reason: advertising
IDAC, a Boston-based nonprofit watchdog, informed Google that three apps targeting children – Princess Salon, Number Coloring andCats & Cosplay included versions of three SDKs – Unity, Appodeal, and Umeng – that could be used to collect information contrary to data collection policies from Google Play.
Specifically, these three applications could potentially bind the Android unique identifier (Android ID) to the advertising unique identifier (Android AAID). This second is used for advertising profiles and, unlike the unique Android identifier, it can be reset by removing the advertising preferences on mobile.
According to IDAC, this was possible thanks to the inclusion of certain versions of Unity, Appodeal and Umeng incorporated in the applications. Linking Android’s unique identifier and advertising identifier is against Google’s policies, since they allow an advertiser to bypass the control mechanisms: even if a user resets his advertising identifier, it is useless if the advertiser knows which Android identifier he is linked to.
The good news is that Google removed all three apps from its store as soon as he finished his own investigation, although one of them, Number Coloring, has already returned. This generally means that the developer has made the necessary changes to stop violating the rules and that in this case it could be to update or remove the SDKs involved.
Via | TechCrunch
was originally published in