Google to crack down on apps that snoop

Google has warned Android developers to give users better warnings about their apps' data collection behaviours, or it will flag their failings. Last Friday, the company announced revisions to Safe Browsing rules and "expanded enforcement of Google's Unwanted Software Policy". If developers don't comply within 60 days, Google …

  1. Anonymous Coward

    Stop Snooping - That's our job - [Google]

    “Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent”...

    You could just ban the apps! It would be more effective than hoping users realize! But hey Google run the zoo and take a cut, so that ain't happening!

    1. m0rt

      Re: Stop Snooping - That's our job - [Google]

      Nice to think that the people behind Google, for corporations *are* archvil^W people, did this out of genuine concern. But I strongly think upcoming GDPR is the driving factor...

      1. Khaptain

        Re: Stop Snooping - That's our job - [Google]

        In relation to GDPR:

        I want to know what the devs/companies are doing with the data that they hold and exactly which data they have collected and which third parties also gain access. Only then can you decide if you are prepared to continue or not.

        In any event if you don't accept the access the apps often don't work correctly and if they do they should not be requesting access.

        Google should also be far clearer about what they themselves slurp and how they use it and to who they give access...

        1. IceC0ld

          Re: Stop Snooping - That's our job - [Google]

          Google should also be far clearer about what they themselves slurp and how they use it and to who they give access...

          Ans : - EVERYTHING and anyone who pays

          FTFY :o)

          1. Richocet

            Re: Stop Snooping - That's our job - [Google]

            ...anyone who pays.

            What are the odds that they have sold this data to organised crime syndicates already?

            It is inevitable that this will happen at some stage thanks to the only criteria in place being the ability to pay for the data.

    2. Mark 85 Silver badge

      Re: Stop Snooping - That's our job - [Google]

      But hey Google run the zoo and take a cut, so that ain't happening

      Either Google doesn't get a cut from ads, etc.. or they're pissed that the apps won't share the data with them. Probably both. A pox on both their houses.

  2. Anonymous Coward

    This should be "entertaining". Well, for certain definitions of the word. Pretty much a stock set for years here so it should be interesting to see if any get outed.

  3. macjules Silver badge

    Google has warned Android developers ..

    Dear Kettle app developer, we would like to introduce you to the Pot app developer. They call you 'Black'.

  4. Teiwaz

    All these nasty, privacy impinging 'amateur' tracking apps...

    ...Are bringing too much attention onto Google's nasty, privacy impinging 'professional' tracking services.

    Time to weed the garden and hope the herd will go back to the cud and stop worrying about the farmer.

  5. John Crisp

    Opt out

    Oh for the ability to choose what access apps have on install rather than the "accept we grab everything or nothing" that you are faced with, even on paid apps.

    Yes you can restrict some of it afterwards, but that just isn't good enough.

    1. Charles 9 Silver badge

      Re: Opt out

      Well, that's the hand you're dealt when you rely on others. You either hold 'em or fold 'em. The only third option is to roll your own, if you can. The rest of the populace just isn't there to back you up otherwise.

    2. Anonymous Coward

      Re: Opt out

      I thought that newer versions of Android allowed you to choose which permissions to grant to an app when you installed it, no?

      Certainly, on iOS, an app doesn’t get any permissions unless you grant them to it.

      The snag on both being that if an app has been given network access, then any embedded advertising code can do its stuff, but I suppose that’s the price we pay for “free”.

      1. Anonymous Coward

        Re: Opt out

        "I thought that newer versions of Android allowed you to choose which permissions to grant to an app when you installed it, no?"

        No, for a while you've had the ability to allow or not allow when an app first tries to use a permission but not on install (e.g. If you are about to share a photo from a camera app then Android will ask you if you give permission for the app to access your contacts). You can turn permissions off for any or all apps at any one time.

    3. Adam 1

      Re: Opt out

      Android 6+ changed the permissions model from an all you can eat buffet to an ask on first use. Basically the same as iOS. That is definitely a good start. Could it be improved? Well, I guess you could add a preemptive decline feature (seems to be what you're looking for). I can't see why they can't allow mock virtualized data points. App wants location? Why not let me choose an answer from Google maps to tell that app whenever it asks. App wants contacts? Let me pass it a fake address book. App wants access to file system. Let me pass it a virtualized version safe in their sandbox.

      Tbh, the biggest failings with android permissions is the fact that so many phones are still sold with Android 5 and will never see an update.

      1. Anonymous Coward

        Re: Opt out

        I disagree with mock data points. Some apps actually have a serious use and so having completely unreliable data may make it useless. I know it is possible to subvert the data so you can never guarantee it is 100% accurate but if it is easy to send fake data then it can make it meaningless.

        The blocking of access is fine - you don't trust the app, you don't allow permission. If the app won't run without that permission (and it is an optional permission and not a core component) then don't use the app; it can't be trusted.

        The more the developer sees it not being used because it requires your exact location, the less chance they will keep that requirement and the less of it will happen in the future.

        1. Diogenes

          Re: Opt out

          I have no use case for using what Samsung insists I allow Gallery to use, location and contacts, and it will not work at all unless I give those 2 permissions (which is why I now use other apps). As long as I know where I took the photo, and the only person I share with is me...

          I also have no idea why Google Home needs location turned on when all I am trying to do is cast my tablet to the TV, and both devices are on the same WiFi.

        2. Adam 1

          Re: Opt out

          We possibly have a disagreement about what correct behaviour is. If the app developer of a map application says it wants GPS, that is so the find me function works. If I configure **my** device to return nonsensical data, then I will expect the find me function to do weird things. If I give it real data, it will work as per the app developer's intention. If I reject the permission, it will probably crash. Not necessarily because they believe their application is pointless without it, but because most languages have really clunky handling of monads and it never occurred to the developer to check what happens if an exception is thrown or check the error code that got returned. In other cases, the app developer just can't be arsed to structure their code in a way that would minimise the required permissions. In other cases, the permission model itself is not fine grained enough (particularly around file and media access). The developer may want a very small subset of the permissions mentioned on the token, but you need to grant or reject the lot.

  6. 0laf
    Big Brother

    Except for Google. Because that's good snooping which you will want.

    But they'll try to stop the bad snooping, unless it makes money then it's good snooping.

    Just ask Amber Rudd she'll tell you why you don't need to worry. She can make the electric magic only do nice things that Amber wants. And everything Amber wants is nice.

    If you disagree you must be bad and you'll be taken away

  7. Anonymous Coward

    Quite literally every single app on my phone wants this information. I highly doubt that will change.

    1. Aitor 1 Silver badge

      Use a Xiaomi phone

      One alternative is to use a Xiaomi phone with Gapps.

      Now, only Xiaomi and google will collect your information, and that means plenty of battery saved.

      Of course, your information is not safe, as these two companies still spy on you, but at least you can prevent the rest from spying quite a bit.

      1. JohnFen

        Re: Use a Xiaomi phone

        And if you avoid having gapps installed, you can even reduce the number of spies to one. Or, better yet, get a phone that you can install a ROM onto, then use a vanilla Android ROM without gapps. Install a firewall, and you're about as safe as you can get.

        1. Charles 9 Silver badge

          Re: Use a Xiaomi phone

          Until you need to use a root- or custom-aware app with no substitutes. Then you're in Take It Or Leave It territory.

  8. Kevin Johnston

    Standards?

    So, how much of this is down to sloppy coding standards and how much to opportunists?

    I wanted a spirit level app so had a look at the various offerings and most of them wanted 'Access all Areas' permissions. Now I can understand some developers trying it on but that seemed more like the SDK throws in some basic headers which request full access and you are expected to trim it to what you actually need.

    Maybe an app dev can enlighten me here?

    1. BebopWeBop

      Re: Standards?

      To some extent it is laziness - on both the developer and the user (not protesting/boycotting). I would be inclined to begin with the incompetence vs malicious intent - at least until shown otherwise. It does not take much effort from a developer to not require these.

      1. Khaptain

        Re: Standards?

        It actually takes effort to include the modules, which means it is definitely intentional on behalf of the Devs.

        1. Charles 9 Silver badge

          Re: Standards?

          So there's a module for EACH individual permission that you MUST include for it to request that permission? Or is it simply a few large modules that ask for a bunch of them at a time?

  9. DropBear
    Alert

    Anyone opposed to slurping is welcome to support noyb.eu - as sad as it is, considering privacy concern awareness is unlikely to ever be higher than it is now, it looks like they need every single penny they can get (or should I say Euro-cent?)...

    1. RyokuMas
      FAIL

      ... because anyone who cares about privacy is clearly not a good little consumer, ready to whore themselves at the altar of their corporate overlords... right?

      1. DropBear

        That was an honest suggestion, not a sarcastic dismissal of the problem. Sorry if it came off as one.

        1. Charles 9 Silver badge

          The point is, the sheep outNUMBER us AND they outPAY us. Most aren't even interested in privacy given the prevalence of Facebook and so on. It's practically a case of You Can't Fix Stupid, only the stupid are dragging everyone else down with them.

          About the only way to fix this would be to require a license to use a computer, meaning a license to use something that's in the privacy of one's home. So it's a dilemma: either Big Brother watches over us or Joe Stupid drags us all down into the handbasket.

  10. ukgnome

    Hmmm

    Does this mean that Google have all the info they need now?

  11. Mahhn

    Stoogle

    Google is the company that has served thousands of malicious apps on their play store, still does, refuses to notify users even when a malicious app has been removed from the store, so that people will still be infected. And they are now threatening some of the malicious apps to play nicerer or what? going to remove them, but won't fucking tell anyone they've been infected.

    Google play store is like a Dr Office that is more likely to make you sick than anything else.

  12. Anonymous Coward

    Self control

    This is the crap world we built; demanding "free apps" and apps for everything. Yet the world is not free, nor is it void of people who are void of morals or smarts on both sides of the equation. To the uninformed user, I say sorry that you did not know better. To the informed user that participates and bitches about it, I say tough. To the informed user that participates and hides their head in the sand, I say Hello Brother, and I wish we had enough self control to just walk away.

    1. Charles 9 Silver badge

      Re: Self control

      It's not just that. Those who aren't enlightened are dragging the rest of us down with them, and there's practically no way to avoid it anymore. Even if we tried to hide in the mountains, the government has land-survey satellites now, complete with infrared imaging.

  13. Jamie Jones Silver badge

    This will affect 99.999% of apps out there

    I'm constantly blocking their shit in my firewall, and also removing privs/events as I see fit.

    It's ridiculous. Just yesterday, I *bought* an app, from a well known reputable company, with no adverts, yet it still tried to phone home with my exact location.

    A number of apps will even leave a little monitoring program running permanently, whether you use the app or not. How arrogant is that?

    1. Richocet

      Re: This will affect 99.999% of apps out there

      This.

      Apps you pay good money for can be rampant spies.

      Then you are faced with the ultimatum to allow it access to excessive un-needed info or else the app will spitefully refuse to operate.

      But you have paid and can't get that money back.

  14. GcdJ

    No Mention of banning location data

    Under GDPR location data is also classed as personal data

    It only takes 4 location data points to uniquely identify any phone/user.

    Regards

    Geoff

    1. Jamie Jones Silver badge

      Re: No Mention of banning location data

      Even worse, they classify "location data" to include GPS etc. if they can.

      A while ago I saw my exact location be sent off to some random ad company.. If you threw a grenade at the coordinates given, you'd blow up my sofa...

  15. sloshnmosh

    Stoogle

    I tried in vain for over 8 months to report an "antivirus" app that was tricking users into installing their app through the use of fake virus warnings that were served up through hijacked Facebook links every single day for over 2 years straight and got absolutely NOWHERE!

    The app in question is using the Facebook Graph API to access a user's Facebook account and the advertising SDK would use the "showSource" command to view a webpage's HTML source and inject JavaScript that made the user's phone vibrate with a full screen warning designed to appear as an internal warning from Google that your device was "infected" and linked to the app on the Google Play Store.

    The relatively unknown app developer only has two apps, an "antivirus" app and a battery saving app, yet its company is now valued at well over $200 Million US.

    I took over 200 screenshots of users complaining about the fake virus warnings on the Play store reviews and forwarded them all to multiple Google reps and supervisors and nothing was ever done about it.

    1. Jamie Jones Silver badge

      Re: Stoogle

      What's it called?

      Try submitting it here: http://androidblacklist.org

  16. sloshnmosh

    Android Blacklist

    Thanks!

    Does Android Blacklist actually take action against an app/developer or is it just a reference site for the few Android users that actually care about what is installed on their device(s)?

    1. Jamie Jones Silver badge

      Re: Android Blacklist

      I don't think they take action - it's quite a new site. Though, I feel the more people support it, the more important it will get.

      I'd like to see them form some kind of action group in the future - in the meantime, I just hope to spread the word. I've got quite a few for them, but I've gathered them into a new category, and just have a bit more sorting out before I submit.. Hopefully they will be accepted!

      cheers

  17. sloshnmosh

    Android Blacklist

    @Jamie Jones: I went ahead and gave the info regarding the app to the Android Blacklist. Thanks again!

  18. Kiwi

    I'm surprised

    "...Google's Unwanted Software Policy..."

    I knew they had an internal policy about unwanted software, but I never thought they'd go public about how their foisting their garbage on the rest of us is actually policy!
