Google Play Cybersecurity Woes Continue

Google Play is making headlines, but this time malware isn’t the problem. There are several apps which leak the private information of users and track their activity, even when they switch devices.

The Google Play store is once again battling cybersecurity woes. It’s not the first time and it’s likely not the last, although the most recent glaring offender was the Joker malware program. This time several apps are impacted, and malware is not the problem: specific apps are leaking data that could be used to track users, even if they switch devices.

The apps in question are Baidu Search Box and Baidu Maps (Baidu is a China-based company akin to Google), which have been downloaded millions of times. While these apps are no longer available for download, anyone who has them on their device is risking exposure. The apps are said to expose information like phone model, screen resolution, MAC address, wireless carrier, network, Android ID, IMSI and IMEI numbers. Some of those things are not horrible to expose (although any exposure is bad), but IMEI can be used to directly track a user. Even if they switch to a new phone, if they keep their number and move their SIM card over, the new device is impacted.

In addition, Homestyler (an interior-decorating app) and an Android SDK called ShareSDK were also found to leak data. Homestyler is still available in Google Play in the U.S. From ThreatPost:

“While not a definitive violation of Google’s policy for Android apps, the collection of identifiers, such as the IMSI or MAC address, is discouraged based on Android’s best practice guide,” explained the researchers. “To prevent data leakage, Android app developers should follow Android’s best practices guide and correctly handle users’ data. Android users should stay informed about the required permissions requested by applications on their devices.”
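As an added illustration (not code from the researchers or from any of the apps named here), the following Python sketch shows how outbound request parameters captured from a device under test can be checked for values shaped like the identifiers listed above. The hostnames, parameter names and sample values are constructed, and the shape checks are heuristics rather than proof of what a value is.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shapes of the hardware-bound identifiers named in the article (heuristics).
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
ANDROID_ID_RE = re.compile(r"[0-9a-f]{16}")   # 64-bit value as a hex string
DIGITS15_RE = re.compile(r"[0-9]{15}")        # length shared by IMEI and IMSI

def luhn_ok(digits: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str):
    """Return the identifier type a value looks like, or None."""
    if MAC_RE.fullmatch(value):
        return "MAC"
    if DIGITS15_RE.fullmatch(value):
        # A passing Luhn check suggests an IMEI; other 15-digit values fit the IMSI format.
        return "IMEI" if luhn_ok(value) else "IMSI-like"
    if ANDROID_ID_RE.fullmatch(value):
        return "ANDROID_ID"
    return None

def scan_requests(requests):
    """Flag query and form parameters whose values look like device identifiers."""
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query) + parse_qsl(body):
            kind = classify(value.strip())
            if kind:
                findings.append((parts.hostname, name, kind))
    return findings

# Constructed sample traffic: (URL, form-encoded body). All values are made up.
SAMPLE_REQUESTS = [
    ("https://analytics.example.com/v1/collect?model=Pixel+4&res=1080x2280",
     "imei=490154203237518&imsi=001010123456789&mac=02:1a:2b:3c:4d:5e"),
    ("https://api.example.org/config?lang=en&aid=0123456789abcdef", ""),
    ("https://cdn.example.net/tiles?x=12&y=34&z=5", ""),
]

if __name__ == "__main__":
    for host, param, kind in scan_requests(SAMPLE_REQUESTS):
        print(f"{host}: parameter '{param}' carries a value shaped like {kind}")
```

The phone model and screen resolution in the first request are deliberately not flagged: they are not unique to a device on their own, unlike the hardware-bound values the check targets.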

It is not uncommon for app stores to feature both malicious and legitimate apps which collect user data without consent. In fact, an April 2019 report found that millions of apps leak personally identifiable information (name, age, income, contact info, etc.).

The real issue at hand here is the lack of security implemented in application development. This is something we have discussed many times in the past, and the above illustrates exactly why this is important. Not only are insecure apps leaking personal and/or tracking information, but users have no idea that it’s happening. That’s a blatant violation of trust and exhibits poor ethical business practices. The people who are impacted by the lack of security are the same people who have no idea that it’s a problem, and therefore may not even know to delete the app from their device.

In this example, it’s Android’s Google Play store that’s the culprit, but that doesn’t mean it doesn’t happen on other operating systems. Apple and Microsoft both have their own sets of privacy and functionality issues as well; this isn’t reserved to Android or Google Play. That is why we not only discuss the need for developers to ensure security prior to deploying an app, but also stress that users should verify the apps they download prior to installation.

The bottom line for consumers is that everyone needs to verify everything. Don’t just trust the place you download your apps from. Do some research, especially if it’s a new app that only has five reviews. It’s also a good idea to install some security protections on your mobile devices, which do not come with antivirus or antimalware programs on them. Everyone is responsible for their personal devices, so if you don’t want your information exposed, be smart with it!

The bottom line for businesses is that security matters. The news has been rife with cybersecurity problems for months, which most businesses are starting to address. That is good, but they should ensure everything is done properly when it comes to app development. Functionality and design are great, but if there’s no security, then the app will fail. If this is a problem your business has encountered in the past and you are unsure of how to fix it, hire an expert! There’s always someone out there who is a specialist at what you need. Don’t “wing it.” Do it right the first time and you’ll reap the rewards of increased user interaction and higher profit margins.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who has founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
