Google cracks down on apps that snoop on you, even if they're not in Play Store

Unless apps come clean about the personal data they collect, Google will slap them with Safe Browsing warnings.
Written by Liam Tung, Contributing Writer

Google is introducing significant changes to how it enforces its Unwanted Software Policy, which should result in better privacy and transparency for the world's two billion Android users.

Google is giving developers two months to ensure their apps don't deviate from its Unwanted Software policy. If an app continues to stray from the policy, users are likely to see its Safe Browsing full-page warnings, which will probably drive users away from the offending software.

The crackdown is a new effort to combat malicious and harmful Android apps and will apply to software distributed through the Play Store as well as third-party Android app markets.

The Safe Browsing warnings will appear "on apps and on websites leading to apps that collect a user's personal data without their consent", Google said on its security blog.

In other words, the warnings may be applied to sites and software that promote the apps that violate its policy, as well as the offending apps themselves.


Safe Browsing warnings will appear "on apps and on websites leading to apps that collect a user's personal data without their consent".

Image: Google

If an app uses a user's phone number, email address, or device data, it will need to prompt the user and provide a privacy policy within the app.

Developers will also need to offer a way for users to give their "affirmative consent" if an app collects and transmits personal data that's unrelated to the functionality of the app. The app also needs to prominently explain how user data will be used.

"These data collection requirements apply to all functions of the app. For example, during analytics and crash reporting, the list of installed packages unrelated to the app may not be transmitted from the device without prominent disclosure and affirmative consent," Google said.

The changes reflect an update in August to the Personal and Sensitive Information section of Google's Developer Policy Center. The amended policy introduced a requirement for an app to provide prominent disclosure if it collects and transmits personal user data which is unrelated to the app's main functionality, as described in its Play Store listing.

The section covers requirements for how an in-app data-usage disclosure must be displayed and how the app needs to request user consent. For example, the in-app disclosure must be shown within the app itself and not just the Play Store listing or on a website.

It must also be displayed within the normal usage of the app and not be buried in settings. It also can't be placed in a privacy policy or terms of service and must not be bundled with non-privacy disclosures.

The affirmative consent request dialog needs to be presented in a clear and unambiguous way. To gain consent, the user will need to tap to accept or tick a check-box.

Google notes that two common violations are when an app doesn't treat a user's installed apps as personal or sensitive user data and when an app doesn't treat the user's phone or contact book as personal data. The apps will be considered to violate Google's policy if they don't follow the rules for prominent disclosure.

Websites owners that attract a Safe Browsing warning will need to follow the usual processes in the Search Console if they want to resolve the warnings. App developers caught by the new Safe Browsing warnings can request an app review on the App Verifications and Appeals support page.

Previous and related coverage

Google Safe Browsing beats rivals but still only flags up 10 percent of hacked sites

An analysis of hijacked websites suggests Google's Safe Browsing technology is only warning users about a small proportion of them.

Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields

In October, Google will begin phase two of its plan to label all HTTP pages as non-secure.

Read more on Android

Editorial standards