You can’t trust the privacy claims of app developers on Google Play

It is basically impossible to track what all your mobile apps are doing and what data they’re sharing, with whom and when. So over the past couple of years, Apple and Google have added mechanisms to their app stores, such as privacy labels, that give users some insight into how apps work and what information they share. But these transparency tools are populated with information supplied by the app developers themselves. And a new study focusing on data security information on Google Play suggests that the details provided by developers are often wrong.

Researchers at Mozilla’s non-profit software group looked at data security information for the 40 most downloaded apps on Google Play and rated these privacy statements as “poor”, “needs improvement” or “okay”. The assessments are based on the degree to which the data security information does or does not conform to the information in each application’s privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest score for data security disclosures. Fifteen applications received a moderate grade. These include the Meta-owned Instagram and WhatsApp apps, but also Google-owned YouTube, Google Maps and Gmail. Six of the applications were awarded the highest rating, including Google Play Games and Candy Crush Saga.

“When you land on a Twitter app page or a TikTok app page and click on data safety, the first thing you’ll see is a declaration that these companies don’t share data with third parties. That’s funny — you know right away something’s off,” said Mozilla project leader Jane Kaltrider. “As a privacy researcher, I could tell that this information wasn’t helping people make informed decisions. Moreover, the person who reads regularly is lulled into a false sense of security.”

Google requires all app developers submitting to Google Play to complete a data security form. The rationale is that the developers, not the app store that facilitates distribution, are the ones who have information about how their product handles data and interacts with other parties.

“If we find that a developer has submitted inaccurate information on the Data Safety form and that it violates the policy, we will ask the developer to correct the issue to bring it into compliance. Non-compliant apps are subject to enforcement actions,” Google told Mozilla researchers. The company did not respond to WIRED’s questions about the nature of those enforcement actions or how long they took.

Google, however, rejected the researchers’ method. “This report contradicts the company’s general privacy policies intended to cover various products and services with individual data security labels, which inform users of the data an app collects,” the company said in a statement. “The arbitrary ratings assigned to apps by the Mozilla Foundation are not a measure of the security or validity of accounts given their flawed methodology and lack of verification information.”

In other words, Google is saying that Mozilla researchers either misunderstood the scope of the privacy policies they were looking at or consulted the wrong policies altogether. But the privacy policies the researchers used in their analysis are the actual policies that each app developer links to on Google Play, indicating that they apply to the apps in question.
