In response to outreach from researchers from the International Digital Accountability Council (IDAC), Google has taken corrective action in connection with three apps – Princess Salon, Number Coloring and Cats and Cosplay and data collection practices by three software development kits (SDKs) used within those apps.
IDAC alerted Google that the three apps were in violation of Google’s developer policies. It also alerted Google to potential issues with three SDKs used in those apps – Unity, Umeng, and Appodeal. Google took corrective action in response, after its own investigation.
IDAC’s president Quentin Palfrey praised Google for the steps it took to resolve the issues IDAC presented to Google. “The practices we observed in our research raised serious concerns about data practices within these apps,” Palfrey said. “We applaud Google for taking steps to enforce on these apps and the third-party data practices within these apps.”
IDAC’s Findings with Respect To Third-Party Data Practices
IDAC flagged to Google that SDK versions of Unity, Appodeal, and Umeng used within the three apps were collecting data in ways that could potentially lead to violations of Google Play policies. Google took action after its own investigation.
IDAC’s tests revealed that certain versions of the Unity, Appodeal, and Umeng SDKs were not in compliance with broader Google Play policies around data collection. Among other things, IDAC’s tests highlighted that certain versions of Unity’s SDK were collecting both the user’s AAID and Android ID simultaneously, which may have allowed Unity to bypass privacy controls and track users over time and across devices.