
Google 'flaw' puts users' details on display - nreece
http://www.news.com.au/technology/massive-google-security-flaw-puts-users-details-on-display-for-all-to-find/story-e6frfro0-1226577210852
======
Kylekramer
Depends on your definition of flaw. This has been discussed before:
[https://plus.google.com/106557483623231970995/posts/Bed6WUJp...](https://plus.google.com/106557483623231970995/posts/Bed6WUJpNi4)

Basically, it is due to how Play Store is set up. Developers are the merchant
of record, not Google (unlike Apple's app store, where Apple is the merchant
of record). The developer may not "want" this information, but for tax
purposes they need it.

------
recurser

        These personal details could then be used to access the users' bank 
        details. That's also more than enough information to be able to access 
        your other devices which could also be mined for more data - insurance 
        information, other credit cards -  which could then be used to access 
        your banking credentials.
    

Do developers have access to users' bank details? How would anyone access
'other devices' with just a name, address and email? This seems a little far-
fetched.

~~~
kysol
Worse case scenario that I can think of is that they use the same password for
their email as they used for the in-app auth in the App they bought.

Next step would be for the app creator to login, see what they can use to
create requests for other personal credentials. Facebook password reminder,
they get in, then they have the user's DoB and family information (for those
stupid companies still using "what's your mothers maiden name" password
reminder questions).

You could probably do a fair chunk of damage, but that's all based off the
fact that the user would have to be silly enough to still use the same
password over multiple services. Yes I know... we've been telling them for far
too long, but people still don't listen. They think that if their bank
password and their email password are different then they are safe.

~~~
eurleif
If the user is already setting a password in the app, couldn't the app just
ask for the user's email address? It doesn't seem like having the email
address for free really buys a malicious developer that much.

~~~
kysol
The argument there would be that the user "provided" the app owner with their
email address, where at this point Google is just giving it to them. Don't get
me wrong, I'm on the, I don't care side.

I was in a store one day when the clerk asked the customer for their postcode,
the customer went nuts saying that he shouldn't have to tell them. Three
minutes of arguing could have been shortened to "INSERT FAKE NUMBER" if he was
really that against giving his real post code.

------
nilved
Google Play is the one sole reason I have a Google account (connected to my
Android phone or in general.) I guess I need to start pirating all my apps
now, but at least I can delete the account!

~~~
tadfisher
Better avoid making any online purchases whatsoever, or credit card purchases
altogether. Every merchant gets this information.

~~~
interpol_p
The problem is that he is comfortable with Google receiving his information
(name, address, email) but not third party developers selling through Google.

Developers on Google Play _should not be merchants_. Google should be more
than a payment processor — especially if they are going to take 30% just like
Apple does.

Apple handles this a hell of a lot better: as a developer you don't see
anything about your customers (except how many there are per country) and you
don't have to compute and collect sales tax yourself for every region you sell
in, nor do you have to manually handle returns.

I hear the Amazon App Store does this a lot better than Google Play.

~~~
tadfisher
While I agree that Google's cut should be thinner, it works out way better as
a buyer when you can ask a developer directly for a refund or about payment
issues rather than deal with a huge company with automated customer service
that doesn't work.

~~~
interpol_p
It's fairly straightforward to get a refund from Apple for an App Store app —
we see about 2-3 refunds a week processed for our main app ($9.99).

The thing is, as developers, we don't have to deal with it. The customer is
unhappy and gets their refund, Apple does it, not us. We simply see that a
refund happened and move on.

It's a far better system for all involved: consistent refund policy for the
customer, developer doesn't have to deal with it.

------
EricButler
My thoughts on this: <http://codebutler.com/2013/02/13/play-store-privacy/>

Although there is a legitimate reason for sharing this information (sales
taxes), it is not clearly explained to users or developers and goes against
reasonable expectations.

------
doe88
As developer I certainly wouldn't feel confortable receiving this kind of
informations. There is a difference between selling for instance a $100
product and selling the equivalent of a cheeseburger. In the latter case I
wouldn't expect receiving so much detailed informations for such insignificant
and common purchase.

~~~
Kylekramer
But if you were to buy a cheeseburger with a credit card, the person selling
the cheeseburger would get this exact same information. I don't know if the
price should really be a factor here.

~~~
doe88
As msy replied there are for sure some informations the seller wouldn't have
from a credit card. But more generally this is a good question, I don't know
how much informations the merchant obtain from VISA when I purchase something
online. I would expect none, just that the transaction is authorized or
denied.

~~~
vagarwa
Banks and networks (Visa etc) don't share the customer information with the
merchant. There was a class action law suit against merchants asking for
Zipcode. [http://articles.latimes.com/2011/feb/16/business/la-
fi-0216-...](http://articles.latimes.com/2011/feb/16/business/la-fi-0216-zip-
lawsuits-20110216) Here Google is acting like a network and the developer is
the merchant. There is absolutely no requirement (from a legal perspective) to
pass on the customers' information to the merchant. Visa and the issuer bank
don't share any personal details of the customer with the merchant, which is
what Google and Paypal (and probably square) are promising the merchants, if
they use their payment system.

~~~
doe88
Thank you for the infos it's helpful.

------
ryanhuff
Does this apply to free app downloads?

~~~
yanw
No.

------
maxpow4h
The main problem here is it isn't communicated effectively to users.

------
taproot
I hate sounding like a broken record, and this isn't really aimed at anyone in
particular (just a few comments have irked me), but if you haven't seen this
talk from like a decade ago, please watch it before you post on things
concerned with privacy.

<http://www.youtube.com/playlist?list=PL8C71542205AA51E5>

"Privacy is dead, get over it - Steve Rambam"

------
1010011010
Like paypal?

------
yanw
No it's not a "flaw":

[http://marketingland.com/why-im-glad-google-play-gives-
devel...](http://marketingland.com/why-im-glad-google-play-gives-developers-
customer-data-33431)

[http://marketingland.com/google-play-gives-email-
addresses-p...](http://marketingland.com/google-play-gives-email-addresses-
privacy-issues-33432)

It's ridicules how some outlets just run with this sort of crap without
question.

~~~
gurkendoktor
Because these two blog posts are happy about the setup of the Play store, it
is not a flaw anymore (with or without quotation marks)? It surprised the app
developer in the OP and it surprised me. It may be _very, very_ old news, but
I read the internets quite a bit and still didn't know this.

