Google Tells Specific Apps to Disclose Location Gathering or Be Removed

Google has sent a wave of warnings to specific Android app developers telling them to be much clearer with how they collect and process location data or face being removed from the Play Store entirely, Motherboard has learned.

Google targeted apps that it believes worked with a company called Huq, which collects granular location data from ordinary smartphone apps and then sells products based on that to various industries. Google appears to have removed some offending apps too.

The move comes after Motherboard reported that some Huq-affiliated apps were sending location data to the company even when users explicitly opted-out. That report highlighted that smartphone users can’t necessarily be sure that an app is respecting their choices around data sharing.

“It's certainly a positive development, and I'm glad it was enforced by removing apps that chose not to comply,” Joel Reardon, assistant professor at the University of Calgary and the forensics lead and co-founder of AppCensus, a company that analyzes apps, and who first flagged some of the issues around Huq to Motherboard, said in an email. “This kind of policy-based enforcement, however, requires continuing effort in monitoring for bad actors and broken consent going forwards. The location collection firms also have a responsibility to ensure that apps that include their intimate tracking software actually ensure that apps implement the consent structures that they claim in privacy policies correctly.”

A Google spokesperson told Motherboard in an email that "As part of our investigation, we have sent a warning to all app developers that we determined were in violation of Google Play policies.” Google added that the investigation was specifically concerning Huq.

Huq is a UK-based firm that claims to collect and process over one billion location data events everyday, and says it sources that data from devices in 161 different countries, according to the company’s website. Huq then offers products based on that data to different sectors such as local governments, retail, real-estate, and financial investors, its website adds. Sometimes journalists use the company’s data too: in September the Financial Times published an article that used Huq data about UK drivers flocking to petrol stations during a recent fuel scare.

Huq obtains this data by paying app developers to include its own software development kit (SDK) inside apps. This bundle of code then collects the app users’ location data and transfers it to Huq. Huq obtains data from both Android and iOS devices.

Motherboard’s and Reardon’s findings about Huq-affiliated apps collecting data without consent focused on a selection of specific apps, including one called “Network Signal Info” made by KAIBITS Software GmbH and “QR & Barcode Scanner” developed by AppSourceHub, each with more than 5 million downloads.

Huq later admitted to the BBC that some of its data was gained without seeking permission from users.

"It is possible that we or our partners may uncover future technical issues, but what's important is how quickly we act and how seriously we take the issue," Huq told the BBC.

Norwegian outlet NRK then reported on another app that Reardon found, Quran Mp3, also made by AppSourceHub, that sent location data to Huq even when a user had opted-out. Huq told the outlet it had stopped its partnership with AppSourceHub. A UK National Rail app also cut ties with Huq, NRK reported.

Multiple apps that previously may have had links with Huq have since been removed from the Google Play Store. Those include “ONCE—Escaner de Cupones,” a Spanish language lottery app; “Acak,” a video chat app; a reference app for the popular game League of Legends “Champions of League of Legends;” and flight tracker “Airline Flight Status Track & Airport FlightBoard.” It is not clear if all of these apps were removed for the same reason or not.

A representative for the app “London Live Bus Times” confirmed it had received a request from Google relating to updating its app’s disclosures on location data. The representative said the app has been updated.

Brad Folkens, from the visual search engine app “CamFind,” said he believed Google had removed the app by mistake.

“The items indicated on the ticket (presence of Huq SDK) are not in the APK. We've responded to Google with evidence the Huq SDK is not present in an appeal, but have not yet received a reply,” he wrote. But the app’s privacy policy clearly says that it collects and shares location information with third parties, and that “one of these third parties is Huq.” Folkens then told Motherboard the app used to use the Huq service directly but discontinued it earlier this year.

Google has previously banned other location data firms as entities in their own right after Motherboard's reporting, including X-Mode and Predicio. This round of enforcement seems more focused on specific apps and their own disclosure policies rather than Huq as a company overall.

On Wednesday Huq Chief Marketing Officer Alexander Fairfax told Motherboard in an email that “The two apps you mention haven’t worked with us for some time—it’s quite possible they haven’t updated their code since we stopped working together,” when provided an example of some apps that are no longer available on the Google Play Store. “To the best of our knowledge, all our current partners comply with Google Play Store Ts & Cs [terms and conditions].”

Huq Chief Technology Officer Isambard Poulson previously told Motherboard that app developers are the ones responsible for obtaining that consent.

“Our SDK should only be initialised when users provide consent. The app developer is responsible for the implementation of their own consent management system,” Poulson wrote.

Apple did not respond to multiple requests for comment on whether it has taken any action against Huq-affiliated apps, despite the Huq SDK being present in iOS apps, according to analytics data from app intelligence company 42matters.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.