
Google Hosted an Insecure App for Searching Personal Data of Palestinians

It’s possible to scrape the biographical data of thousands of Palestinians from an exposed server.

An Android app on the Google Play Store allowed anyone to look up biographical information on a large number of people in Palestine, including names, dates of birth, place of residence, and details on their family. The app was designed for a user to search for one person at a time, but a cybersecurity researcher also found the server hosting the data itself is insecure, allowing anyone to scrape it en masse.

Motherboard confirmed Thursday this scraping is still possible, after the app was removed from the Play Store.

"Having an app that allows anyone to get everyone's details just makes the privacy breach easier," Noam Rotem, an independent security researcher based in Israel who researched the app, wrote in an email.

"This is a very worrying development," Susan Power, head of legal research and advocacy at Al-Haq, a human rights organization focused on Palestine, wrote in an email.

"To my knowledge this information would more than likely be on the Population Register which Israel maintains control of for all persons in Israel and the OPT [occupied Palestinian territories]. My understanding was that information could be obtained from this on a limited ad hoc basis, submitting ID numbers etc," Power added. "It sounds like the information from the Population Registry may have been either hacked or sold on, for private use. If this is the case, it would be a very serious breach of human rights."

The Population Registry Office did not immediately respond to a request for comment. The exact source of the data is unclear.

Do you know about any other apps violating privacy? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The app was called 'Palestinian Civil Registry' and claimed to have data on all Palestinians. Rotem first contacted Motherboard about the app on October 10, but Motherboard decided at the time not to name or link to the app so as to not amplify any potential privacy violations. Google told Motherboard it was aware of the issue and investigating. Google said it was also trying to contact its developer. Thursday, Google confirmed it removed the app from the Play Store.

The developer did not respond to multiple requests for comment from Motherboard in both English and Arabic.

"I received the link from a Palestinian friend who was baffled as to why is Google allowing this app to be live on the Play Store in the first place, even before he knew that their entire database was leaking," Rotem wrote.

"Palestinian privacy rights are a very sensitive subject, as the information is not controlled only by the Palestinian authority but by Israel as well, so having it available online is a step in the wrong direction," he added.

Some users also thought the app posed a privacy violation, judging by a review left on the app's Play Store page before it was taken down.

"This application violates the privacy and displays private information therefore I will devote all my efforts with friends to the company to delete this application," one reviewer wrote in Arabic.

The app developer responded in Arabic, "The application does not violate the privacy of anyone because the information available within the application already exists in many websites." The developer added that there is an option to have your own data deleted from the app.

Google did not answer whether this app violates its Play Store's terms of use, and didn't point to a specific part of the company's terms of use after it removed the app. The app's privacy policy only contains boilerplate language that doesn't talk specifically about the Palestine data.

But the data is also still easy to download en masse. Even though Google has removed the app from the Play Store, the server hosting the data itself is still online and outside of Google's control.

"Their API is garbage, you can download all citizens," Rotem wrote, and shared multiple samples of data. Motherboard also scraped some of the data with a basic script to verify Rotem's findings.

"Weird situation," he wrote.
