Our investigations team successfully worked with a popular health and fitness mobile app to resolve privacy issues and better protect users’ data. The results are a great example of how IDAC intends to work with app companies and developers to address challenges in a direct and collaborative way. In this instance, we opted not to name the app because their team worked quickly and openly with our investigators to rectify our concerns.
In the future, we intend to publish additional findings such as this, ideally calling out good behavior and allowing responsible companies to be credited with their approach. Other IDAC investigations may take different routes.
Once we became aware of privacy issues with this specific mobile app, our team conducted technical tests on the Android version of the app in real-time from locations in the United States, France, and the United Kingdom.
After identifying privacy concerns related to persistent identifiers and inaccessible privacy settings for some users, our team reached out to the parent company to learn more about its practices. Although the issues we flagged were not egregious, the company’s privacy and legal team responded quickly and amicably to our request for more information. We worked closely with them to remediate the following:
The app was using the Android ID instead of the Android Advertising ID
The health and fitness app was using the Android ID instead of the Android Advertising ID. The Android Advertising ID (AAID) is a unique, user-resettable identifier used for advertising and analytics in Android apps. The Android ID, on the other hand, is a persistent identifier which differs from the AAID in that it is effectively fixed to the hardware of the device and cannot be reset. Google prohibited the use of Android IDs for advertising purposes and instead requires the use of the AAID in an effort to give users more control over their privacy.
We raised this issue with the company and they swiftly had their engineers look into our concern. Upon its review, the company verified that the Android ID was not being used for advertising purposes. As a best practice they are working on removing the use of the Android ID from the app altogether.
The app’s privacy settings were inaccessible for Android 7 device users
We conducted our tests on an Android 7 device and noticed that the app’s privacy and information consent management setting pages were blank when we attempted to access the information. (Note: this issue only came up on Android 7 devices). After discussing this with the company’s team, we learned that it was a user experience (UX) issue and the empty module was not the intended design. The company has since fixed this UX issue.
Conclusion
After we discovered and raised these privacy issues, the company promptly addressed our concerns surrounding its app. We are pleased that the company cooperated with our investigations team and demonstrated its commitment to consumer privacy. The company was open to suggestions and eager to resolve our concerns — exhibiting exemplary behavior that we hope other companies we approach will emulate.