Google offers privacy audit tool to app developers

Google's in-house incubator Area 120 has introduced a service called Checks to help mobile app developers understand how their applications handle data and automate privacy compliance.

Makers of mobile apps can sign up for Checks, now in beta testing, and have their apps scanned to generate data usage declarations for app stores, to see how their privacy policies measure up to legal obligations, and to understand how their apps and any integrated Software Developer Kits (SDKs) collect and handle data in light of declared permissions.

"We’ve heard developers say it’s difficult to keep pace with regulatory and app store policy changes, and determine how those changes apply to their apps," said Check co-founders Nia Castelly and Fergus Hurley in a blog post. "Checks helps developers gain confidence to make informed decisions by identifying potential compliance issues, providing clear actionable insights in simple language, and offering links to relevant resources."

SDKs – libraries added to apps to help deliver advertisements and perform other functions – pose a potential privacy and security problem because their code may not be trustworthy. These add-on modules, popular as a way to present ads and perform other revenue-generating functions within mobile apps, have been implicated in the harvesting of location data, and other forms of data looting. Consequently, developers who care about legal compliance are likely to welcome the visibility Checks promises.

"[SDKs] can change their functionality at any time, sometimes without the app developer knowing it," explain Castelly and Hurley. "Checks helps mobile app developers who use SDKs by detecting when their app’s data sharing practices have changed and then sending them an automated alert."

• Facebook is one bad Chrome extension away from another Cambridge Analytica scandal
• France says Google Analytics breaches GDPR when it sends data to US
• CIA illegally harvested US citizens' data, senators assert
• Should we expect to keep communication private in the digital age?

Checks is mainly focused on Android apps: It's intended to help Android developers properly declare data usage for the new Data privacy and security section coming to Google Play in April 2022. The service provides instructions for setting up a Checks account with Android apps and notes that the Checks SDK tracking feature requires the Android Gradle Plugin in Android Studio.

Checks consists of a Store Disclosure Creation tool, a Store Disclosure Monitoring tool, and Compliance Monitoring and Data Monitoring services.

Data Monitoring looks at permissions, data collection and sharing, within app code and SDKs. The Check website suggests iOS developers with similar Android apps can use the Data Monitoring report from their Android apps to anticipate what iOS customers would see when looking at their iOS device's App Privacy Report.

The Checks compliance service – which is paid – mentions that it covers iOS apps but does not disclose details.

Checks has a Free tier that provides app analysis, which developers can use to fill out Google Play's Data privacy and security section.

There are also Core ($249/app per month), Premium ($499/app per month), and Enterprise (pricing on request) tiers that offer compliance monitoring for privacy rules in the US (CCPA, COPPA), the EU (GDPR), Brazil (LGPD), and Google Play Store Developer Policies. The per–app fee covers both Android and iOS apps, but it's unclear how iOS apps get monitored.

Though rather pricey, Google disclaims the service's recommendations. "Checks does not provide legal advice or conclusions regarding your app or privacy practices," the company says. The Chocolate Factory also insists Checks only uses public data, doesn't collect or store any data, and doesn't share its analysis reports with Google Play.

Google did not immediately respond to a request to clarify what aspects of Checks work with iOS apps and to say whether broader iOS support might be expected in the future. ®