NPC on alert vs invasive ‘creepy’ Android app package
MANILA, Philippines — The National Privacy Commission warned the people to beware of Android app packages (APKs) that can be installed by app developers and allow intrusive eavesdropping if not outright personal data hacking and theft by unscrupulous groups.
NPC commissioner Raymund Liboro said that the agency will take a proactive stance against the invasive APKs after a thorough investigation they conducted following complaints of invasion of privacy and illegal processing and handling of personal data.
Liboro said they have already informed Google, the maker of Android, regarding the “creepy” APKs among apps in Android smartphones.
“The NPC is currently conducting what we call privacy sweeps on company mobile apps and websites. We’re doing this by sector,” Liboro told The STAR.
“It’s anchored on transparency where we check whether companies are being transparent in telling how they use personal data. When we spot apps lacking in transparency, that already raises a red flag,” Liboro said.
“We are calling on companies to practice ‘privacy by design’ and not include creepy features in the apps they develop,” Liboro added.
The NPC last Friday announced its intention to pursue criminal prosecution of three online lending firms that had violated the Data Privacy Act of 2012 in their modus operandi of publicly shaming borrowers who were delinquent in loan payments.
The NPC said they have completed their investigation on Fast Cash Global Lending Inc., which operates the Fast Cash app; Unipeso Lending Co. Inc., behind the CashLending app and Fynamics Lending Inc. that operates the PondoPeso app.
NPC officials have recommended the prosecution of the board members of the three firms, whose business model was found to be based on principles that go against the Data Privacy Act.
In their investigation of hundreds of complaints against the erring online lenders, the NPC technical and information technology team discovered that the lending apps of the companies had APKs that allowed the lenders to tap into users’ phone book records, and other personal data; and even overwrite some content and functions to barge in on their lenders.
Aside from the phonebook directory contacts, the APKs allowed the app operators to access photos and videos, access and even write calender entries on the users’ Android phones, allow them to access the precise location and approximate location of the user; find out the status of the users’ phone; read the contents on external storage of a user’s micro SD, write the users’ contacts data aside from accessing them, initiate a phone call without going through the dialer user interface for the user to confirm or accept the call, and even access the microphone and record audio and access and record on the phone’s built in camera.
“There should be a way to make APKs and their permissions more transparent and understandable to the users so that consent is meaningful and informed,” Liboro said.
In the meantime, Liboro reiterated a call to the public that they should be more vigilant on the apps they download onto their phones.
“I strongly advice the public to be vigilant when installing such apps or APKs. You may check the permission list on Google Play Store before downloading such apps or APKs. Also, checking the reviews of these apps or APKs will give a brief overview of the app’s operations,” Liboro said.