The Usable Security & Privacy Group at Berkeley has published a website entitled AppCensus which purports to give a privacy health check for Android mobile apps. One can go to the site and type in the name of an Android mobile app and, for approximately 19,000 mobile apps on Google Play, the site will give a rough list of the device IDs and special permissions requested by the app from the Android OS; the host names on the Internet to which the app transmits device IDs; and an indication of whether location is used.
The Washington Post just featured the AppCensus site in a story about (alleged) COPPA non-compliance.
AppCensus has significant shortcomings, but it has dramatically lowered the bar for journalists, regulators, and privacy researchers to make meaningful inquiries or public statements about any company’s Android apps. It will unfortunately make the “gotcha” game for perceived violations nearly a turn-key exercise for reporters, researchers, and regulators. One can see this tool being used not just for COPPA, but also for VPPA, HIPAA, and GLBA (although it is critical to note that VPPA, HIPAA, and GLBA require the confluence of both a device ID and another piece of information—health care, movie title or genre, financial information, etc.—and AppCensus does not provide that second piece; the site would still likely be the starting point for regulators, the media, and plaintiffs’ counsel on these issues).
We would recommend, to the greatest extent possible, that companies have their apps privacy-tested in beta, so as to avoid an adverse event associated with AppCensus.
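The kind of check a beta privacy test would run, as an added example that is not part of the original post and is not AppCensus's own code: given the identifiers of a known test device and the outbound requests captured from the app under test (both constructed here; the hosts use the reserved `.test` domain and are hypothetical), report which hosts receive each device ID and which receive location fields. It looks for hashed forms of each identifier as well as the raw value, because sending an MD5 or SHA digest of an ID instead of the ID itself is a common pattern that a plain string search would miss.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed identifiers for a hypothetical test device (not real values).
TEST_DEVICE_IDS = {
    "advertising_id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "android_id": "9774d56d682e549c",
    "imei": "356938035643809",
}

# Constructed outbound requests (url, body), as an intercepting proxy would
# capture them from a beta build. Hosts are hypothetical.
SAMPLE_REQUESTS = [
    ("https://ads.example-adnetwork.test/track?aid=f47ac10b-58cc-4372-a567-0e02b2c3d479", ""),
    ("https://api.example-app.test/config", ""),
    ("https://analytics.example-sdk.test/v1/events",
     "android_id=9774d56d682e549c&lat=37.8716&lon=-122.2727&event=open"),
    # Sends the SHA-1 of the IMEI rather than the raw value.
    ("https://crash.example-sdk.test/report",
     '{"device":"' + hashlib.sha1(b"356938035643809").hexdigest() + '","msg":"NPE"}'),
]

# Common query-string or JSON keys that carry coordinates.
LOCATION_KEYS = re.compile(
    r'(?:^|[?&"{,\s])(lat|latitude|lon|lng|longitude)"?\s*[=:]', re.I)


def identifier_forms(value):
    """Return the raw identifier plus its common hashed forms, lower-cased."""
    raw = value.encode()
    forms = {value.lower()}
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, raw).hexdigest())
    return forms


def audit(requests, device_ids=TEST_DEVICE_IDS):
    """Map each device identifier to the hosts that received it, raw or hashed,
    and list the hosts that received location fields."""
    forms = {name: identifier_forms(v) for name, v in device_ids.items()}
    hosts_by_id = {name: set() for name in device_ids}
    location_hosts = set()
    for url, body in requests:
        host = urlparse(url).hostname
        text = url + "\n" + body
        haystack = text.lower()  # hex digests are lower-case already
        for name, variants in forms.items():
            if any(v in haystack for v in variants):
                hosts_by_id[name].add(host)
        if LOCATION_KEYS.search(text):
            location_hosts.add(host)
    return {
        "hosts_by_identifier": {n: sorted(h) for n, h in hosts_by_id.items()},
        "location_hosts": sorted(location_hosts),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_REQUESTS)
    for name, hosts in report["hosts_by_identifier"].items():
        print(f"{name}: {', '.join(hosts) or '(not transmitted)'}")
    print("location sent to:", ", ".join(report["location_hosts"]) or "(none)")
```

Seeding the test device with known identifier values and searching for those, rather than pattern-matching anything that looks like an ID, keeps false positives low; the hashed-form check is what catches the crash-reporting host above, which would otherwise appear clean.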