The mobile phone giants have removed more than 200 Chinese apps, including widely downloaded apps like TikTok, at the request of the Indian government in recent years. Similarly, the companies removed LinkedIn, an essential professional networking app, from Russian app stores at the request of the Russian government.
However, access to apps is just one concern. Developers regionalize apps too, which means they produce different versions for different countries. This raises the question of whether these apps differ by region in their security and privacy capabilities.
In a perfect world, access to apps and app security and privacy capabilities would be consistent everywhere. Popular mobile apps should be available without increasing the risk that users are spied on or tracked based on the country they are in, especially considering that not every country has strict data protection rules.
While our research confirms reports of takedowns due to government requests, we also found many discrepancies introduced by app developers. We found cases of apps with settings and disclosures that expose users to higher or lower security and privacy risks, depending on the country in which they were downloaded.
The countries and one special administrative region in our study are diverse in location, population and gross domestic product. They include the US, Germany, Hungary, Ukraine, Russia, South Korea, Turkey, Hong Kong, and India. We also included countries like Iran, Zimbabwe and Tunisia, where it was difficult to collect data. We surveyed 5,684 popular apps worldwide, each with over 1 million installs, out of the top 22 app categories, including books and references, education, medical, and news and magazines.
Our research showed large amounts of geo-blocking, with 3,672 of 5,684 popular apps worldwide blocked in at least one of our 26 countries. Developer blocking in all our countries and app categories was significantly higher than the number of takedowns requested by governments. We found that Iran and Tunisia have the highest blocking rates, with apps like Microsoft Office, Adobe Reader, Flipboard, and Google Books all not downloadable.
We found regional overlap in the apps that are geo-blocked. In European countries in our study – Germany, Hungary, Ireland and the UK – 479 of the same apps were geo-blocked. Eight of those, including Blued and USA Today News, were blocked only in the European Union, possibly because of the region's General Data Protection Regulation. Turkey, Ukraine and Russia also show similar blocking patterns, with high virtual private network app blocking in Turkey and Russia, consistent with the recent increase in supervision laws.
Of the 61 country-specific takedowns by Google, 36 were unique to South Korea, including 17 gambling and gaming apps that were removed in accordance with the national ban on online gambling. While the takedown of Chinese apps by the Indian government took place with full disclosure, surprisingly, most of the takedowns took place without much public awareness or debate.
Differences in security and privacy
The apps we downloaded from Google Play also showed country differences in their security and privacy capabilities. One hundred and twenty-seven apps varied in what the apps were allowed to access on users’ cellphones, 49 of which had additional permissions deemed “dangerous” by Google. Apps in Bahrain, Tunisia and Canada demanded the most extra dangerous permissions.
Three VPN apps enable clear text communication in some countries, allowing unauthorized access to users’ communications. One hundred and eighteen apps varied in the number of ad trackers included in the app in some countries, with the categories Games, Entertainment and Social, and with Iran and Ukraine, having the most increases in the number of ad trackers compared to the base number common to all countries.
One hundred and three apps have country-based differences in their privacy policies. Users in countries not covered by data protection regulations, such as the GDPR in the EU and the California Consumer Privacy Act in the US, are at greater privacy risk. For example, 71 apps available through Google Play have GDPR-compliant clauses in the EU only and CCPA clauses in the US only. Twenty-eight apps that use dangerous permissions make no mention of it, despite Google’s policy obliging them to do so.
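The comparison described above, as an added example that is not code from the study: it takes the decoded AndroidManifest.xml text for each country's build of one app, treats the permissions common to all builds as the base, and reports each build's extra permissions, which of them appear on a partial list of Android "dangerous" permissions, and whether cleartext traffic is explicitly enabled. The function names and the two sample manifests (builds "A" and "B") are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Partial list of permissions Android classifies as "dangerous" (runtime) permissions.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

def parse_manifest(xml_text):
    """Return (permission set, explicit cleartext flag) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    app = root.find("application")
    # Only an explicit "true" is reported; platform defaults are not modelled here.
    cleartext = app is not None and app.get(ANDROID + "usesCleartextTraffic") == "true"
    return perms, cleartext

def regional_diff(manifests):
    """manifests: {country: manifest XML}. Compare each build with the common base."""
    parsed = {c: parse_manifest(x) for c, x in manifests.items()}
    base = set.intersection(*(p for p, _ in parsed.values()))
    report = {}
    for country, (perms, cleartext) in parsed.items():
        extra = perms - base
        report[country] = {
            "extra": sorted(extra),
            "extra_dangerous": sorted(extra & DANGEROUS),
            "cleartext": cleartext,
        }
    return report

# Constructed sample manifests for two hypothetical regional builds of one app.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
SAMPLE = {
    "A": f'<manifest {NS}><uses-permission android:name="android.permission.INTERNET"/>'
         f'<application android:usesCleartextTraffic="false"/></manifest>',
    "B": f'<manifest {NS}><uses-permission android:name="android.permission.INTERNET"/>'
         f'<uses-permission android:name="android.permission.READ_CONTACTS"/>'
         f'<uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>'
         f'<application android:usesCleartextTraffic="true"/></manifest>',
}

if __name__ == "__main__":
    for country, row in regional_diff(SAMPLE).items():
        print(country, row)
```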
The role of app stores
App stores allow developers to target their apps to users based on a wide variety of factors, including their country and the specific features of their device. Although Google has taken a few steps toward transparency in the app store, our research shows there are flaws in Google’s control of the app ecosystem, some of which could compromise users’ security and privacy.
Possibly also due to app store policies in some countries, app stores specializing in specific regions of the world are becoming increasingly popular. However, these app stores may not have adequate auditing policies, allowing modified versions of apps to reach users. For example, a national government could pressure a developer to deliver a version of an app that includes back door access. There is no easy way for users to distinguish a modified app from an unmodified one.
Our research offers several recommendations to app store owners to address the issues we found:
- Better moderate their country targeting features.
- Provide detailed transparency reports on app removals.
- Vet apps for differences based on country or region.
- Insist on transparency from developers about their need for the differences.
- Host app privacy policies themselves to ensure their availability when the policies are blocked in certain countries.
Renuka Kumar is a Ph.D. student of computer science and engineering at the University of Michigan.