You can now get a reward of up to $50,000 for reporting data abuse by Android apps

Google today announced the launch of the Developer Data Protection Reward Program. It is a bounty program that will help Google identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions. You can get rewarded if you provide evidence of data abuse. The reward can be up to $50,000.

Through this program, Google is trying to prevent cases where user data is used or sold unexpectedly, or used in an illegitimate way without user consent.

For example, you can report a Google Play app if it has access to the SMS permission group and shares that data with a third party for advertising purposes. You can also report an app if it accesses a user’s inventory of installed apps and doesn’t treat this data as sensitive data subject to the Privacy Policy requirements.

Examples of violations include:

  • An app providing travel services, using or transferring user data unrelated to travel.
  • An app transferring user data to affiliates to help develop new products.
  • An app using or sharing user data for the purpose of targeting that user with advertisements.
  • An app developer allowing employees to read user data without the user’s permission.
  • An extension that has no interactive UI elements exposed to the user, but collects web browsing activity in the background for another purpose, including providing rewards to the user.
  • Any extension that publicly discloses authentication, payment, or financial information (for example, sending this data over HTTP).
  • An extension whose sole marketed purpose is to add themes to popular social media sites, but also anonymously scrapes the number of friends a user has, for sale or research purposes, and does not have a prominent disclosure to its users.
  • An app that accesses a user’s phone or contact book data and doesn’t treat this data as personal or sensitive data subject to the Privacy Policy, Secure Transmission, and Prominent Disclosure requirements. (E.g. metadata around who you’ve called or texted, timestamps of these communications, etc.)
  • Using contact data without user permission for another service unrelated to the original app (e.g. requesting contact information, then reusing it for a separate business or application unrelated to the original app).

Learn more about this program here.