Hi all,
We develop an Android app, which works well and our customers use fine. However, we've had a report from a customer who has Norton Mobile Security (v4.0.0.4024) installed on their S7 (Android 7.0) who said that our app is flagged by Norton App Advisor as a privacy risk in the Play Store. If they download the app (ignoring the warning) they get the message "This app is sharing your personal information but the location is unknown."
How do we go about stopping this brick wall Norton is throwing in front of our customers? Is Norton being way too overzealous in marking all apps that use location or login forms as a privacy issue, effectively scaremongering people into not using legitimate apps? Is there a whitelist our app can be added to?
Thanks in advance for any input that will help.
Hi again,
Totally understand that Norton wouldn't want to give out too much info, as that would give the less honest out there a way around the mechanism. Thanks for the info and the help though :)
Yeah I came to a thought that Norton is looking at the privacy information for the app and rating it as a risk without actually checking if a real risk exists. The issue here is though that consumers "trust" Norton as they're a security company, so they'll refuse to download an app because Norton says it's dangerous even though it may not be. I do not want to say to customers (we have over a million existing customers, and more to come) to not worry about it, just add us to your exceptions list - that would ring alarm bells with many more lol.
I guess the problem is Norton is reiterating what is already on the Play Store, but doing it in such a way it's scaring people off certain apps. I wonder how many people haven't used our app because of this. Our app doesn't ask for access to contacts, it simply wants to use location info (it doesn't need it, but it helps customers use the app easier), but it will send information back to our servers to process the 'order'.
Many thanks, I'll check my PMs!
I'll see if I can get someone in the know to look into this thread for you. No guarantees though, as Norton is not likely to share any proprietary information on how their product works.
One thing to point out. The privacy messages provided by the Norton product are just a guide for users to use. If you check a few apps from the Google Play Store, you will probably find they all send information of some kind back 'home'. It is up to the user to decide if they trust the app developer with whatever information they gather.
It is similar to the messages given about the permissions required by some apps. The user has to decide if they want to install an app that wants access to their contacts.
I have sent you a forum PM. Please check your Inbox at the top right of the forum page.
Thanks for your reply :)
All data is sent to our server in our datacenter in the UK, there are no other end points. I'm not sure how we'd go about making Norton know that end point is safe. There doesn't appear to be any process for applying to be put on a whitelist or anything, it feels as though Norton are controlling on high, to the detriment of legitimate app developers. I bet you don't get these alerts for an app like Facebook ;)
I guess the issue here is how Norton identifies these end points, for example if we don't allow ICMP (Ping) to a server, does that mean Norton doesn't know where the end point is so flags it as 'unknown'? I've got no idea, and I can't find any info from Norton in being able to troubleshoot this.
I don't think there's any code to remove from the app without it making the app completely useless. We'd also not want to upload a useless app to the Play Store (when does Norton decide to flag an app as a risk? It trawls the Play Store?) as this would seriously affect our business.
I'm hoping someone else here may be able to give solid guidance on why and how we should mitigate against these overzealous privacy alerts.
Thanks again!
"This app is sharing your personal information but the location is unknown."
From this message, it would seem that Norton needs some way to identify where any data is being sent. I am not an employee or a programmer so I have no idea how this is accomplished. I have installed apps that have that message, and ones that identify the country where the data is being sent.
Where is your telemetry being sent? While you try to figure this out, maybe you can temporarily remove that code. That should stop Norton from flagging the app. Then if you have any contacts that develop apps, you can ask them for guidance with this.