Google is not shy about kicking apps out of its Play Store, sometimes for no good reason and with no useful explanation. But an app apparently exposing the entire Palestinian population register raised no internal alarm bells – not before a tech website contacted the tech giant.
Nor did user reviews on the Play Store flagging serious privacy violations prompt Google to identify the problem on its own and act any sooner.
Vice’s Motherboard writes that it first got wind of the offending app on October 10, thanks to Israeli security researcher Noam Rotem. Following a practice normally reserved for critical software bugs, the website decided not to name the app – dubbed “Palestinian Civil Registry” – or link to it in its reporting, for fear that spreading information about it would increase the likelihood of abuse.
Instead, Motherboard contacted Google, no doubt in the hope the app would be swiftly reviewed and removed. This finally happened on Thursday, October 31, when the app was gone from the Play Store.
Before this happened, the Palestinian Civil Registry allowed anyone who had it installed on their phone to search through a database containing personal information of just about every Palestinian.
Addressing the incident on Twitter, a French security researcher details exactly what this means: you could search for “name, father’s name, mother’s name, family, grandfather’s name, home number, area code, date of birth, ID number.”
1. After reading this story, I wanted to see how bad this app was. Let me show you https://t.co/OwuDYaKRxX
— Elliot Alderson (@fs0c131y) November 1, 2019
The backend – said the researcher who goes by the name of Elliot Alderson – is hosted in Gabon.
About that backend server: although the app is gone from the Play Store, this highly sensitive data – all the more sensitive because it concerns private information about people in a conflict zone – remains exposed, Motherboard’s Joseph Cox said on Twitter.
According to Motherboard, Rotem demonstrated this, writing, “Their API is garbage, you can download (data of) all citizens” – and the website says it has been able to verify that “scraping en masse” can still be done from the server.
However, we don’t learn from the report who was behind the app – although we get multiple references, and even quotes, from the developer(s). We’re also none the wiser as to how they obtained this data in the first place. Some of those Motherboard spoke to speculate that the database might have been hacked.