Core feature of Malwarelytics for Android is protection against malware apps. In order to be able to check apps on the device, the SDK requires sensitive QUERY_ALL_PACKAGES
permission.
Google Play considers the list of installed apps to be personal and sensitive user data. Play policy permits only some kinds of apps to use this permission. Among them are apps that have a verifiable core purpose involving financial-transaction functionality. These apps may obtain broad visibility into installed apps for security-based purposed to fulfill their regulatory requirements.
Apps granted access to QUERY_ALL_PACKAGES
permission must comply with Google Play's user data policies, including prominent disclosure and consent requirement.
To confidently meet Google's requirements, an app integrating Malwarelytics for Android should create a user consent screen in the mobile app and display it on the first launch. See the provided example mockup:
The screen should contain a direct link to the privacy policy.
Besides modifications in your app, you also should do the following two steps:
- Add a link to the privacy policy in Google Play Console.
- Update your personal data protection policy to:
- Disclose security features of Malwarelytics for Android.
- Disclose Wultra as an outside data processor.
As explained in Malwarelytics privacy policy (available in Malwarelytics online portal), Wultra can use the data it collects only for security purposes - to protect your users. We do not and will not use the data for any other purposes than security. Specifically, we are not a data broker, and we do not provide data we collect to any third parties.
An example of the privacy policy wording items is the following:
The suppliers outside
{OUR_COMPANY_GROUP}
are in particular: IT service providers, including cloud repositories and IT security services (e.g., Salesforce, Microsoft, Wultra, etc.)
Our banking applications (in particular,
{NAME_OF_OUR_APPLICATION}
) and tools may contain antimalware / antivirus detection and detection of amended administrator rights (root/jailbreak) to determine if the device, from which you access our applications or tools, is secure or has been affected by a virus risk. These tools collect and then process information about the device security setting (e.g. deactivated screen lock, etc.), information about integrity of application and operating system (e.g. modified administrator rights [root/jailbreak]; start in emulator, use of hooking framework, etc.), device information (e.g. device model, anonymous device identifier to check whether the application is run on the same device as originally installed), metadata of potentially harmful applications and setting of notifications.
The above-mentioned data are processed in order to prevent fraud, to ensure user security, to comply with legislation and to conduct analysis for the purposes of improving security and evaluating potential threats.
For the analyses as per the previous sentence, third parties are used in some cases. See details in the Personal data recipients section.