ISL began its life as the Me2B Alliance, striving to create standards to enable greater power symmetry in the digitally facilitated relationship between consumers (“Me-s”) and the companies whose technology they use (“B-s”). We called this the M2B relationship. For mobile apps, all too often it’s a case of “Me2 Who Knows?!” People have a right to know who’s legally responsible for the apps they use, and it is anything but clear in mobile app stores today. App stores are failing to make clear the legal entity who is responsible for apps. ISL has filed responsible disclosures with Apple starting in late 2024 but our repeated attempts have been dismissed.

Anatomy of Responsible Party Info in the App Stores

Both Google and Apple allow for two kinds of developer accounts: individual and organization. The creation of either type of account requires identity validation, but it’s a lower bar for individuals than for organizations. Individuals must provide a government issued ID credential before being allowed to open a developer account. This validates the individual’s name and address. Organizations, however, must provide a DUNS number to validate the legal existence of the organization. ¹²

▶ Problem 1: How effective is this level of identification authentication? ISL recently found an app developer with 15 apps in the Google Play store with no verifiable legal existence whatsoever. Thus, the process is imperfect at best.

In both stores, the “Account Holder” (to use Apple’s language) is the individual/entity who is in a legal relationship with the app store [owner].

Figures 1a and 1b show two parts of an Apple App store listing. Note that the name in blue under the app name appears to be the Account Holder (Figure 1a). Note that the Information section of the app listing shows five other places where we expect to see the same Account Holder name and websites.

 

Figures 2a and 2b show a similar annotated view of the Google Play Store app listing. Between Figures 2a and 2b, there are six instances where the Account Holder name appears.

 

This all seems fine. What we see in practice, though, is that the various links and names presented in the app store listing that should be definitively showing the name of the legally party responsible for the app often have inconsistencies. Which brings us to additional problems.

▶ Problem 2: Account Holders can create additional user accounts within their account, including users with permissions to submit/delete apps.³ There’s seemingly no governance over this capability, left strictly in the hands of the Account Holder.

▶ Problem 3: The app store app listing doesn’t indicate if the developer of the app is an individual or a company. This information matters. People deserve to know if they’re using an app developed by an individual developer, or by a company. No matter what, so long as apps are collecting personal information, people have an unconditioned right to know who gets their data and what they’re doing with it.

▶ Problem 4: The Apple app store doesn’t disclose the location of the responsible app developer but the Google Play store does.⁴ The great thing about app ecosystems is that they foster worldwide participants. The problem is that the responsible developer can be oceans away from consumers, making it difficult or impossible to hold the developer accountable if there are issues.

▶ Problem 5: Apps have broken developer links. It’s wildly confusing when the name in blue or green font under the app name is different from the name that appears when you click on the developer link. Imagine if you went to a grocery store and there was a loaf of bread with no brand or company information. You wouldn’t want to eat that. When you click on the Developer Website link for the app shown in Figure 1b you find yourself not only not at a site that says Kepler47, you find a non-functional page for audiojoy.com (Figure 3).

▶ Problem 6: The Account Holder name from the listing header doesn’t match the name in the privacy policy OR in the App Support link. Figures 4a and 4b illustrate a case where the listed developer in the listing header is Will Aitchison (Figure 4a), but the privacy policy fails to indicate a legally responsible data controller entirely (Figure 4b).

 

 

 

Note that there’s another layer of confusion for the First Step Oregon app, namely, the privacy policy found on the App Support page differs from the privacy policy linked in the app store (Figure 4c). This case is a case where the app developer was likely an individual affiliated with the organization who wrote and submitted the app on behalf of the company. Still, it leaves a question for users: who is responsible? Who does the user contact in the case of issues?

The Boggle: Arcade Edition app in the Apple store shows a similar situation. The Account Holder appears to be Zynga Inc. from the app store listing header (Figure 5a). But when you click on the App Support link you see the Take-Two Terms of Service (Figure 5.b). Similarly, the linked privacy policy is also Take-Two’s. Finally, this app includes a copyright showing Zynga Inc. in the information section (Figure 5c). In this instance, the original Account Holder (Zynga Inc.) was acquired by another company (Take-Two). Zynga appears to be a wholly owned subsidiary of Take-Two based on its California business registration status, but the “hybrid” information in the app store is confusing.

 

 

Interestingly, not all Zynga games in the app store show Take-Two info at the App Support link. Figure 6b shows the App Support link for FreeCell, another Zynga game.

 

▶ Problem 7: App Information shows two different names. Figures 7a and 7b show elements of the Apple app store listing for the app, Count Money and Coins – Photo Touch Game. In the Information section of the app store listing, Innovative Investments Limited is shown as the Seller, but Grasshopper Apps is the copyright registrant.

 

▶ Problem 8: App store listings with broken privacy policy links. It’s relatively easy to find apps in the app stores whose privacy links are simply broken, non-functional. This is what we found with most of the Innovative Investments Limited apps (Figure 7c).

Conclusions

NONE of this should be happening today. App stores receive 30% of all app revenues and thus have ample resources to programmatically monitor these situations. Consumers should never have to conduct forensic research in order to figure out who they’re entering into a business relationship with. Here’s a recap of what the app store owners should do:

1. Make it crystal clear on your label who the legal entity responsible for the app is (I’ll call this “responsible developer”).
2. Make sure ALL instances in and related to the app store listing consistently show the same responsible developer name.
3. Make sure there is valid, working contact information for the responsible developer.
4. Indicate if the developer is an individual or an organization.
   a. Ideally, we’d like to know the organization type, as this effects their legal obligations. For instance, for-profit vs. non-profit vs. government entities.
   b. It’s also important to indicate coarse location information of the developer—i.e. city, state and country.
5. Make sure privacy policy links are functional all the time.

Here are Recommendations for app consumers:

1. If there isn’t a privacy policy, don’t install the app.
2. If there are no privacy details provided in the Apple store, don’t install the app.
3. If there’s no developer contact information provided, don’t install the app.
4. Contact us if you find these or other problems with app store entries.

Final Thoughts

We are well past the point of understanding the risks of these things, yet we see no systemic changes under development on the part of Apple and Google to put safety measures in place. Perhaps shining this light on some of the issues can help spur action.

Footnotes:

1. https://support.google.com/googleplay/android-developer/answer/13628312?sjid=9574226792909682372-NC
2. https://developer.apple.com/programs/enroll/
3. Summary of roles and permissions for Apple developer accounts: https://developer.apple.com/help/account/access/roles/
4. Location of the developer was met with some warranted and some dubious pushback from Android developers as shown on this Reddit thread https://www.reddit.com/r/androiddev/comments/17w3pgz/google_started_displaying_full_legal_name_and/?rdt=50889 . Mandatory disclosure of an individual developer’s location presents some risks. That said, the developer is capable of getting every user’s location information so it seems a reasonable requirement.