Research shows that the same app can pose a greater security and privacy risk depending on the country you download it from

Google and Apple have removed hundreds of apps from their app stores at the demand of governments around the world, creating regional disparities in access to mobile apps at a time when many economies are becoming increasingly dependent on them.

In recent years, at the request of the Indian government, the mobile giants have removed more than 200 Chinese apps, including widely downloaded ones such as TikTok. Likewise, the companies removed LinkedIn, an essential professional networking app, from Russian app stores at the request of the Russian government.

However, access to apps is only one problem. Developers also regionalize apps, which means they create different versions for different countries. This raises the question of whether these apps differ in security and privacy from region to region.

In an ideal world, access to apps and app security and privacy features would be consistent everywhere. Popular mobile applications should be available without increasing the risk that users will be spied on or tracked depending on the country they are in, especially as not every country has strong data protection laws.

My colleagues and I recently studied the availability and privacy policies of thousands of globally popular apps on Google Play, the app store for Android devices, in 26 countries. We found differences in app availability, security, and privacy.

While our research confirms reports of removals due to government demands, we also found many differences introduced by app developers. We found apps whose settings and disclosures expose users to greater or lesser security and privacy risks depending on the country in which they are downloaded.

Geo-blocked applications

The countries and one special administrative region in our study vary in location, population, and gross domestic product. These include the US, Germany, Hungary, Ukraine, Russia, South Korea, Turkey, Hong Kong and India. We also included countries such as Iran, Zimbabwe and Tunisia where it was difficult to collect data. We studied 5,684 globally popular apps, each with over a million installations, across 22 of the most popular app categories, including Books & Resources, Education, Medicine, and News & Magazines.

Our research found large amounts of geo-blocking, with 3,672 of the 5,684 globally popular apps blocked in at least one of our 26 countries. Blocking by developers was significantly higher than removal at government request in all of our countries and app categories. We found Iran and Tunisia to have the highest blocking rates, with apps like Microsoft Office, Adobe Reader, Flipboard, and Google Books not available for download.

Trying to download the LinkedIn app from the Google Play app store is a whole different experience in the US, Iran, and Russia, top to bottom.
Kumar et al., CC BY-ND

We found regional overlap in the apps that are geo-blocked. In the European countries covered by our study – Germany, Hungary, Ireland and the United Kingdom – 479 of the same apps were geo-blocked. Eight of them, including Blued and USA Today News, were blocked only in the European Union, possibly due to the region's General Data Protection Regulation. Turkey, Ukraine, and Russia also show similar blocking patterns, with high blocking of VPN apps in Turkey and Russia, which is in line with the recent increase in surveillance regulations.

Of the 61 removals by Google in individual countries, 36 were only for South Korea, including 17 gambling apps and games removed in line with the national online gambling ban. Although the removal of Chinese apps by the Indian government took place with full public disclosure, surprisingly most of the removals we saw took place without much public awareness or debate.

Differences in security and privacy

The apps we downloaded from Google Play also showed security and privacy differences by country. One hundred and twenty-seven apps differed in what they were allowed to access on users' mobile phones, 49 of which had additional permissions deemed “unsafe” by Google. Apps in Bahrain, Tunisia, and Canada requested the most dangerous additional permissions.

Three VPN apps allow cleartext communication in certain countries, which allows unauthorized access to user communications. One hundred and eighteen apps differed in the number of in-app ad trackers in some countries, including in the Games, Entertainment, and Social categories, with Iran and Ukraine recording the largest increases in ad trackers compared to the baseline for all countries.
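The kind of per-country comparison described above can be sketched as follows. This is an added example, not the study's own tooling: the manifests are constructed samples, the package name, country labels and helper names are hypothetical, and only a subset of Android's dangerous-level permissions is listed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Subset of permissions Android assigns the "dangerous" protection level.
DANGEROUS = {"ACCESS_FINE_LOCATION", "READ_CONTACTS", "RECORD_AUDIO",
             "CAMERA", "READ_SMS", "READ_PHONE_STATE"}

def manifest(perms, cleartext):
    """Build a constructed, already-decoded AndroidManifest.xml string."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.vpn">{uses}'
            f'<application android:usesCleartextTraffic="{cleartext}"/></manifest>')

def profile(xml_text):
    """Return (set of permission short names, explicit cleartext flag)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name", "").rsplit(".", 1)[-1]
             for e in root.iter("uses-permission")}
    app = root.find("application")
    # Only the explicit manifest attribute is checked; targetSdk defaults and
    # a network security config file are out of scope for this sketch.
    clear = app is not None and app.get(ANDROID + "usesCleartextTraffic") == "true"
    return perms, clear

def compare(variants, baseline):
    """Report what each country variant adds relative to the baseline variant."""
    base_perms, base_clear = profile(variants[baseline])
    report = {}
    for country, xml_text in variants.items():
        if country == baseline:
            continue
        perms, clear = profile(xml_text)
        extra = perms - base_perms
        report[country] = {
            "extra_permissions": sorted(extra),
            "extra_dangerous": sorted(extra & DANGEROUS),
            "cleartext_added": clear and not base_clear,
        }
    return report

# Constructed sample variants of one hypothetical app.
VARIANTS = {
    "baseline": manifest(["INTERNET"], "false"),
    "country_A": manifest(["INTERNET", "READ_CONTACTS", "VIBRATE"], "false"),
    "country_B": manifest(["INTERNET"], "true"),
}

if __name__ == "__main__":
    print(compare(VARIANTS, "baseline"))
```
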

One hundred and three apps differ from country to country in their privacy policies. Users in countries not covered by data protection laws, such as the EU's GDPR and the California Consumer Privacy Act in the US, are at greater privacy risk. For example, 71 apps available on Google Play have GDPR compliance clauses only in the EU and CCPA clauses only in the US. Twenty-eight apps that use unsafe permissions make no mention of them, even though Google's policy requires them to do so.

The role of app stores

App stores allow developers to target apps to users based on many different factors, including their country and specific device features. While Google has taken some steps towards transparency in its app store, our research shows that there are shortcomings in Google's auditing of its app ecosystem, some of which may compromise user security and privacy.

Also, potentially as a result of app store policies in some countries, app stores that specialize in specific regions of the world are becoming increasingly popular. However, these app stores may not have appropriate vetting policies, which allows altered versions of an app to reach users. For example, a national government may pressure a developer to release a version of the app that provides backdoor access. Users have no easy way to distinguish an altered app from an unaltered one.

Our study makes some recommendations for app store owners to address the issues we discovered:

  • Better moderate country targeting features
  • Provide detailed transparency reports on app removal
  • Vet apps for differences by country or region
  • Push for transparency from developers about why they need the differences
  • Host the app’s privacy policy itself to ensure availability when policies are blocked in certain countries
