Google 'flaw' puts users' details on display (news.com.au)
28 points by nreece on Feb 13, 2013 | 30 comments


Depends on your definition of flaw. This has been discussed before: https://plus.google.com/106557483623231970995/posts/Bed6WUJp...

Basically, it is due to how Play Store is set up. Developers are the merchant of record, not Google (unlike Apple's app store, where Apple is the merchant of record). The developer may not "want" this information, but for tax purposes they need it.


    These personal details could then be used to access the users' bank 
    details. That's also more than enough information to be able to access 
    your other devices which could also be mined for more data - insurance 
    information, other credit cards -  which could then be used to access 
    your banking credentials.
Do developers have access to users' bank details? How would anyone access 'other devices' with just a name, address and email? This seems a little far-fetched.


Social engineering, name, address and email is enough to own anyone. For most things, maybe not on their own, but having these three keys it's pretty easy to track down ph number, dob, and a number of other details.

The only reason this poses a security "threat" is because utility companies, banks, and other institutions use these "personal" bits of information like a password. And from what I hear, in the US your SSNs are used like this rather often as well.

I once had a long discussion with some call center manager about how using my DOB as a password to being able to cancel my account was hideously crappy and insecure, needless to say "it's company policy" and there wasn't anything I could do to avoid it. (Yes I'm one of those people, but I really had nothing better to do and trolling some random call center staff is one of my favorite pastimes)

I probably should have put this nearer the top but oh well, to conclude, it's not really a big deal, and hardly any different to any other commerce where you hand over this information along with your credit card. The only reason people are up in arms about it is because it's too easy to get snagged by some identity thief uploading a seemingly legit application. In reality, there are easier ways to own someone in a targeted attack.

Simple solution: don't use your main Google account for the Play Store, you can have multiple Google accounts applied to Android and pick and choose which to use for the Play Store and which to use for Gmail etc.


Worst-case scenario that I can think of is that they use the same password for their email as they used for the in-app auth in the App they bought.

Next step would be for the app creator to log in, see what they can use to create requests for other personal credentials. Facebook password reminder, they get in, then they have the user's DoB and family information (for those stupid companies still using "what's your mother's maiden name" password reminder questions).

You could probably do a fair chunk of damage, but that's all based off the fact that the user would have to be silly enough to still use the same password over multiple services. Yes I know... we've been telling them for far too long, but people still don't listen. They think that if their bank password and their email password are different then they are safe.


If the user is already setting a password in the app, couldn't the app just ask for the user's email address? It doesn't seem like having the email address for free really buys a malicious developer that much.


The argument there would be that the user "provided" the app owner with their email address, where at this point Google is just giving it to them. Don't get me wrong, I'm on the "I don't care" side.

I was in a store one day when the clerk asked the customer for their postcode, the customer went nuts saying that he shouldn't have to tell them. Three minutes of arguing could have been shortened to "INSERT FAKE NUMBER" if he was really that against giving his real post code.


Google Play is the one sole reason I have a Google account (connected to my Android phone or in general.) I guess I need to start pirating all my apps now, but at least I can delete the account!


Better avoid making any online purchases whatsoever, or credit card purchases altogether. Every merchant gets this information.


Merchants (such as Safeway) don't get this information if you use a credit card to make a purchase. The network (Visa, MC, Amex etc) authenticates the transaction and the issuing bank releases the funds. But the merchant doesn't even get the ZIP code of the customer. If you make online purchases, most merchants do ask you to create an account (except those 'enlightened' ones that allow you guest sign-up), in which case they get all your information. There too you can use PayPal/Gwallet, if it is offered, but PayPal/Gwallet may or may not share the information with the merchant. That is kind of a grey area. PayPal clearly doesn't for merchants on eBay but in cases like Home Depot, I am not so sure.


The problem is that he is comfortable with Google receiving his information (name, address, email) but not third party developers selling through Google.

Developers on Google Play should not be merchants. Google should be more than a payment processor — especially if they are going to take 30% just like Apple does.

Apple handles this a hell of a lot better: as a developer you don't see anything about your customers (except how many there are per country) and you don't have to compute and collect sales tax yourself for every region you sell in, nor do you have to manually handle returns.

I hear the Amazon App Store does this a lot better than Google Play.


While I agree that Google's cut should be thinner, it works out way better as a buyer when you can ask a developer directly for a refund or about payment issues rather than deal with a huge company with automated customer service that doesn't work.


It's fairly straightforward to get a refund from Apple for an App Store app — we see about 2-3 refunds a week processed for our main app ($9.99).

The thing is, as developers, we don't have to deal with it. The customer is unhappy and gets their refund, Apple does it, not us. We simply see that a refund happened and move on.

It's a far better system for all involved: consistent refund policy for the customer, developer doesn't have to deal with it.


I do make those purchases sparingly and when I do so I consent to giving the merchant that information. Never have I consented to giving my information to developers.


You mean you didn't read the Google Wallet terms of service? What kind of monster are you?


As a developer I certainly wouldn't feel comfortable receiving this kind of information. There is a difference between selling for instance a $100 product and selling the equivalent of a cheeseburger. In the latter case I wouldn't expect to receive so much detailed information for such an insignificant and common purchase.


But if you were to buy a cheeseburger with a credit card, the person selling the cheeseburger would get this exact same information. I don't know if the price should really be a factor here.


As msy replied there is for sure some information the seller wouldn't have from a credit card. But more generally this is a good question, I don't know how much information the merchant obtains from VISA when I purchase something online. I would expect none, just that the transaction is authorized or denied.


Banks and networks (Visa etc) don't share the customer information with the merchant. There was a class action lawsuit against merchants asking for the ZIP code: http://articles.latimes.com/2011/feb/16/business/la-fi-0216-...

Here Google is acting like a network and the developer is the merchant. There is absolutely no requirement (from a legal perspective) to pass on the customers' information to the merchant. Visa and the issuer bank don't share any personal details of the customer with the merchant, which is what Google and PayPal (and probably Square) are promising the merchants, if they use their payment system.


Thank you for the info, it's helpful.


Buying a cheeseburger with a credit card does not give out your suburb or email address.


Buying gas does. At least at the pumps that require you to enter your ZIP code.


Why do they do that?


My thoughts on this: http://codebutler.com/2013/02/13/play-store-privacy/

Although there is a legitimate reason for sharing this information (sales taxes), it is not clearly explained to users or developers and goes against reasonable expectations.


Does this apply to free app downloads?


No.


The main problem here is it isn't communicated effectively to users.


I hate sounding like a broken record, and this isn't really aimed at anyone in particular (just a few comments have irked me), but if you haven't seen this talk from like a decade ago, please watch it before you post on things concerned with privacy.

http://www.youtube.com/playlist?list=PL8C71542205AA51E5

"Privacy is dead, get over it - Steve Rambam"


Like PayPal?


No it's not a "flaw":

http://marketingland.com/why-im-glad-google-play-gives-devel...

http://marketingland.com/google-play-gives-email-addresses-p...

It's ridiculous how some outlets just run with this sort of crap without question.


Because these two blog posts are happy about the setup of the Play store, it is not a flaw anymore (with or without quotation marks)? It surprised the app developer in the OP and it surprised me. It may be very, very old news, but I read the internets quite a bit and still didn't know this.



