An innocuous-looking torch app for Android that has been downloaded more than 50m times silently shared users' locations and device IDs with advertisers, the company has admitted.

In a settlement with the US Federal Trade Commission (FTC), the maker of Brightest Flashlight Free admitted that the app's privacy policy "deceptively failed to disclose" that it was passing on location and device ID data to networks of advertisers.

The privacy policy said that "any" information collected by the app would be used by the company. But it didn't say that the information would also be sent to third parties.

Since its release in February 2011, the app has been downloaded between 50m and 100m times, according to data on the Google Play app store.

"When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it," said Jessica Rich, director of the FTC's consumer protection bureau. "But this flashlight left them in the dark about how their information was going to be used."

False choice

The FTC also said that the app gave users a false choice: "At the bottom of the license agreement, consumers could click to 'Accept' or 'Refuse' the terms of the agreement. Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties – including location and the unique device identifier."

That meant that advertisers could in effect have tracked users through their device ID and location to see what adverts they were clicking on - and even identified people through related information.

Analysts warned that the revelation could harm Google's reputation - and that other apps on the Android market are suspected of doing the same.

"Bad security/privacy hurts Google's attempts to build trust and willingness to pay [for apps]," commented the research company Canalys.

Fake warning

In October, three security researchers from Bitdefender examined 630,000 apps in the Google Play store and said that more than 23,000 of them grabbed the user's email address. They also highlighted Brightest Flashlight Free for displaying a fake antivirus warning which suggested that the user's phone harboured malware.

Graham Cluley, an independent security expert, commented: "The question remains, of course, how many *other* free Android apps are doing similarly sneaky tricks, exposing the privacy of their users?"

Under the settlement, the app will in future have to tell users how, where and when their data is about to be shared, and get their express permission to do so.

The case is the first where the FTC has zeroed in on unwanted sharing of geolocation data as part of its requirement to protect US consumer privacy.

Before they are installed, Android apps tell users what information they will collect - but do not give any explanation of how the information will be used, what it will be used for, or why it is necessary to collect it. There is also no standard way to veto the collection of data or access to a machine function by an app.

The Play Store app, which has generally received good reviews - an average of 4.8 out of 5 - turns on all the lights on the device to create a torch. It also says that it offers "unobtrusive ads".

The developer, GoldenShores Technologies, also offers another app for choosing colours, which is also ad-supported. It has had far fewer downloads, totalling around 50,000. The FTC didn't say whether it is investigating that app.

Erik Geidl, who runs GoldenShores Technologies, has been ordered to delete any personal information that the app has collected. He is also required to tell the FTC if he changes his employment over the next ten years.