When was the last time you checked the privacy terms before installing a free or paid app on your mobile device? A mapping app asking for your location might need that information, but if a flashlight app asks for your contacts – you should be concerned.
The problem with data sharing on iOS and Android mobile platforms comes into focus in a new study from Appthority, an online app risk management company. The report analyzes the top 400 free and paid iOS and Android apps for potential security threats.
Speaking with TECHtonics, Appthority’s President and Co-Founder Domingo Guerra says while malware typically comes to mind when considering security issues, data-sharing is a bigger problem for mobile apps.
“They are collecting too much user data, too much data stored on the device, and then sharing that data with third parties like advertising networks, social media sites, analytics frameworks and crash reporting sites as well,” he said.
Years of fighting malware have made PC users more careful with their personal information. This is particularly true for businesses, says Kaspersky Lab‘s principal security researcher Roel Schouwenberg, where security policies typically help prevent malware from being installed on company servers.
The same is not true for mobile apps, says Guerra.
“We forget that these are software and access sensitive information as well, and we just let everything into our phones,” he said. “It’s almost as if we have relationships with our phones and we trust them a 100 percent without knowing who we are trusting there.”
While mobile users are able to choose which apps better protect their personal information and which they should avoid. Guerra cautions that they need to be “a little bit more conscious with what the app is supposed to do and make sure that those intended behaviors match the actual permissions requested.”
Increasing education among users can help protect personal data that is often shared without their consent.
“If there were only a small pool of developers, it would be easier to reach them and work with them and provide training and education,” he said. “But when the landscape is so wide open, it really is something that has to come from us demanding better.”
But shouldn’t that be the responsibility of app developers?
The developer pool
“It’s a blessing and a curse that everybody in the world is now a developer,” says Jules Polonetsky, Executive Director of the Future of Privacy Forum.
The technology for making apps is inexpensive and available. Anyone can create useful apps to help others, though they might not be aware of the privacy implications of their benevolence.
Google and Apple watch over what goes into their app stores. But unaffiliated developers can pay advertisers to promote their apps for download outside the stores or post them on message boards, thereby sharing collected data.
According to Appthority, 88 different developers accounted for the top iOS 100 free apps and 86 different developers for the top paid apps. The Android environment is even more fragmented, with 91 different developers for the top 100 free apps.
There are “rules and guidelines mobile app developers need to adhere to in order to be listed in the respective app depositories,” said Schouwenberg, although he adds that those rules don’t always catch everything that comes through.
And a developer’s reputation is typically a metric that determines if an app will run in enterprise, he said.
“Developers should have a proven track record. But even then incidents can happen,” he said. “We’re seeing more legitimate companies being compromised and in some cases attackers have an opportunity to insert their own malicious code into the codebase. So we must always be vigilant.”
But stiff competition in the app market is leading some developers to communicate “more efficiently why they need certain access and what are they actually going to do with that data they collect,” said Guerra.
Some are providing more information to avoid being sued or fined, in light of recent scrutiny of apps targeting children. Some are pushing the boundaries for more information while others are beginning to understand the risks and the need to be smarter about handling data and using encryption.
“If a developer isn’t careful, and they have a lot of data, the developers themselves could be targets for hackers trying to get that information,” he said.
But the industry needs to do more, says Guerra; and consumers should demand better because “the more we ask for it, the more developers will comply.”
“We have to realize how valuable our information is,” he said. “I mean, a lot of folks keep their whole lives on their phone from pictures and information on their family, where they live, where they work, their work email, their work files, personal files as well, banking … It’s a whole life on one device. And we need to be careful who we invite into that life and who we invite into that device.”
Beware apps bearing gifts
There are no free apps. “Free often means in exchange for your data,” said Polonetsky.
Most free apps come from third parties looking to target users with ads. But that process in changing as Google and Apple provide a setting called Limit Ad Tracking.”
“You need to find it, but it’s there,” he said. “And when you turn that setting on, apps are supposed to make sure that all the ad networks they deal with don’t do any behavioral advertising.”
They can still track you, says Polonetsky, but “they’re not allowed, at risk of being tossed out of the app store, to create profiles of you, track you about the web. And so consumers definitely should take advantage of those settings.”
Beginning in September, Apple will require apps to specify why they need personal data before the user approves them for installation.
Polonetsky wonders if apps are ready to do this and whether they will be deceptive about it, given that Appthority’s report found that some apps continue to access users’ Unique Device Identification (UDID) even though they are not supposed to.
“As of August 1, Android – Google put rules in place that said that apps are not supposed to access that information,” he said. “Apple has had a rule in place for a while.”
Device IDs are accessed for analytics and third-party advertising. But Polonetsky says Apple and Google have “created a separate identifier … that is subject to some control. People can use that to limit their tracking. People can reset it.”
“The platforms said no, this is not acceptable and have told apps that they have to use these new identifiers that are under the users’ control,” he added. “So to the extent that the report documents that there are still companies doing that, they risk being tossed out of the app store.”
Another option came out of a White House effort to hammer out a code of conduct for apps. Privacy groups and a number of developers put together an app “nutrition label” that tells users what they need to know about their apps.
“We’re seeing some companies adopting it, but it’s still been very slow and it could be a good way for people to actually understand what permissions are,” he said.
A few years ago, there were few settings that allowed users to control information-sharing on their mobile device. Now, the mobile landscape is changing aquickly.
“We are starting to give our devices more and more information about both the most intimate parts of our body, what we do in our home,” said Polonetsky. “So, you know, it’s hard to even think of it as mobile or as apps anymore.”
Moving forward, he says people will face ethical decisions when creating apps that require data-sharing.
“We are in for a very challenging number of years,” he said. “And the decisions are really more than just marketing and ads … A lot of these decisions are going to shape how we interact with each other and how we interact with the world. So it’s really imperative that we get it right.”