This flashlight app requires: Your contacts list, identity, access to your camera...
Who us, dodgy? Vast majority of mobile apps fail privacy test
A global survey of more than 1,200 mobile apps has discovered that the vast majority (85 per cent) fail to provide basic privacy information.
The global survey faulted apps for accessing large amounts of personal information without adequately explaining how they were collecting, using and disclosing personal information. Almost one in three apps appeared to request an excessive number of permissions to access additional personal information.
More than half (59 per cent) of the apps left users struggling to find basic privacy information. Many (43 per cent) of the apps either providing information in a too small print, or also hide the information in lengthy privacy policies that required scrolling or clicking through multiple pages.
It wasn't all bad news.
The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information.
The regulators were also impressed by the use of just-in-time notifications on some apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches were lauded because they make it easier for people to understand how their information is being used and when.
Andersen Cheng, chief exec of mobile startup SRD Wireless, said that the survey's findings are unsurprising because apps are increasingly set up to make money from data collection first and offer a service second. Essentially, the industry has assumed that users have no control over their own data: as long as apps are deciding they need access to your life history and full contacts list to work, your personal information can never be safe.
"The issue here is more than just how apps explain how they collect and use data," Cheng commented. "The issue is that many apps not only store a huge amount of data on their users in the first place, but then share that with other applications or use it in ways that simply aren’t secure."
App developers and operators can always fall victim to data breaches and attacks that spill the data of thousands or even millions of individuals, Cheng warned.
“This [risk] is exacerbated by the fact that, since their business models revolve around user data, many apps store far more information than they need. For instance, a simple communication app should only need your user ID and contact number. If it then demands access to your date of birth, contacts list and other information it is increasing the risk that others will gain access to your data, as well as that of your friends and family,” he concluded.
Room for improvement
The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.
ICO group manager for technology, Simon Rice, said: “Apps are becoming central to our lives, so it is important we understand how they work and what they are doing with our information. Today’s results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer."
“The ICO and the other GPEN members will be writing out to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps,” he added.
The ICO has published "Privacy in Mobile Apps" guidance (PDF) to help app UK developers to follow best practice and comply with the UK's Data Protection Act.
The guidance includes advice on informing people how their information will be used. Research carried out last year to support the launch of the guidance’s launch found that 49 per cent of app users have decided not to download an app due to privacy concerns, so developers have a commercial reason to be clearer about their privacy policies. ®
Sponsored: Becoming a Pragmatic Security Leader