Menu
Data protection authorities find privacy lapses in majority of mobile apps

Data protection authorities find privacy lapses in majority of mobile apps

One in three applications request excessive permissions, and privacy information is inadequate in 85 percent of them, a study found

Many mobile apps request too many permissions and don't explain how they collect users' personal information, a study of 1,211 popular apps by the Global Privacy Enforcement Network has found.

The majority of the apps reviewed did not adequately explain to users how they were collecting and using information, according to the study, carried out by 26 privacy enforcement authorities in 19 countries. It also found that a third of the tested mobile applications requested excessive permissions that were outside the scope of their functionality.

The issue of overly broad permissions has been brought up by privacy advocates and security experts before. It is often the result of the advertising-based revenue model used by many applications and which involves the bundling of ad frameworks in their code.

To provide targeted and interactive ads, ad libraries typically require access to a larger set of user data and device functionality than the host apps would normally need. Since these frameworks become part of the apps that use them, the access they require is reflected in the permissions requested by those apps.

The problem is further exacerbated by platform-dependent behavior. For example, iOS allows users to revoke an application's access to certain data after installation, but Android has no such mechanism, forcing users to choose between granting apps any permissions they request or not using them at all.

According to the GPEN study results published on the website of the Privacy Commissioner of Canada, reviewers found that almost one in three tested apps provided no privacy information other than permission requests. An additional 24 percent provided some information, but didn't explain how the information is collected, used and disclosed.

In 31 percent of cases the privacy information provided by developers somewhat explained the app's collection practices, but left open questions about certain permissions, the reviewers concluded.

Sixty percent of apps had too little privacy information available prior to their download, and forty percent of them did not have privacy communications tailored for the small screens of phones and tablets.

"Many apps provided a link to a webpage with a tough-to-read privacy policy that wasn't designed to be read on a handheld device," the Office of the Privacy Commissioner of Canada said. "In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was."

The U.K.'s Information Commissioner's Office (ICO), which also participated in the study, published a document with guidance for mobile application developers on how to present privacy information to users and obtain their consent.

In the case of free ad-funded applications "the ad network is a data controller, but as the developer you will likely have a duty to inform your users of what personal data will be collected, how it will be used, by whom, and what control your users can exercise," ICO said in the document.

"Consider just-in-time notifications, where the necessary information is provided to the user just before data processing occurs," the ICO said. "Notifications like this could be particularly useful when collecting more intrusive data such as GPS location, or for prompting users about features of an app that they are using for the first time. You could avoid excessive notification by remembering the user's choice for a certain time period before reminding them again."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Office of the Privacy Commissioner of Canadasecuritymobile securityInformation Commissioner's Officedata protectionprivacyGlobal Privacy Enforcement Network

Featured

Slideshows

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Examining the changing job scene in the Kiwi channel

Examining the changing job scene in the Kiwi channel

Typically, the New Year brings new opportunities for personnel within the Kiwi channel. 2017 started no differently, with a host of appointments, departures and reshuffles across vendor, distributor and reseller businesses. As a result, the job scene across New Zealand has changed - here’s a run down of who is working where in the year ahead…

Examining the changing job scene in the Kiwi channel
​What are the top 10 tech trends for New Zealand in 2017?

​What are the top 10 tech trends for New Zealand in 2017?

Digital Transformation (DX) has been a critical topic for business over the last few years and IDC is now predicting a step change as DX reaches macroeconomic levels. By 2020 a DX economy will emerge and it will become the core of what New Zealand industries focus on. From the board level through to the C-Suite, Kiwi organisations must be prepared to think and act digital when the DX economy emerges in 2017.

​What are the top 10 tech trends for New Zealand in 2017?
Show Comments