Data protection authorities find privacy lapses in majority of mobile apps

One in three applications request excessive permissions, and privacy information is inadequate in 85 percent of them, a study found

Many mobile apps request too many permissions and don't explain how they collect users' personal information, a study of 1,211 popular apps by the Global Privacy Enforcement Network has found.

The majority of the apps reviewed did not adequately explain to users how they were collecting and using information, according to the study, carried out by 26 privacy enforcement authorities in 19 countries. It also found that a third of the tested mobile applications requested excessive permissions that were outside the scope of their functionality.

The issue of overly broad permissions has been brought up by privacy advocates and security experts before. It is often the result of the advertising-based revenue model used by many applications and which involves the bundling of ad frameworks in their code.

To provide targeted and interactive ads, ad libraries typically require access to a larger set of user data and device functionality than the host apps would normally need. Since these frameworks become part of the apps that use them, the access they require is reflected in the permissions requested by those apps.

The problem is further exacerbated by platform-dependent behavior. For example, iOS allows users to revoke an application's access to certain data after installation, but Android has no such mechanism, forcing users to choose between granting apps any permissions they request or not using them at all.

According to the GPEN study results published on the website of the Privacy Commissioner of Canada, reviewers found that almost one in three tested apps provided no privacy information other than permission requests. An additional 24 percent provided some information, but didn't explain how the information is collected, used and disclosed.

In 31 percent of cases the privacy information provided by developers somewhat explained the app's collection practices, but left open questions about certain permissions, the reviewers concluded.

Sixty percent of apps had too little privacy information available prior to their download, and forty percent of them did not have privacy communications tailored for the small screens of phones and tablets.

"Many apps provided a link to a webpage with a tough-to-read privacy policy that wasn't designed to be read on a handheld device," the Office of the Privacy Commissioner of Canada said. "In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was."

The U.K.'s Information Commissioner's Office (ICO), which also participated in the study, published a document with guidance for mobile application developers on how to present privacy information to users and obtain their consent.

In the case of free ad-funded applications "the ad network is a data controller, but as the developer you will likely have a duty to inform your users of what personal data will be collected, how it will be used, by whom, and what control your users can exercise," ICO said in the document.

"Consider just-in-time notifications, where the necessary information is provided to the user just before data processing occurs," the ICO said. "Notifications like this could be particularly useful when collecting more intrusive data such as GPS location, or for prompting users about features of an app that they are using for the first time. You could avoid excessive notification by remembering the user's choice for a certain time period before reminding them again."

Join the CSO newsletter!

Error: Please check your email address.

Tags Office of the Privacy Commissioner of Canadasecuritymobile securityInformation Commissioner's Officedata protectionprivacyGlobal Privacy Enforcement Network

More about ICO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place