Studies: Developers Failing at Mobile App Privacy, Security

• By David Ramel
• September 15, 2014

Two new research studies paint a bleak picture of mobile app privacy and security, putting the blame on developers in both cases.

In one, the Global Privacy Enforcement Network (GPEN) faulted many aspects of mobile app privacy considerations, citing unclear policies on the use of personal information, hard-to-find privacy information, excessive requested permissions and more.

In the other, research firm Gartner Inc. predicted more than 75 percent of mobile apps will fail basic security tests through next year, pointing a finger at enterprise employees who download unsafe apps from app stores or otherwise use apps with little or no security assurances.

The GPEN study examined 1,211 mobile apps for privacy information and found 85 percent didn't clearly explain how they were collecting personal information or how it was being used. Some 59 percent made users struggle to find basic privacy information, while almost one-third seemed to request too many permissions to access such information. Furthermore, the study found, developers failed to tailor communications about privacy to small device screens. The information was presented in tiny typefaces or was difficult to find in lengthy privacy policies that required scrolling or viewing many pages.

The privacy enforcement organization stemmed from a 2007 Organization for Economic Cooperation and Development (OECD) initiative recommending cross-border cooperation in enforcing privacy protection laws. The resulting GPEN comprises organizations from 39 nations, ranging from Albania to the United States. In the this year's privacy "sweep," some 26 privacy enforcement authorities from 19 nations helped examine mobile apps and report findings.

"Apps are becoming central to our lives, so it is important we understand how they work and what they are doing with our information," said Simon Rice of the United Kingdom's Information Commissioners Office (ICO), which issued a news release about the study. "Today's results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.

"The ICO and the other GPEN members will be writing out to those developers where there is clear room for improvement," Rice continued. "We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps."

The ICO last December published such guidance on how to conform to the United Kingdom's Data Protection Act, with tips ranging from how to give users feedback and control of their personal information to how to test and maintain apps.

Not all of the findings from the most recent sweep were negative, however, and some best practices found by sweepers were published last week by the Office of the Privacy Commissioner of Canada, which participated in the study:

• Many popular apps are embracing the potential to build user trust by providing clear, easy-to-read and timely explanations about exactly what information will be collected and how it will be used, pursuant to each permission.
• Sweepers found many positive examples of apps properly tailoring privacy communications to the small screen through pop-ups, layered information and Just-in-Time notifications.
• Some apps didn’t just tell users what they would do with their personal information, but also clearly articulated what they would not do with the information. Some apps even provided links to the privacy policies of their advertising partners. Others gave users the option to "opt out" of the "help us with analytics" feature, which uses software to collect user information to improve the performance of the app.
• Sweepers noted a number of best practices in the area of children's privacy and parental consent. One international partner highlighted, for example, an app that required parents to complete a consent form before their child could register.

On the security side of things, Gartner publicized an upcoming Security and Risk Management Summit in Dubai, UAE, with troubling observations that put the blame on developers who focused too much on app functionality and not enough on security.

"Enterprises that embrace mobile computing and bring your own device (BYOD) strategies are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance," said Gartner's Dionisio Zumerle. "Most enterprises are inexperienced in mobile application security. Even when application security testing is undertaken, it is often done casually by developers who are mostly concerned with the functionality of applications, not their security."

The research firm also faulted app testing, noting that just testing the code and GUI of apps that run on devices isn't sufficient -- the server layer should be included in testing also. Server-side code should be tested with static application security testing (SAST) and dynamic application security testing (DAST) techniques.

"Today, more than 90 percent of enterprises use third-party commercial applications for their mobile BYOD strategies, and this is where current major application security testing efforts should be applied," Zumerle said. "App stores are filled with applications that mostly prove their advertised usefulness. Nevertheless, enterprises and individuals should not use them without paying attention to their security. They should download and use only those applications that have successfully passed security tests conducted by specialized application security testing vendors."

Gartner predicted that in the next few years, the focus of endpoint breaches will switch to devices -- tablets and smartphones -- noting that there's already a 3-to-1 ratio for attacks against devices compared with desktop computers.

Also, the research firm said, some three out of four security breaches through 2017 will result from misconfiguration of mobile apps, as opposed to deeply technical attacks.

"A classic example of misconfiguration is the misuse of personal cloud service through apps residing on smartphones and tablets," Gartner said. "When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the vast majority."

Gartner said it will share information from its security and risk management summits on Twitter using #GartnerSEC.