After years of complaints about over-permissioned apps that collect, use and share private user information, Apple will be making developer privacy policies more transparent for consumers.
Starting Dec. 8, iOS and macOS developers will be required to provide detailed information about how their apps collect information, which data they collect and what it will be used for, according to an Apple post on its developer support page. They’ll also have to report whether their apps track users, which permissions they request, and if the data is anonymized or linked to the user.
And, developers will have to reveal how it shares data with any “third-party partners,” which include analytics tools, advertising networks, third-party SDKs or other external vendors whose code they’ve added to an app.
If the data isn’t provided, the app won’t be allowed into the official iOS App Store or Mac App Store, Apple said.
The detailed information will be turned into “privacy labels” for apps so that users can easily see how their data is being handled. The labels will show up on apps’ pages in the App Stores, so that users will see it at the moment of download instead of having to parse through lengthy privacy policies.
Developers can submit the information via the App Store Connect website, according to Apple. Once submitted, it’s up to them to keep the information up-to-date and to make sure it reflects any changes in the app – a potential loophole, according to some researchers.
“Apple’s requirement to force developers to reveal what apps are doing with user data is a good step for privacy, but the fact that this is developer-provided means there are too many loopholes,” according to Duo Security, in a Tuesday posting. “It is up to the developer to make sure the labels are up-to-date and reflect the latest information whenever changes are made or functionality added. There doesn’t seem to be a mechanism for Apple to verify developers are telling the whole truth about their data partnerships, so users are left hoping that maybe they know enough from the labels to make an informed choice.”
Emma Bickerstaffe, senior research analyst at the Information Security Forum, agreed. She told Threatpost, “This is an important step on Apple’s behalf towards making both the consumer and developer aware of privacy rights and obligations. At first glance, it is a welcome development, however, there are questions around how this self-assessment model will be implemented, and whether the consumer will have the inclination to read it when installing an app. Just as consumers now automatically accept cookies and agree to privacy policies, they may also ignore privacy labels in their rush to download an app.”
Joseph Carson, chief security scientist and advisory CISO at Thycotic, had a different take.
“Apple continues to lead the way in digital privacy and transparency,” he told Threatpost. “This is an important move by Apple to provide more visibility and transparency to what apps are doing on iOS devices, allowing the user to decide what is OK and what is not OK. For too long, developers have gotten away with hiding mass data collections of users’ personal data and Apple is now making it visible. I believe it will be great if we can simplify it with a grading system, along with clear risk labels, as you would get on typical consumer products that are bad for your health.
In any event, Apple continues to tackle privacy problems. For instance, this summer it added a new banner alert to iOS 14 that lets users know if a mobile app is pasting from the clipboard and thus able to read to a user’s cut-and-paste data.
The banner revealed that TikTok was still snooping on iPhone users’ clipboards, despite the company saying months earlier that it was stopping the practice.
“iOS 14 puts additional focus on user privacy, and in particular gives users better visibility into their personal information that is shared with third parties,” Chris Hazelton, director of security solutions at Lookout, told Threatpost. “Previously, iOS users only had the choice between sharing all their information when using apps, or declining to share and not having access to apps.”
He added that the privacy changes in iOS 14 are part of an unstoppable trend to increase the protection of user privacy.
“macOS 10.15 Catalina kicked everyone out of the kernel, a privilege that endpoint security providers had since the beginning of desktop operating systems,” he explained. “With this move security vendors are now also limited in accessing user and system information, and must operate like any other app. Fighting this trend is like fight the ocean tides; you can’t. You have to adapt to the trend and innovate or die. Mobile security providers innovated when they couldn’t have kernel access and I am sure advertisers will find a way to innovate as well.”
App Privacy Concerns
Apps can be notorious for lifting or misusing user data. For instance, ProPrivacy found in 2019 that dating apps including Match and Tinder collect everything from chat content to financial data on their users — and then they share it. Their privacy policies also reserve the right to specifically share personal information with advertisers and other commercial business partners.
Soon after that, Grindr, Romeo, Recon and 3fun – four dating apps that together can claim 10 million users – were found to pinpoint, track and expose users’ exact locations.
More recently, IBM, the owner of the Weather Channel mobile app, reached a settlement with the Los Angeles city attorney’s office after a 2019 lawsuit alleged that the app was deceiving its users in how it was using their geolocation data.
The suit claimed that the app’s permission prompt for users to share their geolocation data did not make them aware that it was also selling that data to third-party companies. Instead, users were led to believe that the collected location data would be for the sole purpose of personalized forecasts and alerts, according to the lawsuit.
Facebook meanwhile in July said that it had discovered that 5,000 developers received data from app users — long after their access to that data should have expired in the wake of the Cambridge Analytica privacy incident.
Also in July, leading commercial drone maker DJI faced researcher allegations that its Android mobile application collects sensitive data from users without consent.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.