Aiming to shore up user security, BlackBerry this week released a new set of privacy guidelines it’s encouraging third-party app developers to follow to better protect their customers.
The guidelines apply to customers’ personally identifiable information (PII) – the bits of information that apps collect from their users: names, email addresses, telephone numbers and the like – and how they’re used, stored and accessed.
The guidelines initially surfaced in an article last Friday on the company’s Developer Support forums but were revised Tuesday.
Addressing data collection, BlackBerry is stressing that apps should only collect user information when it’s reasonable to do so, and that developers should make it clear to users what they are doing with that information via an easy-to-find privacy policy.
If the apps use third-party code, like an ad service for example, BlackBerry wants app developers to understand how it works and how it may directly affect user information. While BlackBerry is assuming developers will follow any privacy/data protection legislation, it is still stressing that they stay accountable for their users’ information and familiarize themselves with the law wherever the app is being downloaded and used.
If a user’s data is sent to an external server, BlackBerry encourages that it be encrypted on and off the phone and everywhere in between. If it must be transferred, BlackBerry is encouraging the app to use Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
The guidelines aren’t mandatory; the company still has its RIME Store Vendor Agreement and its BlackBerry World Vendor Guidelines for that. Instead, the new list is expected to be viewed as recommended best practices.
BlackBerry notes that app developers will bear final responsibility but acknowledges that complying with the principles will ensure the vendors’ apps will remain listed in the company’s recently re-launched online app store, BlackBerry World.
To compete with Google’s Play marketplace and Apple’s app store, BlackBerry rebranded its app store last week to include music and video offerings. The company even ditched the name it’s used since 1985, Research in Motion (RIM), to fully embrace the BlackBerry brand.
With these guidelines, however, the company is essentially telling its developers to do their due diligence to ensure they can find a balance between being transparent and adequately securing their users’ information.
To clarify exactly what user information (or PII) includes, BlackBerry gives a pretty extensive rundown, noting the data can include everything from a user’s passwords to geolocation data to phone call logs to calendar reminders.
While some of these suggestions may sound a bit obvious, especially for a company operating in the mobile security sphere, in BlackBerry’s defense, it’s not the first time the group has tried to lock down a uniform list of principles.
This week’s guidelines build off a blog post written last summer by Adrian Stone, BlackBerry’s Head of Security Response team. In that post, on the company’s Business Blog, Stone pointed out that users would see new privacy notices pop up from time to time warning them about any third-party applications that don’t properly address how the app accesses and uses the data.
While the group tasked with scouring BB code and keeping its products secure, BlackBerry’s Security Incident Response Team, still issues these alerts, it’s clear the company is looking to hold third-party developers to a higher standard and curb the number of alerts it sends going forward.