It’s no secret that mobile applications are a greedy bunch, often grasping for many more permissions than necessary.
The UK’s Information Commissioner’s Office (ICO) this week released the results of a study conducted by the Global Privacy Enforcement Network (GPEN) that quantified just how bad the problem is and spanked mobile app developers in the process.
The results are a compendium of research conducted by privacy entities in 19 countries. More than 1,200 popular applications were assessed, including most of the top 50 downloaded apps. And the conclusion was pretty conclusive: Most apps (85 percent) do not explain in clear language to users what information is collected, how it’s collected, nor how it’s used and disclosed. More than one-third, meanwhile, ask for excessive permissions such as access to the phone’s location data, device ID, camera, microphone, contacts and more.
Even less transparent to users, the results revealed, is the availability of a privacy policy.
“Mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate with app users,” the report said, adding that 43 percent of apps failed to make a policy small-screen friendly. “Consumers’ expectations of convenience can make it undesirable to present a user with a large privacy policy, or a large number of prompts, or both.”
And that goes for apps that bothered to present a privacy policy if so desired; 11 percent of the apps studied did not.
For those who did, the ICO provided guidance for app developers, suggesting they use plain English to describe to users what happens to their personal information and why it’s being requested. It also suggests audience-appropriate language, and the presentation of relevant privacy information before the app is downloaded and installed.
Excessive permissions, meanwhile, have been a thorn in the side of mobile security for some time. The U.S. Federal Trade Commission in May came down hard on more than a dozen health and fitness apps that were sending users’ personal information to 76 different third-party sites. Not only were the apps relaying device data, but also physical metrics and characteristics that the user was unaware of.
Rogue and malicious Android applications also are sneaky about tricking users into agreeing to excessive permissions upon installations. The consequences in those cases, however, can lead to financial fraud or unwitting participation in a botnet.
Often, users are given an all-or-nothing choice during installation about the permission and access they grant to applications; the ICO hopes developers provider users with more granular choices.
“Allow your users to easily review and change their decisions once the app is installed and in use,” the report suggests. “Give them a single and obvious place to go to configure the various settings within the app and give them privacy-friendly defaults. It should be as quick to disable a setting as it was to enable it.”
