In reality, most mobile users don’t read through the permissions, privacy policies and EULAs of the applications they download to their mobile devices. It’s understandable; after all, they’re tedious and we’re trusting. It’s not uncommon, however, for mobile apps to slip clauses into their privacy policies that, if we actually read them, we might not be comfortable with. In fact, the popularity of downloadable mobile apps in recent years has made them a top privacy concern among consumers, especially as people now spend more time in mobile applications than browsing the mobile web. Thus, it’s important to read through mobile app privacy policies and permission requests and to understand why an app is asking for access to particular personal data.
Case 1: Carnegie Mellon Study
In 2013, researchers at Carnegie Mellon University set out, first, to determine how many mobile applications request and use personal data and, second, to see whether ordinary users were surprised by the results. CMU found that of the top 100 Android apps, 56 access and use the device ID, contact list and/or location, and that most users were surprised to learn that apps like Brightest Flashlight, Angry Birds, Shazam and Pandora were accessing and using their personal information.
The study went further: the researchers found that Angry Birds, for example, shared sensitive information with eight parties: four companies that target mobile ads, two mobile ad networks, an app analytics site and an ad optimization and rewards company. Shazam likewise shared user information with companies that serve mobile advertisements. In short, even seemingly harmless mobile applications, like games, collect and sell personal user information.
Case 2: Google Mobile App Privacy Policies
In 2014, Google announced in a short blog post that it would extend single sign-on to its mobile applications on iOS, meaning that if you were signed into Gmail on your iPhone, you would also be signed into Maps, Drive, YouTube, Chrome and so on. Because Google then treats you as a single user across all of its platforms, it becomes easier to track your behavior across devices and operating systems. This is, of course, convenient for users, who might have found it bothersome to constantly re-login to Google services, but it is also not something most users are aware of, and consequently not something they knowingly agree to.
Case 3: Health and Fitness Apps
How To Proceed
Clearly, mobile app privacy policies aren’t always as forthcoming as we like to assume. For this reason, users must read carefully and be wary of which apps they download and grant access to their personal data. With that in mind, here are a few tips from our security team:
- Typically, paid apps are safer than free ones, because free apps more often fund themselves by collecting your data and selling it to advertisers. Nuro Secure Messaging, for example, is a paid application and does not profit from selling personal information. Nuro relies on Google GCM and Apple APN to deliver push notifications, but ensures that sensitive content is never sent to Apple, Google or other third-party servers.
- Read through the privacy policies and permission settings. If something doesn’t sit right with you, don’t grant the app access to your personal information. Remember, there are millions of apps out there; there is probably a similar app that doesn’t require personal information.
- Make sure the app is from a trusted developer or company. A mobile banking app, for example, should be published by the bank itself, not by a third-party developer; check that the developer name on the app store listing matches the bank before you install it.
- Turn off Bluetooth, location services, near field communication, Wi-Fi and cellular data when you’re not using them. Apps sometimes use these radios, and the data they expose, without you knowing it.
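To make the "read the permission settings" tip concrete, here is an added example (not code from the original post or from Nuro) that audits the permissions declared in an Android app manifest and flags the three data categories the CMU study counted: device ID, contact list and location. The manifest is a constructed sample of a flashlight app, and the mapping from permissions to categories and the set of permissions a flashlight "needs" are assumptions made for the example, not facts from the article.

```python
"""Permission audit for an Android app manifest.

Added example, not code from the original post or from Nuro. The manifest
below is constructed for illustration and does not describe any real app.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Assumption: our own mapping from permission to the data categories the
# CMU study counted (device ID, contact list, location); not from the article.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Constructed sample: a "flashlight" app that also asks for device ID and
# location, which its stated function does not need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Assumption for the example: what a flashlight plausibly needs (CAMERA
# drives the LED on older Android releases).
FLASHLIGHT_NEEDS = {"android.permission.CAMERA"}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Every <uses-permission> name, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)]


def sensitive_categories(manifest_xml: str) -> dict[str, list[str]]:
    """Map each sensitive data category to the permissions that expose it."""
    found = {}
    for perm in declared_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category:
            found.setdefault(category, []).append(perm)
    return found


def unexpected_permissions(manifest_xml: str, needed: set[str]) -> list[str]:
    """Permissions declared beyond what the app's stated purpose requires."""
    return [p for p in declared_permissions(manifest_xml) if p not in needed]


def audit(manifest_xml: str, needed: set[str]) -> list[str]:
    """One finding per sensitive category, then one per surplus permission."""
    findings = [f"exposes {cat}: {', '.join(perms)}"
                for cat, perms in sensitive_categories(manifest_xml).items()]
    for perm in unexpected_permissions(manifest_xml, needed):
        findings.append(f"not needed for stated purpose: {perm}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFEST, FLASHLIGHT_NEEDS):
        print(line)
```

To run this against a real app, decode the APK with apktool (`apktool d app.apk`) and pass the decoded AndroidManifest.xml; the same permission list is what the store listing and the device's app settings show you, and on Android 6.0 and later the dangerous permissions (contacts, location, phone) can be denied individually at runtime. The useful question is the one the second function asks: which declared permissions have nothing to do with what the app claims to do.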