Sneaky Mobile App Privacy Policies: Is Your Data Safe?

In reality, most mobile clients don’t read through the permissions and privacy policies and EULA of the applications they download to their mobile devices. It’s understandable; after all, they’re tedious and we’re trusting. It’s not uncommon, however, for mobile apps to sneak clauses into their privacy policies that, if we actually read them, we might not be alright with. In fact, the popularity of downloadable mobile apps in recent years is becoming a top privacy issue among consumers — especially as people are increasingly spending more time using mobile applications than they are browsing the mobile web. Thus, it’s important to read through the mobile app privacy policies and understand why they’re requesting to access certain personal data.

Case 1: Carnegie Mellon Study

In 2013, researchers at Carnegie Mellon University set out first, to determine how many mobile applications request and use personal data and second, to see if ordinary users were surprised by the results or not. In their research, CMU discovered that from the top 100 mobile apps on Android, 56 access and use the device ID, contact list, and/or location; and the majority of users were surprised to learn that apps like Brightest Flashlight, Angry Birds, Shazam, and Pandora were accessing and using their personal information.

The study went even further — the researchers learned that Angry Birds, for example, shared sensitive information with eight parties: four companies that target mobile ads, two mobile ad networks, an app analytics site and an ad optimization and rewards company. Also, Shazam shared user information with companies that serve mobile advertisements. In short, even mobile applications that are seemingly harmless, like games, collect and sell personal user information.

Case 2: Google Mobile App Privacy Policies

In 2012, Google announced it would combine the privacy policies of sixty of its services (from Gmail to Google Docs) into one single privacy policy. This way, even if you are using multiple Google services, Google is able to view you as a single user across all web applications. It was, of course, met with outrage from privacy campaigners, regulators, and authorities; France, Spain, and Germany slapped harsh fines on Google.

In 2014, Google announced in a short blog post that it would do the same but with mobile applications on iOS — meaning, if on your iPhone, you were signed into Gmail, you’d also be signed into Maps, Drive, YouTube, Chrome, etc. In doing so, Google is treating you as a single user across all their platforms, it’s easier to track your behavior across devices and operating systems. This, of course, is beneficial for users, who might have found it bothersome to constantly re-login to Google services, but also not something most users are aware of, and consequently agree to.

Case 3: Health and Fitness Apps

It’s common for smartphone users to download and use health and fitness mobile apps, from food diary apps to pedometers. However, in a report by the Privacy Rights Clearinghouse in 2013, it was discovered that most of the popular wellness apps collected names, email addresses, ages, gender, height, weight, lifestyle habits, and prescription records. In addition, the Privacy Rights Clearinghouse found that just 43% of the free apps they reviewed provided a link to a website privacy policy — and only half of those apps had policies that were actually accurate. In summary, the PRC found that many apps send data in plain text, unencrypted, without user knowledge; many apps connect to third-party sites without user knowledge; and 72% of the apps they reviewed presented a medium-to-high personal privacy risk.

How To Proceed

Clearly, mobile app privacy policies aren’t always as forthcoming as we like to assume. It’s for this reason that users must read carefully and be weary of which apps they download and grant personal access to. That said, here are a few tips from our security team:

  1. Typically, paid apps are safer than free ones. This is because free apps collect and sell your data to advertisers. Nuro Secure Messaging, for example, is a paid application does not profit from selling personal information. In fact, Nuro, which relies on Google GCM and Apple APN to push notifications, ensures that sensitive content is never sent to Apple, Google, or other third-party servers.
  2. Read through the privacy policies and permission settings. If something doesn’t sit right with you, don’t grant the app access to your personal information. Remember, there are millions of apps out there — there are probably similar apps that don’t require personal information.
  3. Make sure the app is from a trusted developer or company. In a mobile banking app, for example, the app should be developed by the bank itself — not some other seller or developer.
  4. Turn off certain settings (bluetooth, location services, near field communications, WiFi, cellular data) when you’re not using them. Sometimes, apps use this data without you even knowing it.