Data protection authorities find privacy lapses in majority of mobile apps

One in three applications request excessive permissions, and privacy information is inadequate in 85 percent of them, a study found

Many mobile apps request too many permissions and don't explain how they collect users' personal information, a study of 1,211 popular apps by the Global Privacy Enforcement Network has found.

The majority of the apps reviewed did not adequately explain to users how they were collecting and using information, according to the study, carried out by 26 privacy enforcement authorities in 19 countries. It also found that a third of the tested mobile applications requested excessive permissions that were outside the scope of their functionality.

The issue of overly broad permissions has been brought up by privacy advocates and security experts before. It is often the result of the advertising-based revenue model used by many applications and which involves the bundling of ad frameworks in their code.

To provide targeted and interactive ads, ad libraries typically require access to a larger set of user data and device functionality than the host apps would normally need. Since these frameworks become part of the apps that use them, the access they require is reflected in the permissions requested by those apps.

The problem is further exacerbated by platform-dependent behavior. For example, iOS allows users to revoke an application's access to certain data after installation, but Android has no such mechanism, forcing users to choose between granting apps any permissions they request or not using them at all.

According to the GPEN study results published on the website of the Privacy Commissioner of Canada, reviewers found that almost one in three tested apps provided no privacy information other than permission requests. An additional 24 percent provided some information, but didn't explain how the information is collected, used and disclosed.

In 31 percent of cases the privacy information provided by developers somewhat explained the app's collection practices, but left open questions about certain permissions, the reviewers concluded.

Sixty percent of apps had too little privacy information available prior to their download, and forty percent of them did not have privacy communications tailored for the small screens of phones and tablets.

"Many apps provided a link to a webpage with a tough-to-read privacy policy that wasn't designed to be read on a handheld device," the Office of the Privacy Commissioner of Canada said. "In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was."

The U.K.'s Information Commissioner's Office (ICO), which also participated in the study, published a document with guidance for mobile application developers on how to present privacy information to users and obtain their consent.

In the case of free ad-funded applications "the ad network is a data controller, but as the developer you will likely have a duty to inform your users of what personal data will be collected, how it will be used, by whom, and what control your users can exercise," ICO said in the document.

"Consider just-in-time notifications, where the necessary information is provided to the user just before data processing occurs," the ICO said. "Notifications like this could be particularly useful when collecting more intrusive data such as GPS location, or for prompting users about features of an app that they are using for the first time. You could avoid excessive notification by remembering the user's choice for a certain time period before reminding them again."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Office of the Privacy Commissioner of Canadasecuritymobile securityInformation Commissioner's Officedata protectionprivacyGlobal Privacy Enforcement Network

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?