Mobile app users have become more savvy about protecting sensitive personal information and considering the level of access permissions to grant apps. At the same time, lawmakers have instituted regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) that clamp down on data usage and sharing practices worldwide. As a result, mobile app developers must adapt and do whatever they can to protect user privacy and safeguard personal information.
Developers can get ahead of regulatory action and improve the overall user experience by looking for ways to implement mobile app privacy features directly into their mobile apps. Here are six mobile app privacy features to consider including in future DevSecOps sprints.
Transparent Privacy Labels
Making users aware of what data you’re collecting and why is crucial because that provides context of why that information might be important to the way the app runs. Privacy-aware users have questioned app use of their data because developers have traditionally been opaque about what they’re collecting and where the app broadcasts or shares data.
Giving users an inventory of the data usage can be scary for developers, and add additional work to the process — accountability is like that. But developers need to get ready because that accountability will eventually be demanded of them. The industry will likely see more third-party reputation analysis with companies holding mobile app dev’s feet to the fire with privacy reports. Get in front of the ball now and start adding transparency labels to your apps — much like nutrition labels on food.
In addition, consider making mobile app privacy information sharing a two-way conversation. Mobile app developers can do a lot for customer experience and continuous improvement if they also include very easy-to-find contact details for users to get in touch when they find privacy problems and vulnerabilities in the app. Don’t make them dig through your website, include that in the app itself. Placing that within the privacy label is a natural spot.
Granular Data Use Options
With data privacy laws like GDPR and CCPA implementing opt-in and opt-out user data right mandates, now is the time for mobile app developers to get serious about the kinds of options they provide users to make data usage selections within the apps themselves. For the sake of compliance and better user satisfaction, mobile developers should consider building functions directly into the app that give users more granular control over what data the app collects, and who the developer does or does not share certain data with. It can make a world of difference in user experience if that control is offered directly through the app via various radio buttons versus having to go to an arcane website to handle that capability.
Consider this across all geographies rather than just for California or EU citizens, as more data privacy laws are on the horizon and doing this now will futureproof you from technical debt.
Not all mobile app privacy features are security features. And not all security features are privacy-related. However, there are definitely certain security features that greatly bolster user privacy when they’re well implemented. One of the most obvious is encrypted communication.
Users need the peace of mind that no one else but the developer can collect their information if they’re using a particular app. Implementing HTTPS provides assurance that attackers can’t use man-in-the-middle (MiTM) attacks and other techniques to sniff out private information from the app. Many mobile developers have already jumped onto the HTTPS bandwagon, but there are also still plenty holding out with HTTP. A recent study we did at NowSecure found that one in five Android apps and one in seven iOS apps still use HTTP.
Additionally, be certain that you’re implementing HTTPS securely. On mobile there are a lot of ways you can implement TLS, and if you do it incorrectly it can become effectively just as insecure as simply using HTTP. In some ways it’s worse because that breeds a false sense of security—there might be MiTM connections hidden in the app and the user won’t even think it’s possible for that to happen because the app is supposedly an HTTPS app. So it’s crucial that the app not only implements HTTPS, but that it also does it correctly.
Privacy-Optimized App Storage
Both iOS and Android have gone to great lengths to protect devices at the platform level, including how data is stored on these pocket-sized computers. However, there are still ways that data can be pulled from the device by remote attackers and there are ways that the apps sitting on top of the operating systems can store data insecurely, putting user privacy at risk in the process. And, sadly, this is a reality that mobile developers tend to overlook.
Optimizing data storage for privacy can come down to something as simple as properly implementing encryption for data at rest. It can also be fostered by being more mindful of the locations that the app stores data so that other apps can’t access it. For example, in Android there are locations called external storage that an app can access that are also accessible to the user and to other apps. Being considerate of that and aware of the mobile app privacy issues that can arise by letting the app store data on external storage is important. Because depending on how your app uses that data and what’s being stored there, a developer could potentially be increasing the privacy risks for the user by tapping into it.
A lot of apps have functionality built into them that could be used to phish users—essentially providing the means for a user to breach their own mobile app privacy. A classic example of this is webviews, which are in essence an in-app browser that make it easier for the dev to tap into external content to be displayed within the app. Webviews aren’t necessarily a bad thing in their own right, but without some content controls that restrict what web content can and can’t be displayed, they can definitely be used by attackers for malicious purposes.
It just goes to show that content controls are crucial for maintaining the privacy of user data handled by apps.
Properly Configured Permissions
Smart app developers recognize that sound integrations are good for everyone in the mobile ecosystem. But they also need to remain mindful that insecure connections and sharing permissions between apps can put user data at risk. When permissions are overly promiscuous or poorly configured, an app stands as a prime source of data leaks on a user’s device. It’s up to developers to lock down their permissions as much as possible to prevent that from happening. This can also be tied into data use options—giving the user informed choices about which apps their data can span across and allowing them to control what goes where.
Mobile App Privacy Advice
Mobile app privacy features like the ones we’ve suggested here are just the start to creating safe, user-friendly mobile apps. To devise a strategy for how developers can improve mobile app privacy, check out our latest ebook, “Building Privacy by Design Into Your Mobile App Portfolio.”