Media Announcement

IDC Finds Mobile Data Privacy & Security Are Critical, but Developers Need New Tools to Comply

Posted by

Guest Author: Jim Mercer, Research Vice President of DevOps & DevSecOps, IDC

Guest Author: Katie Norton, Senior Research Analyst of DevOps & DevSecOps, IDC

There is a misconception that data security for mobile apps is a feature when, in reality, it has become a necessity. In IDC’s 2023 DevSecOps Adoption, Techniques, and Tools Survey, 24% of respondents indicated they experienced a sensitive data exposure breach in 2023.

If developers don’t properly secure mobile applications, personally identifiable information (PII), health data, or financial data may be exposed. This exposure of sensitive data could damage a company’s reputation, erode customer trust, harm users and decrease value. Furthermore, inadequately protected mobile applications can lead to legal liabilities and regulatory compliance violations. The California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR) and the Federal Trade Commission Health Breach Notification Rule stipulate data sovereignty, privacy requirements and protections for PII that mobile applications must comply with.

App Stores Prioritize Privacy

In the last few years, Google and Apple have made significant updates regarding privacy requirements for mobile applications in their respective app stores. Google has added Data Safety to the Play Store to increase transparency and give users more control over their data. For Android apps published on Google Play, developers must state how they collect, handle and protect user data.

Similarly, Apple rolled out App Tracking Transparency (ATT) several years ago to empower users to choose whether an app has permission to track their activity. Along with this, Apple introduced Privacy Nutrition Labels that communicate how apps collect and use data.

However, a particular challenge when accurately reporting privacy information is that mobile applications rely heavily on third-party components, including software development kits (SDKs), open-source frameworks and libraries. As such, both Google and Apple require privacy disclosures to include the data collected by any third-party SDKs the mobile app uses.

New Apple Privacy Manifests for Mobile Apps

As part of its effort to address challenges in obtaining information from third-party SDKs, Apple introduced Privacy Manifests at this year’s developer conference (WWDC 2023). The Privacy Manifest lists the types of data an application or a third-party SDK collects about a user and the reasons for collecting this data. Apple has indicated that having a report aggregating all the privacy manifests for the mobile app’s first-party code and any SDKs used in the app will become a mandatory part of the Apple App Store review process in Spring 2024.

Improved data privacy and security are of the utmost importance for organizations, but they struggle to meet evolving compliance requirements. In IDC’s 2023 DevSecOps Adoption, Techniques, and Tools Survey, respondents indicated that safeguarding user data was one of the top two mobile application security challenges. Additionally, 19% of respondents stated that compliance with data privacy regulations was challenging.

Unfortunately, complying with evolving mobile app privacy disclosure requirements creates an added burden for mobile app developers, who must also maintain their apps’ privacy, security and integrity.

To fulfill the new Apple Privacy Manifest requirements, developers must gather multiple data elements across their code and systems. As such, developers will need to understand data flows, dependencies and more. Apple’s Xcode IDE provides some assistance, but the largely manual process can lead to an incomplete or inaccurate Privacy Manifest that ultimately could get the app rejected from the Apple App Store.
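The aggregation step described above (one report covering the app's own manifest and every SDK's manifest), as an added example that is not part of this article or of any NowSecure or Apple tool: a Python script that merges an app's PrivacyInfo.xcprivacy with a third-party SDK's manifest into a per-data-type report and flags disclosures that would be inconsistent. The two manifests, their data values and the SDK name are constructed; the key names follow Apple's documented Privacy Manifest format, and the consistency checks are this example's own choices, not Apple's review rules.

```python
import plistlib

# Constructed sample manifests: the app's own PrivacyInfo.xcprivacy and the
# manifest of a hypothetical analytics SDK. Key names follow Apple's documented
# Privacy Manifest format; the declared data values are made up for this example.
APP_MANIFEST = b"""<plist version="1.0"><dict>
<key>NSPrivacyTracking</key><false/>
<key>NSPrivacyCollectedDataTypes</key><array><dict>
<key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeEmailAddress</string>
<key>NSPrivacyCollectedDataTypeLinked</key><true/>
<key>NSPrivacyCollectedDataTypeTracking</key><false/>
<key>NSPrivacyCollectedDataTypePurposes</key>
<array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
</dict></array></dict></plist>"""

SDK_MANIFEST = b"""<plist version="1.0"><dict>
<key>NSPrivacyTracking</key><true/>
<key>NSPrivacyCollectedDataTypes</key><array><dict>
<key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeDeviceID</string>
<key>NSPrivacyCollectedDataTypeLinked</key><false/>
<key>NSPrivacyCollectedDataTypeTracking</key><true/>
<key>NSPrivacyCollectedDataTypePurposes</key>
<array><string>NSPrivacyCollectedDataTypePurposeAnalytics</string></array>
</dict></array></dict></plist>"""

def aggregate(manifests):
    """Merge manifests ({source_name: raw plist bytes}) into one report keyed by
    data type, plus the set of sources that declare NSPrivacyTracking=true."""
    report, sources_tracking = {}, set()
    for source, raw in manifests.items():
        m = plistlib.loads(raw)
        if m.get("NSPrivacyTracking", False):
            sources_tracking.add(source)
        for e in m.get("NSPrivacyCollectedDataTypes", []):
            row = report.setdefault(e["NSPrivacyCollectedDataType"], {
                "linked": False, "tracking": False, "purposes": set(), "sources": set()})
            row["linked"] |= bool(e.get("NSPrivacyCollectedDataTypeLinked", False))
            row["tracking"] |= bool(e.get("NSPrivacyCollectedDataTypeTracking", False))
            row["purposes"].update(e.get("NSPrivacyCollectedDataTypePurposes", []))
            row["sources"].add(source)  # which component introduced this collection
    return report, sources_tracking

def find_gaps(report, sources_tracking):
    """Checks chosen for this example: every declared data type needs a purpose, and
    data flagged for tracking must be backed by a manifest with NSPrivacyTracking=true."""
    gaps = [f"{dt}: no purpose declared" for dt, r in report.items() if not r["purposes"]]
    if any(r["tracking"] for r in report.values()) and not sources_tracking:
        gaps.append("tracking data declared but no manifest sets NSPrivacyTracking")
    return gaps
```

The `sources` set in each row is what answers the reviewer's question of which SDK introduced a given data collection, which is the information a hand-built manifest most often omits.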

While developers focus on building innovative mobile apps that delight their users and support their business, they must also handle data properly and respect privacy. New tools are emerging to assist developers on that journey. These tools can help developers understand the flow and usage of sensitive private data in their mobile apps as they build them, and generate documentation such as the Apple Privacy Manifest efficiently and reliably.

Sponsored by NowSecure