The Federal Trade Commission (FTC) has been aggressively cracking down on mobile app privacy violations to safeguard consumers’ personal information. Following the landmark California Consumer Privacy Act (CCPA), several states including Florida, Montana, Oregon, Texas and Washington enacted data privacy laws that take effect in 2024 and many others have pending privacy legislation. With privacy in the spotlight, mobile app makers must ensure their code and third-party components properly protect personal data.
Consumers have also intensified their focus on data privacy. An International Association of Privacy Professionals (IAPP) report shows that 68% of consumers across the world are either somewhat or very concerned about their online privacy. In addition, consumers won’t do business with organizations that lose their trust through cybersecurity breaches or leaks. Over the past year, 85% of consumers said they deleted a mobile app due to privacy concerns, according to the IAPP.
Organizations must meet growing privacy demands in order to maintain regulatory compliance, safeguard brand reputation and preserve consumer trust. Consequently, executives, product owners, and legal and global risk and compliance teams are now tasking mobile application security and app development teams with meeting privacy requirements. App security and DevSecOps organizations need an easy way to build mobile apps that meet security, privacy and compliance requirements. In addition to applying privacy by design principles, the security analysts and developers should automatically test for security and privacy issues throughout the software development lifecycle (SDLC) to ensure mobile apps safeguard privacy prior to release.
Many finance and banking, high tech, healthcare, public sector and retail and hospitality mobile apps access a wealth of Personally Identifiable Information (PII). This sensitive data may include name, username, password, phone number, location, ZIP code, serial number, device ID, DNS address, Bluetooth MAC address, WiFi network or other information. Threat actors can harvest the data gleaned from security or privacy breaches or exposures to assemble extensive digital footprints that put customers at risk.
Mobile app developers and security professionals must test the mobile apps prior to release to verify they meet corporate security and privacy requirements using tools such as NowSecure Platform. In addition to ensuring the mobile apps they build are free of common security vulnerabilities, devs should take a privacy by design approach to safeguard customer data. They should focus on these key aspects of mobile app privacy:
- Data collection
- Data leakage over the network
- Data leakage via storage
- Data leakage via APIs & endpoints
Apple & Google Privacy Requirements
Organizations need to comply with Android and Apple requirements for publishing mobile apps to their respective app stores, Google Play and the App Store. These protections aim to increase transparency about privacy practices and give consumers control over how mobile app makers use their data.
Apple rolled out Privacy Nutrition Labels in 2020 to help users make informed decisions about the mobile apps they download and use. Developers must report to Apple the data used to track users, data linked to users and data not linked to them. In spring 2024, Apple will go a step further and require iOS developers to complete a privacy manifest for any mobile app that has the potential to be misused for fingerprinting. A privacy manifest details the privacy practices of the mobile app, including all third-party software development kits (SDKs) the iOS app contains.
Google in 2022 enacted Google Play Data Safety requirements to enable developers to show how they safeguard user data and privacy. Developers must disclose in their Play Store listings how their Android apps collect, share and secure user data or face removal. They do that by completing a Data Safety section that covers data used, stored and collected.
Android developers also have the option of demonstrating that their mobile apps comply with the highest standard of mobile security and privacy by obtaining an App Defense Alliance (ADA) Mobile Application Security Assessment (MASA). NowSecure experts perform the ADA MASA independent security review by objectively evaluating the mobile app against a set of industry standards. Apps that pass the third-party validation highlight the distinction in the Google Play Data Safety section via an independent security review badge. In 2023, Google began to promote the independent security review badge by introducing a Play Store banner for certain app types, starting this initiative with virtual private networks. This designation demonstrates a commitment to security and privacy and may help increase a developer’s mobile app downloads. NowSecure Services can help organizations obtain ADA MASA validation and also performs SDK pen testing.
OWASP MASVS Addresses Privacy
The OWASP Mobile Application Security Project (MAS) continues to evolve to meet growing expectations for security and privacy. The OWASP Mobile Application Security Verification Standard (MASVS) has long served as the global industry standard for mobile app security. It outlines minimum requirements for mobile app developers and security analysts to follow when building and releasing mobile apps.
OWASP MAS recently introduced the OWASP MASVS-PRIVACY category to help organizations assess the privacy implications of their mobile apps and make informed decisions. MASVS-PRIVACY provides a baseline for user privacy focusing on the app itself, looking at what can be tested using information that’s publicly available or found within the app through methods like static or dynamic analysis.
The new controls include:
- MASVS-PRIVACY-1: The app minimizes access to sensitive data and resources.
- MASVS-PRIVACY-2: The app prevents identification of the user.
- MASVS-PRIVACY-3: The app is transparent about data collection and usage.
- MASVS-PRIVACY-4: The app offers user control over their data.
The addition of a dedicated privacy category signifies growing recognition of the importance of privacy. Data security focuses on safeguarding data from unauthorized access, while data privacy emphasizes the rights of users and how data is collected, processed, stored and shared.
Why the OWASP MASVS-PRIVACY Category Matters
Privacy extends beyond traditional security measures. The new category covers a spectrum from safeguarding PII to health metrics, location data and device identifiers. As the world grapples with stringent privacy regulations like the General Data Protection Regulation (GDPR), the Children’s Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA), the addition of OWASP MASVS-PRIVACY becomes a strategic imperative for successful mobile app security and privacy programs.
NowSecure Platform Privacy Findings Protect Users
The NowSecure Platform mobile application security testing solution leads the charge on easing mobile AppSec and privacy compliance. NowSecure designed the solution to provide the coverage you want at the speed you need, all integrated into the DevSecOps toolchain and developers’ preferred workflows. By incorporating SAST, DAST, IAST, and API security testing into a single assessment, NowSecure delivers fast, comprehensive assessments.
Of more than 600 tests, NowSecure Platform identifies 180 findings related to mobile app privacy. NowSecure also plans future support to help you meet the new OWASP MASVS-PRIVACY category requirements. Adding privacy findings offers an extra layer of insight for mobile app developers and security professionals looking to meet compliance requirements and deliver high-quality mobile apps to their customers.
With the new NowSecure Platform findings view, you can easily identify privacy issues present in your mobile app portfolio by filtering to the “Privacy” finding category.
PII Data Collection
Safeguarding PII remains critical. NowSecure Platform utilizes an attacker’s perspective to fully interrogate your mobile app in different network conditions in order to identify any potentially leaked PII such as device identifiers, email addresses, first names, last names, GPS longitude and latitude, phone numbers, usernames, passwords, ZIP codes, Bluetooth identifiers, WiFi information, serial numbers and more.
All NowSecure findings include relevant compliance requirements that may be impacted. By identifying PII data collection issues, NowSecure Platform surfaces the data you need to meet compliance requirements like CCPA, GDPR and the Health Insurance Portability and Accountability Act (HIPAA).
Data Leakage Over the Network
Digging into network connection conditions is also crucial in identifying potential issues where data is leaked over the network. During analysis, NowSecure Platform looks at network capture while using invalid hostnames, during normal operation, while bypassing TLS encryption, and while using a self-signed certificate. This enables NowSecure Platform to identify privacy problems such as unencrypted network traffic, PII exposed and modifiable over the network, sensitive data in TLS communications, use of HTTP instead of HTTPS and susceptibility to a man-in-the-middle attack.
Identifying and remediating these issues goes beyond security; it is critical for protecting the data that your mobile app collects on your users. In a world where one data leak can damage brand reputation and destroy customer trust, protecting the privacy of your customers has never been more important.
Data Leakage via Storage
Improperly protecting data storage puts your customers’ sensitive data at risk. At the forefront of NowSecure Platform’s new privacy findings is identifying where collected data is stored. By investigating storage approaches for things such as external storage devices, keyboard caches, the user interface, on-device storage, device logs, device RAM and unencrypted network traffic, NowSecure Platform can identify potential areas where sensitive data may leak.
By addressing these privacy issues, you ensure your mobile app protects your users’ sensitive information, reducing the likelihood of data leakage.
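As an added illustration (not NowSecure’s code or the platform’s logic), the following Python sketch shows the kind of check the PII Data Collection, Data Leakage Over the Network and Data Leakage via Storage sections above describe: it scans constructed request captures and device log lines for the PII types the article lists and escalates anything sent over cleartext HTTP. The regex patterns, sample data and severity scheme are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Regexes for PII types the article lists. Constructed for this example; tune per app.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)\+?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "gps": re.compile(r"lat(?:itude)?=-?\d{1,2}\.\d+.*?lon(?:gitude)?=-?\d{1,3}\.\d+", re.I),
    "bt_mac": re.compile(r"\b(?:[0-9A-F]{2}:){5}[0-9A-F]{2}\b", re.I),
    "zip": re.compile(r"\bzip(?:code)?=\d{5}\b", re.I),
    "credential": re.compile(r"\b(?:pass(?:word)?|pwd)=[^&\s]+", re.I),
}

@dataclass(frozen=True)
class Finding:
    source: str    # "network" or "log"
    kind: str      # a PII_PATTERNS key or "cleartext_http"
    severity: str  # "high" or "medium"
    detail: str    # matched text (a real report would redact this)

def scan_request(url: str, body: str) -> list[Finding]:
    """Flag cleartext HTTP and any PII found in one captured request."""
    cleartext = url.lower().startswith("http://")
    findings = []
    if cleartext:
        findings.append(Finding("network", "cleartext_http", "high", url))
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(url + " " + body):
            # PII over TLS is worth reviewing; the same PII in cleartext is a leak.
            findings.append(Finding("network", kind, "high" if cleartext else "medium", m.group(0)))
    return findings

def scan_log_line(line: str) -> list[Finding]:
    """Device logs are readable by other tooling, so any PII there is a leak."""
    return [Finding("log", kind, "high", m.group(0))
            for kind, pat in PII_PATTERNS.items() for m in pat.finditer(line)]

def summarize(requests, log_lines) -> dict[str, int]:
    """Count findings by kind across captured traffic and device logs."""
    found = [f for url, body in requests for f in scan_request(url, body)]
    found += [f for line in log_lines for f in scan_log_line(line)]
    return dict(Counter(f.kind for f in found))

# Constructed sample capture and log lines (not real traffic).
SAMPLE_REQUESTS = [
    ("http://api.example.test/v1/login", "user=jane.doe@example.test&password=hunter2"),
    ("https://api.example.test/v1/position", "lat=41.8781&lon=-87.6298&zip=60601"),
]
SAMPLE_LOGS = ["D/BtManager: paired with AA:BB:CC:DD:EE:FF", "I/Net: ready"]
```

Calling summarize(SAMPLE_REQUESTS, SAMPLE_LOGS) on the constructed data reports the cleartext login, the email and credential it carries, the GPS fix and ZIP sent over TLS, and the Bluetooth MAC written to the device log.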
Data Leakage via APIs & Endpoints
Understanding the way your app handles customer privacy does not stop at the code you’ve written; it includes the APIs and third-party libraries included in your app. NowSecure Platform assessments each generate a Software Bill of Materials (SBOM) to catalog the libraries and trackers included in your mobile apps. It also investigates the endpoints of your network connections, providing information about the host, organization and geolocation of the endpoints so you can identify whether any of the data in your mobile app is traveling somewhere it shouldn’t be. Each assessment also performs API discovery via dynamic application security testing (DAST) and behavioral testing. This provides yet another way to ensure your mobile app only transmits data to the API endpoints you intend it to. Using all of this data empowers you to identify any potential leaks and stop them before customer data ends up in the wrong hands.
Google Play Data Safety Checks
As referenced above, the Google Play Data Safety section of the Play Store informs users what security and privacy measures mobile app developers have taken for their Android apps. With the introduction of Privacy findings, NowSecure can help provide data for your Google Play developer self-attestations.
NowSecure Platform provides critical data around device or other IDs, location data, and personal information that are potentially collected or shared with known third parties. By identifying any of these issues in advance, you can remediate them, meeting requirements for the Google Play Data Safety section and protecting your users’ information and trust.
Bridging Trust and Compliance
NowSecure has always embraced standards-based testing, and always will. The more than 180 privacy findings added to NowSecure Platform give mobile app developers and security professionals a head start in building mobile apps that meet the OWASP MASVS-PRIVACY requirements. Getting in front of privacy challenges propels your mobile apps towards a future where security and privacy are one.
As the mobile application security and privacy landscape continuously evolves, so must your approach. Empower mobile security and development teams to build mobile apps that protect user privacy by applying NowSecure Platform automated testing.
Get a demo to explore NowSecure Platform privacy findings and ensure your mobile app honors user expectations for privacy.