Many mobile apps request too many permissions and don’t explain how they collect users’ personal information, a study of 1,211 popular apps by the Global Privacy Enforcement Network has found.
The majority of the apps reviewed did not adequately explain to users how they were collecting and using information, according to the study, carried out by 26 privacy enforcement authorities in 19 countries. It also found that a third of the tested mobile applications requested excessive permissions that were outside the scope of their functionality.
The issue of overly broad permissions has been brought up by privacy advocates and security experts before. It is often the result of the advertising-based revenue model used by many applications and which involves the bundling of ad frameworks in their code.
To provide targeted and interactive ads, ad libraries typically require access to a larger set of user data and device functionality than the host apps would normally need. Since these frameworks become part of the apps that use them, the access they require is reflected in the permissions requested by those apps.
The problem is further exacerbated by platform-dependent behavior. For example, iOS allows users to revoke an application’s access to certain data after installation, but Android has no such mechanism, forcing users to choose between granting apps any permissions they request or not using them at all.
According to the GPEN study results published on the website of the Privacy Commissioner of Canada, reviewers found that almost one in three tested apps provided no privacy information other than permission requests. An additional 24 percent provided some information, but didn’t explain how the information is collected, used and disclosed.
In 31 percent of cases the privacy information provided by developers somewhat explained the app’s collection practices, but left open questions about certain permissions, the reviewers concluded.
Sixty percent of apps had too little privacy information available prior to their download, and forty percent of them did not have privacy communications tailored for the small screens of phones and tablets.
“Many apps provided a link to a webpage with a tough-to-read privacy policy that wasn’t designed to be read on a handheld device,” the Office of the Privacy Commissioner of Canada said. “In other cases, the apps linked to social media pages. Sometimes users would have to log in to view the policy or the links were simply broken. A number of apps raised questions about who the developer or data controller was.”
The U.K.’s Information Commissioner’s Office (ICO), which also participated in the study, published a document with guidance for mobile application developers on how to present privacy information to users and obtain their consent.
In the case of free ad-funded applications “the ad network is a data controller, but as the developer you will likely have a duty to inform your users of what personal data will be collected, how it will be used, by whom, and what control your users can exercise,” ICO said in the document.
“Consider just-in-time notifications, where the necessary information is provided to the user just before data processing occurs,” the ICO said. “Notifications like this could be particularly useful when collecting more intrusive data such as GPS location, or for prompting users about features of an app that they are using for the first time. You could avoid excessive notification by remembering the user’s choice for a certain time period before reminding them again.”