HomeBest PracticesMobile App Privacy & Security

Mobile App Privacy & Security

As mobile usage and application development continues to grow, the need to adopt best practices in data security, app security and privacy have been highlighted.  In an effort to aid developers while enhancing online trust, consumer protection, and regulatory compliance, OTA has provided the following outline. As learned in the development of website and software applications, developers can overlook basic standards and guidelines and fail to uniformly apply and maintain them between versions and device platforms.  Creating a security and privacy discipline including robust integration from inception throughout an app's life-cycle pays long-term dividends to a company and to its users.  Note as the landscape is rapidly evolving, developers need to conduct their own review for regulatory compliance.  

These resources serve as a tool to help developers understand the criteria in which their applications will be evaluated in the 2014  Online Trust Audit & Honor Roll. OTA’s 2014 Audit tracks current guidelines and will evaluate and score apps against leading best practices. OTA recommends brands and developers move from a minimal compliance point-of-view to one of stewardship, making security and privacy a competitive business advantage.  As outlined, it is paramount that developers implement adequate security controls, provide appropriate notification and understand privacy implications and boundaries of collection and use of data.

  • Privacy - At the forefront of the consumer privacy landscape is the data collection, sharing and usage of user data on websites and by mobile apps.  Recent high profile media attention, class action lawsuits and dependence on mobile devices have prompted close scrutiny of developer, advertisers and platform practices and controls. Regulators on the state, national and international level are actively encouraging (and enforcing) consumer privacy rights against app developers that misuse or surreptitiously access user data. Developers should build privacy into their mobile apps from the start in order to foster trust and confidence in the mobile app ecosystem. If the app is ad-supported the app should include access to preference management tools that indicate advertising preferences. In addition, OTA recommends that unless related to a core capability of the app, apps should not access sensitive data.      
     
  • Security - Apps are not just about innovation, but are also about security and a safe user experience. Many apps heavily rely on sensitive user information, making them a target and vulnerable to hackers, malware and more. There is no “one-size-fits-all” approach to the development process and needs for each app. However, certain “bedrock” measures are essential.  All sensitive information must be encrypted during transmission over any network or communication link. Once sensitive data has been entered, it should not be displayed in plain text anywhere in the application. Sensitive data should always be protected by a password and if an app uses passwords or other sensitive data, the passwords or other sensitive data should not be stored in the device and not echoed when entered into the application. Security also includes secure code development and code signing to help protect applications from being compromised by other apps or the code being unknowingly manipulated.
     
  • User Control - While there are limitations based on platforms technologies, developers should strive to provide users choice and control around the unexpected collection and use of personal information. Mobile app developers should only collect the minimum amount of data required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information. When this data is used outside the scope of what users would reasonably expect, make sure users can easily opt-out.  OTA recommends that unless related to a core capability of the app, do not access sensitive data unless related to the app’s core capability.  In addition, developers are able to provide “enhanced notice and choice” to users when most relevant, within the OS design framework. A best practice is to do this before data is collected, transmitted or used. OTA also recommends providing periodic reminders and visual indicators to users that the app is collecting their personal data.
     
  • Notice - When it comes to best practices, disclosure and transparency are fundamental. An app’s data use, sharing and retention practices should be available to users before the app is downloaded .  A best practice is making the Privacy Policy discoverable from the app platform or store without requiring a user to download the app. The policy should be written in plain English at the reading level of the target audience(s).  While the app may be in English, having the privacy policy and terms of use in other languages is highly recommended to maximize user's ability in comprehending the app’s data practices. (See OTA's  multi-lingual privacy policy). Due to limitations of the screen size of mobile devices, OTA recommends developers consider a short form notice highlighting key data practices which are disclosed in detail in the full privacy policy.  Third party solutions from leading companies such as TRUSTe and others provide tools to help create these notices including additional contextual, "just in time notices".

 
Resources

Federal Trade Commission (FTC)  Mobile App Developers: Start with Security  (February 2013)

FTC Staff Report Recommends Ways to Improve Mobile Privacy Disclosures  (February 2013)

FTC Recommends Privacy Practices for Mobile Apps (February 2013)

Office of the Privacy Commissioner of Canada;  Seizing Opportunity: Good Privacy Practices for Mobile Apps (October 2012)

California Attorney General – Privacy Recommendations on the Go (January 2013)

US National Telecommunications and Information Administration (NTIA), Mobile App Privacy Code of Conduct (draft, July 2013)

 
Trade Organizations

App Quality Alliance – Best Practice Guidelines for Developing Quality Mobile Apps (June 2013)

Association for Competitive Technology  -  Mobile App Dashboard

Electronic Frontier Foundation – Mobile User Privacy Bill of Rights (March 2012)

Future of Privacy Forum & Center for Democracy & Technology -  Best Practice Mobile Application Developers

Future of Privacy Forum - Mobile Application Privacy

GSMA – Privacy Design Guidelines for Mobile Application Development - February 2012

 
Industry

Android App Security & Privacy Best Practices (Google)

Appscend – Mobile App Security Bottlenecks and Best Practices (October 2013)

AVG PrivacyFix Site Ratings

Lookout Mobile Security – Mobile App Advertising Guidelines (June 2012)

TRUSTe Privacy Best Practices

Window Phone Security Review