Building Trust 1 October 2017

Best Practices: Mobile App Privacy & Security

As mobile usage and application development continue to grow, the need to adopt best practices in data security, app security and privacy has been highlighted. To aid developers while enhancing online trust, consumer protection, and regulatory compliance, OTA has provided the following outline. As learned in the development of website and software applications, developers can overlook basic standards and guidelines and fail to uniformly apply and maintain them between versions and device platforms. Creating a security and privacy discipline, including robust integration from inception throughout an app’s life-cycle, pays long-term dividends to a company and to its users. Note that, as the landscape is rapidly evolving, developers need to conduct their own review for regulatory compliance.

These resources serve as a tool to help developers. OTA recommends brands and developers move from a minimal compliance point of view to one of stewardship, making security and privacy a competitive business advantage. As outlined, it is paramount that developers implement adequate security controls, provide appropriate notification and understand the privacy implications and boundaries of the collection and use of data.

Privacy

At the forefront of the consumer privacy landscape is the collection, sharing and usage of user data on websites and by mobile apps. Recent high-profile media attention, class action lawsuits and dependence on mobile devices have prompted close scrutiny of developer, advertiser and platform practices and controls. Regulators on the state, national and international level are actively encouraging (and enforcing) consumer privacy rights against app developers that misuse or surreptitiously access user data. Developers should build privacy into their mobile apps from the start in order to foster trust and confidence in the mobile app ecosystem. If the app is ad-supported, it should include access to preference management tools that indicate advertising preferences. In addition, OTA recommends that unless related to a core capability of the app, apps should not access sensitive data.

Security

Apps are not just about innovation, but are also about security and a safe user experience. Many apps rely heavily on sensitive user information, making them a target for, and vulnerable to, hackers, malware and more. There is no “one-size-fits-all” approach to the development process and the needs of each app. However, certain “bedrock” measures are essential. All sensitive information must be encrypted during transmission over any network or communication link. Once sensitive data has been entered, it should not be displayed in plain text anywhere in the application. Sensitive data should always be protected by a password, and if an app uses passwords or other sensitive data, these should not be stored on the device and should not be echoed when entered into the application. Security also includes secure code development and code signing to help protect applications from being compromised by other apps or having their code unknowingly manipulated.

User Control

While there are limitations based on platform technologies, developers should strive to provide users choice and control around the unexpected collection and use of personal information. Mobile app developers should only collect the minimum amount of data required to provide the service, with an eye towards ways to achieve the functionality while anonymizing personal information. When this data is used outside the scope of what users would reasonably expect, make sure users can easily opt out. OTA recommends that apps not access sensitive data unless it is related to the app’s core capability. In addition, developers are able to provide “enhanced notice and choice” to users when most relevant, within the OS design framework. A best practice is to do this before data is collected, transmitted or used. OTA also recommends providing periodic reminders and visual indicators to users that the app is collecting their personal data.
 

Notice

When it comes to best practices, disclosure and transparency are fundamental. An app’s data use, sharing and retention practices should be available to users before the app is downloaded. A best practice is making the Privacy Policy discoverable from the app platform or store without requiring a user to download the app. The policy should be written in plain English at the reading level of the target audience(s). While the app may be in English, having the privacy policy and terms of use in other languages is highly recommended to maximize users’ ability to comprehend the app’s data practices. (See OTA’s multi-lingual privacy policy.) Due to the limited screen size of mobile devices, OTA recommends developers consider a short-form notice highlighting key data practices which are disclosed in detail in the full privacy policy. Third-party solutions from leading companies such as TRUSTe and others provide tools to help create these notices, including additional contextual, “just-in-time” notices.
