Many mobile applications gather, and sometimes share, more data than they need, according to a recent Appthority survey of the top 200 Android apps and the top 200 iOS apps. In particular, apps reading the device's Unique Device Identifier (UDID) have become more common again, despite efforts two years ago to curtail the practice. For developers, the survey is a useful reminder of the kinds of application behavior that, while often lucrative, can erode consumer trust or even get an app blacklisted in the enterprise.
According to the report, common risky behaviors include location tracking (used by 70 percent of free apps and 44 percent of paid ones), often with no evident need for it; in-app purchases (which can end up costing employers who issue the devices); and sharing data with advertising networks or analytics companies (58 percent of the top free Android apps do so, as do 24 percent of paid ones). Also notable is the use of single sign-on (SSO) features, which can create security risks of their own, as ZDNet's Larry Seltzer pointed out.
"SSO is considered risky because loss of the credential (typically a social network) could compromise all the sites to which the user logs in with the SSO," Seltzer wrote. "Furthermore, any permissions granted to an app accessed with an SSO are also available to the SSO site. For instance, if you log in to an app using your Facebook credentials and grant that app access to your contact list, Facebook gets access to it as well."
The UDID problem
More than half of the top Android and iOS apps (56 percent) read the UDID, and every one of the top free Android games does so. The practice has been the subject of vigorous debate: a landmark 2010 Wall Street Journal investigation yielded similar results, and Apple has faced lawsuits over data-gathering practices in recent years. The company asked mobile developers to stop using the UDID to track their applications and offered alternative identifiers with iOS 6, initially saying it would block any application that still used the UDID. Despite an initial decline, however, the practice appears to have rebounded on iOS, and it has remained consistently high on Android, according to the study.
The study's sponsor, Appthority, sells an application whitelisting service, so it stands to benefit from painting "risky" data gathering in a negative light. Nonetheless, given growing consumer concern over privacy, this issue isn't likely to go away anytime soon. By recognizing that many of their data-gathering techniques may be seen as risky or invasive by the public, developers can change their apps and build trust with their audience by avoiding those techniques. Code review and source code analysis can help developers find the places where an app reads identifiers, location or contacts, and address them before the next disclosure or study puts their service in the crosshairs of public opinion.
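As a concrete illustration of the kind of source code check the paragraph above describes, here is a small static scanner that flags calls to the platform APIs behind the behaviors the survey counts: device identifiers, location and contacts. This is an added example written for this page; it is not code from the Appthority study, from Klocwork's tools, or from any app it discusses. The API names in the pattern table (`uniqueIdentifier`, `getDeviceId`, `ANDROID_ID`, `CLLocationManager` and so on) are real iOS and Android APIs, but the categories, the notes and the two sample source files are this example's own constructions.

```python
"""Flag privacy-sensitive platform API calls in mobile app source (added example)."""
import re
from typing import List, NamedTuple, Dict


class Finding(NamedTuple):
    path: str
    line: int
    api: str       # the text that matched
    category: str  # device-id, location or contacts
    note: str      # reviewer hint; wording is this example's own


# Real platform API names; the grouping and the notes are assumptions made
# for this example, not rules taken from the survey or from any vendor tool.
PATTERNS = [
    (r"\buniqueIdentifier\b", "device-id",
     "iOS UDID via UIDevice.uniqueIdentifier (deprecated); use identifierForVendor"),
    (r"\bgetDeviceId\s*\(", "device-id",
     "Android TelephonyManager.getDeviceId() returns the IMEI/MEID"),
    (r"\bSettings\.Secure\.ANDROID_ID\b", "device-id",
     "Android ANDROID_ID is a persistent per-device identifier"),
    (r"\bBuild\.SERIAL\b", "device-id",
     "hardware serial number"),
    (r"\bCLLocationManager\b|\bLocationManager\b|\brequestLocationUpdates\s*\(", "location",
     "location access; confirm the app has a user-visible reason for it"),
    (r"\bCNContactStore\b|\bABAddressBook|\bContactsContract\b", "contacts",
     "address book access"),
]


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit, skipping comment-only lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Simplistic comment handling: whole-line // and # lines are ignored.
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        for pattern, category, note in PATTERNS:
            match = re.search(pattern, line)
            if match:
                findings.append(Finding(path, lineno, match.group(0), category, note))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. {'device-id': 3, 'location': 2}."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


# Constructed sample files (not real app code) exercising the patterns above.
OBJC_SAMPLE = """\
// Constructed sample: old-style Objective-C that still reads the UDID.
#import <UIKit/UIKit.h>
#import <CoreLocation/CoreLocation.h>
NSString *udid = [[UIDevice currentDevice] uniqueIdentifier];
CLLocationManager *lm = [[CLLocationManager alloc] init];
"""

JAVA_SAMPLE = """\
// Constructed sample: Android activity reading IMEI, ANDROID_ID and location.
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String imei = tm.getDeviceId();
String aid = Settings.Secure.getString(getContentResolver(), Settings.Secure.ANDROID_ID);
locationManager.requestLocationUpdates(LocationManager.GPS_PROVIDER, 0, 0, listener);
"""


def run_demo() -> Dict[str, int]:
    """Scan both samples, print a review-style report and return the totals."""
    findings = scan_source("AppDelegate.m", OBJC_SAMPLE) + scan_source("MainActivity.java", JAVA_SAMPLE)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.category}] {f.api} -- {f.note}")
    return summarize(findings)


if __name__ == "__main__":
    print(run_demo())
```

Run against the two constructed samples, the report lists three device-identifier reads and two location accesses, which is exactly the kind of inventory a developer needs before deciding which of those reads the app can justify to its users. A regex scanner like this is deliberately crude: it will miss calls assembled through reflection or hidden in third-party SDK binaries, so it complements, rather than replaces, a review of the ad and analytics libraries the app links.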
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.