This is Part 1 of a series on Security & Privacy for Mobile Apps.

(Note: in this article mobile apps means both native and webapps)


Are you Serious About Security on your mobile apps or webapps?

Security and privacy are too often not properly addressed in mobile apps. From the product requirements to the design and implementation of the mobile app, properly securing sensitive information means addressing it end-to-end: on the device/smartphone, through the network, and on the servers in the cloud.

Examples of sensitive information:

  • Personally Identifiable Information (PII)
  • Cardholder and other credit card information
  • Health/medical information
  • Tracking users/geo-location

And it is not only about whether or not the app collects sensitive information, but also about 1) preventing others from gaining access to the sensitive data collected by your app, and 2) how to communicate to the user how the app itself deals with such sensitive data.

As product owners and developers, we all should follow proper security and privacy guidelines, regardless of the kind of application. But when dealing with critical or sensitive information, we must go beyond guidelines and treat privacy and security as application requirements.


Increase in Apps with privacy & security requirements

Developers do need to be serious about security and privacy on their mobile apps:

But many developers find addressing privacy/security challenging:

Why the need to be explicit about security and privacy?

Addressing security/privacy goes beyond protecting and securing data. It is a fact that security/privacy on mobile apps can quickly become confusing, and this impacts how we tell users what the application does with sensitive data. Typically this communication is done via privacy terms and/or policies that are hundreds of lines long and hard to read on a mobile device, so many people simply skip reading them.

Simplifying privacy communication — a case for “Classifying Apps”?

Imagine that we can abstract and simplify how we communicate privacy/security matters to users. One idea is to classify apps based on how they handle sensitive data, for example:

  • Class A — Collects data
  • Class B — Stores data
  • Class C — Shares data
  • Class D — Tracks the user
  • Any other?

Regardless, think about these classes when designing your application, and crafting your privacy policy documents.

Now imagine that these classifications are standardized, and with this, the privacy wording for each of these classes of apps is standardized as well — all with the goal of making such wording very clear and easy to understand, standard, and referenceable — similar in idea to how licenses such as GPL, MIT, and Apache have been defined, standardized and used all around.

With such “standardization”, mobile apps would have a very clean, simple privacy policy that is familiar in wording and meaning, for example:

Privacy Policy — this application:

  1. Collects Data
  2. Shares data
  3. Tracks the user

Please click on the appropriate hyperlink for more information.

I would like to see an initiative of some kind to do just this (I’m investigating this as we speak). If you have any thoughts, please drop me a line. Perhaps there is something out there already that I haven’t seen yet. If there is nothing there yet, I believe it is worth it to follow up on this and come up with simple, consistent, familiar privacy messaging (and badge?) across platforms and applications.

Conclusion

Personal and sensitive information includes any information that is critical for a user, for example credit card numbers, credit card validation codes, social security numbers, driver’s license numbers, names, addresses and dates of birth, and other Personally Identifiable Information (PII). Any such information must be properly handled and secured.

As privacy continues to become more critical over time, with the number of apps exponentially increasing, and with potential legislation in the future, having clear privacy and security wording/messaging and responsibilities is very important. And as product owners and developers, you/we are responsible!
