App development is big business. Recent studies show that smartphone users spend 89% of their mobile media time using mobile apps. Further, it is estimated that there are potentially more smartphones now in existence than there are people on Earth. With such a huge market to appeal to, and an almost unlimited scope for app ideas, there are huge profits to be made for app developers and their investors.
In a sector which has customer's personal data at its core, the Information Commissioner's Office (the "ICO") is eager to ensure that privacy is not forgotten.
In 2013, the ICO published guidance, click here to view the document, for app developers, drafted specifically to cover the areas of the Data Protection Act ("DPA") which app developers need to consider to safeguard against breaches of the DPA. Such breaches could result in a hefty fine, or arguably worse, lasting damage to their reputation.
Since we last discussed this guidance, click here to view the article, the ICO conducted a review, in 2015, of 21 popular mobile apps to see how they fared.
The results of the review were generally reassuring, although the ICO did note that are still plenty of cause for concern. These problems included the use of unencrypted connections to transmit personal data which meant that an attacker could snoop on the communication and potentially obtain usernames and passwords, if they could get into a position to do so. Although this might sound difficult, often the would-be hacker using the same Wi-Fi hotspot as the customer can be enough. Given the widespread availability of open Wi-Fi in public areas, this poses a serious problem.
The most concerning aspect highlighted by the ICO from a purely technical point of view was that three of the apps that were using encrypted connections did not check digital certificates adequately. HTTPS remains an effective method for keeping data confidential in transit, but only when it’s set up and used properly. While encryption on its own guards against casual snooping, it doesn’t stop an attacker from impersonating a server. Proper certificate checking allows an app to be sure that it’s communicating with the intended server.
Other issues discovered during the investigation included:
- Default passwords and weak password requirements;
- Setting of cookies without consent;
- Transmission of passwords in the URL;
- Unexplained usage of tracking ID numbers;
- Misleading interface design; and
- Plain annoyance (e.g. advertising in the notification bar).
The ICO have declared that they will continue to investigate the compliance of mobile apps with data protection law. Specifically in their sights are finance and wellbeing apps, due to the high propensity for these apps to contain very sensitive information. It is paramount apps of these nature are processing data correctly and the ICO have warned that there is no room for excuses. The results will be published later this year.
In light of this news, clients with mobile apps should revert back to their app developers to ensure their products comply fully with data protection legislation. The 2013 ICO guidance is a good place to start.
This article was written by Christopher Coughlan and Ashley Davies