A controversial data leak involving a popular fitness app represents only the tip of the iceberg when it comes to privacy concerns involving mobile apps, the vice president of a mobile security firm says.
According to Dave Jevans, Proofpoint’s vice president of mobile security, many apps can share who you are, your email address, your physical location, and even your browser history – though for now he says the only app to fall under widespread scrutiny is Runkeeper. The smartphone-based tracking program was recently called out for having a bug that transferred personal data to a third-party advertiser without alerting users – even when the app was not in use.
“Because [Runkeeper is] such a popular app, it has come under fire,” says Jevans. “That does not mean that any less popular apps are any more secure, it just means they haven’t been examined in great detail.”
Runkeeper has claimed that they were unaware of the bug’s presence, while the Norwegian Consumer Council (NCC), a Norwegian watchdog agency, has lodged a formal complaint against advertising firm Kiip.me, and is advocating for the company to delete all of the data that it collected. In response, Runkeeper noted that it was primarily the Android version that was impacted, but promised to release an update for iOS as well.
However, Jevans says that Runkeeper, which was initially launched in 2008 and now has over 40 million users, has had a history of security problems. For example, in 2013 it was possible to access other user accounts without knowing their password on the app. The problem resurfaced again in 2014.
More disconcerting, however, is the fact that the security requirements on the App Store are basically nonexistent and do not mandate a privacy policy, he says.
“We’ve analyzed over 12 million apps on both iPhone and Android,” Jevans says. “About half of them don’t even have a privacy policy.”
In the case of Runkeeper, the app does have a privacy policy in place, and outlines the following:
“The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this privacy policy.”
“The Services also enable third-party tracking mechanisms to collect your other information for use in online interest-based advertising.”
Jevans notes that neither of these are uncommon clauses. Often, by agreeing to the terms of use of one app, a user can inadvertently agree to the privacy policies of a third party site that is connected to the app. He also explains that apps are able to change and update privacy policies without warning.
Unfortunately, there are few precautions that users can take to protect their data once they have installed an app, Jevans says. he describes the market as “buyer beware,” and advises smartphone users to investigate an app thoroughly before agreeing to its terms of use.