These are the conclusions of a study conducted by IEEE Senior Member Lorrie Cranor, a professor of computer science and of engineering and public policy at Carnegie Mellon University, in Pittsburgh, and Ph.D. researcher Rebecca Balebako, who is now an information scientist at the nonprofit global policy think tank RAND, in Santa Monica, Calif. They surveyed 228 app developers and found that many do not have a background in ways to protect privacy or security, or even consider these issues when building their applications. Their findings were published in “Improving App Privacy: Nudging App Developers to Protect User Privacy,” available in the IEEE Xplore Digital Library.
Many app developers rely on third-party programs such as Google Maps or Facebook to be integrated into their programs without understanding how these are using the data collected and whether they might cause potential privacy or security threats to the users. Moreover, many developers do a poor job of encrypting the data that comes from the apps, Balebako says.
There’s an opportunity for the developers of mobile phones and tablets to create a default setting on the devices to encrypt data from apps or make it simpler for app developers to do this on their own, she says. “App developers shouldn’t have to figure out how to encrypt data for each system,” Balebako says. “A lot of app developers mentioned they don’t want to deal with handling passwords and encrypting data. They just want to design apps.”
When interviewing app developers for the study, Balebako also found that many believed their users were not too concerned about privacy and security protections, and that they were willing to accept the trade-off in order to get the service the app provided. Balebako argues that users do care and warns that there is no way of knowing how these apps and third-party services might use the data in the future.
Greg Clark, CEO of Blue Coat Systems, an information security company in Sunnyvale, Calif., agrees with these observations. He knows for a fact that developers are not paying attention to security concerns. “I’ve had to sit down with them a number of times and talk about what has to be done now in order to not regret something later.”
But even if developers did care about security, their skill set to build in security is lacking, he says. While many large companies have security experts on their development teams, so-called enterprise applications designed by established companies are a small subset of the total number of apps available, Clark adds. “Security is not the main focus for someone who is building a new dating app for 20 year olds.”
These are some measures that developers for both mobile devices and apps can implement to improve security.
- Design mobile systems to validate the integrity of apps before allowing them to be downloaded on the device. (Apple, for example, curates applications for download through its App Store.)
- Build mobile devices to automatically encrypt data that is stored and collected through apps to make it difficult for third-party services to get access.
- Read the fine print on third-party services before integrating them into app designs to avoid causing privacy breaches or a security glitch. If the service is used, provide users with a notice about the potential threats before they download the app.
- Keep programs open for network inspections to catch malicious activities; avoid strategies like certificate pinning, which keeps browsing activity private.
- Move into an open cloud-based security system infrastructure that continues to evolve and keep up with potential threats. These types of systems also keep tabs on all devices that belong to a single user so that a potential threat from one device or location doesn’t make its way into another. (Read our article “Mobile Devices Remain Vulnerable to Attacks,” to learn more about this framework.)
- When potential threats are detected, provide ample warning to users not to download the app. This might also include notifying them of vulnerable Wi-Fi spots.