How mobile apps can take whatever data they want from a smartphone

IT Best Practices Alert By Linda Musthaler, Network World
January 25, 2013 12:12 PM ET

Network World - I recently interviewed Domingo Guerra, president and co-founder of Appthority, a company that analyzes mobile applications to discover what they do, not just from a functionality perspective, but also what the apps do under the hood. By this I mean what information the app collects from the device that the owner may or may not know about, such as the user's contact list, the device's location and other private information. After talking with Guerra, I was ready to rip a bunch of apps off my smartphone -- and you might be too. Just think what these apps could be collecting from your enterprise.

Let's start with a bit of background on mobile versus traditional applications development. In a traditional commercial software market, a small number of companies produce software for public consumption -- companies like Microsoft, Symantec, SAP, etc. These companies make their money by selling a license to use the software, annual renewals or upgrades, and perhaps some services or a support contract. They invest heavily in quality control of their products. If they didn't, they'd quickly go out of business.

In the mobile app development world, there are hundreds of thousands of unique developers. They put their code together quickly to rush the app to market, maybe for the Apple or Android marketplaces, where an app is often free or very low cost. The 99 cents a developer charges for his app (minus the commission paid to the app store) may be all the money he ever collects from the buyer. Consequently, the developer looks for other means of revenue. This is where ad networks enter the market.

Ad networks are happy to pay mobile developers for information they can collect from users' devices. This is why an app will request to collect information that isn't directly related to the app. For example, a game might ask to collect the device's location information, even though the location has no bearing on the game. Once the app is able to collect the user's location, he can be tracked anywhere he goes. Think about this: your salespeople can be tracked to customer locations; your executives can be tracked as they go to a secret merger & acquisition meeting; your staff can be tracked to their homes.

Developers in search of revenue don't necessarily wait for permission to collect data. Even if a user denies an app access to his location information, the app can figure it out using geo-IP tracking, cellphone triangulation or Wi-Fi network recognition. The mere presence of the app on a smartphone can betray the user's trust without his knowledge or permission.

Sometimes the user agreement that users accept (and hardly ever read) when downloading an app grants permission to collect and share data beyond that particular app. Guerra says that there's often a mismatch between what the users perceive they are giving permission to and what permission is actually being granted. Permission is being granted to the app itself, but people don't realize that the app may have code from ad networks or analytic frameworks built in. Therefore, the permission extends to those third parties as well. This means the contact list on the phone can be sucked right out and sent to the ad network. If a user has his work email synced to his smartphone, his work contact list can be sent outside the company without anyone's knowledge.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.