Unsecure Apps are risky

Mobile App Developers Unwittingly Aid Criminals

In turn, app developers eager to earn revenues from their hard work find it lucrative to collect as much data from their users as possible in order to offer more ad targeting data, and they can find many convenient ‘mobile monetizing kits’ to handle all the in-app ad publishing details for them.

Unfortunately, both of these practices can cause app developers unwittingly to become a mule for corrupt ad networks and privacy exploits.

Collecting too much information is a privacy risk

Collecting more information from users than is necessary just to have more data to offer to advertisers is not necessarily a good strategy. A recent study published by the Information Commissioner’s Office (ICO) in the UK found that 49% of app users decided not to download an app due to privacy concerns.

If scaring off half of your potential downloads isn’t reason enough to reconsider your app privacy policies, consider the privacy risks and negative publicity. The ICO study was part of a global survey of 1,211 mobile apps, sponsored by the Global Privacy Enforcement Network (GPEN), which enlisted 26 privacy regulators from around the world. The much-publicized conclusion of the survey was that 85% of all apps fail to properly explain what data they are collecting and how they are using it, and that 31% of apps request an “excessive number of permissions to access personal information.”

The numbers and negative attention will only get worse, as privacy groups and media continue to increase their scrutiny of data collection practices.

Corrupt ad networks imperil you and your users

Unbeknownst to many mobile app developers, their ad networks may be engaging in aggressive practices with their users and where the network has been compromised, even installing malware on their phones. Examples include:

  • Directing users to pornographic websites and/or fake app download sites
  • Reading users’ address book contacts and sending outbound emails or calendar event requests
  • Deleting or defacing users’ USB storage accounts connected to the phone
  • Dialing out to revenue-generating numbers or sending premium SMS messages
  • Automatically authorizing in-app purchases

Other technical deficiencies in your mobile app code – such as failing to properly check SSL / TLS certificates or inter-app injection flaws – let hackers exploit your users directly.

With ad-funded mobile apps, the ad network is the data controller technically responsible for stopping malvertisments and other corruptions. But the app developer carries the responsibility to collect only as much user data as needed, to protect that data from exfiltration, and to do background checks of the ad publishing networks being used. Otherwise the mobile app developer may become an unwitting aid to criminals.

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.