This post first appeared in TRUSTe’s Technology Blog on July 14th, 2015
By Helen Huang, Sr. Product Manager, TRUSTe, CIPP/US
Mobile application privacy management is now more important than ever: at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing more attention, both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the additional scrutiny the FTC and FDA are applying to wellness and health services should sharpen management’s focus on improving mobile application development tools and processes.
Within a single global organization, mobile applications are often developed by product managers spread across different business units and subsidiaries. Adding to this complexity, companies often rely on outsourced mobile developers, putting mobile applications one more step away from the oversight of the privacy officer.
To manage data privacy risk, privacy officers must have a handle on the data that is collected, the security of data in transit, and every third party that accesses data through the mobile application. According to the Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of the third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real: the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.
Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered Fandango to undergo security assessments every other year for the next 20 years because of its insecure transmission of data. Other aspects of mobile application design and implementation should also be reviewed by the privacy officer to prevent public backlash in the event of a perceived privacy violation. For example, privacy officers should check whether an application requests an overly broad set of permissions, which may indicate high privacy risk or be considered suspicious activity.
The privacy officer needs this handle on collected data, data transfer security, and third-party access across all of the company’s mobile applications. Privacy officers can use in-house technology or hire a vendor to gather the information, then map it against in-house guidelines and regulations to determine whether there is a privacy risk. Depending on how many applications a company has and how often it updates them, this can drain a lot of resources. To efficiently manage the privacy risk of mobile applications across the company, a privacy officer needs:
- Condensed, relevant, and actionable data for assessing privacy risk, delivered either as a standalone privacy report or as a distinct, comprehensive section within a security report.
- An automated or partially automated tool to generate that information.
- Sufficient resources, internal or outsourced, to analyze the findings and flag any privacy risks.
TRUSTe Mobile App Assessments
The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe solutions can help analyze applications and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.
By analyzing information on a specific mobile application such as third-party domains, the data collected, data stored on the device, insecure transmissions and app permissions, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.
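To make the kind of analysis described above concrete, here is an added example of a minimal static privacy check over an Android app's manifest and its string constants. It is not TRUSTe's scanner or any code from the original post; the permission table is an illustrative subset of Android's runtime ("dangerous") permissions, the manifest and string constants are constructed sample input, and the "stated purpose" permission list is an assumption a reviewer would supply per app. The check flags sensitive permissions, permissions not justified by the app's purpose, cleartext transmission being permitted (Android allows plaintext HTTP by default when `targetSdkVersion` is below 28, or whenever `usesCleartextTraffic` is explicitly `true`), and URLs that point at third-party hosts or use plaintext HTTP.

```python
"""Added example (not TRUSTe's tooling): static privacy checks on an Android
manifest and string constants. The permission table, sample manifest, sample
strings and expected-permission list below are all constructed assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: an illustrative subset of Android runtime ("dangerous")
# permissions, mapped to the personal data each one exposes.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_CALL_LOG": "call history",
}


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def assess_manifest(manifest_xml, expected_permissions):
    """Return (kind, item, detail) findings for permissions and cleartext policy."""
    root = ET.fromstring(manifest_xml)
    expected = set(expected_permissions)
    requested = {_android_attr(p, "name") for p in root.findall("uses-permission")}
    findings = []
    for perm in sorted(requested):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append(("sensitive_permission", perm, SENSITIVE_PERMISSIONS[perm]))
        if perm not in expected:
            findings.append(("unexpected_permission", perm,
                             "not justified by the app's stated purpose"))
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(_android_attr(sdk, "targetSdkVersion") or 0) if sdk is not None else 0
    cleartext = _android_attr(app, "usesCleartextTraffic") if app is not None else None
    # Plaintext HTTP is allowed by default below targetSdkVersion 28, and
    # always when the app explicitly opts in with usesCleartextTraffic="true".
    if cleartext == "true" or (cleartext is None and target < 28):
        findings.append(("insecure_transmission", "cleartext traffic permitted",
                         "targetSdkVersion=%d, usesCleartextTraffic=%s" % (target, cleartext)))
    return findings


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_endpoints(strings, first_party_domains):
    """Classify URLs found in string constants as third-party and/or plaintext."""
    results = []
    for s in strings:
        for url in URL_RE.findall(s):
            host = urlparse(url).hostname or ""
            first_party = any(host == d or host.endswith("." + d) for d in first_party_domains)
            results.append({"url": url, "host": host,
                            "third_party": not first_party,
                            "cleartext": url.startswith("http://")})
    return results


# Constructed sample input: a hypothetical store-locator app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.storelocator">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Store Locator"/>
</manifest>"""

# Assumption: what a store locator legitimately needs, per its stated purpose.
EXPECTED_PERMISSIONS = ["android.permission.INTERNET",
                        "android.permission.ACCESS_COARSE_LOCATION"]

# Constructed string constants, as one might pull from a decompiled APK.
SAMPLE_STRINGS = [
    "Welcome to the store locator",
    "https://api.example-retail.com/v1/stores",
    "http://ads.tracker-net.example/collect?id=",
    "https://cdn.example-retail.com/img/logo.png",
]

if __name__ == "__main__":
    for kind, item, detail in assess_manifest(SAMPLE_MANIFEST, EXPECTED_PERMISSIONS):
        print("%-22s %-45s %s" % (kind, item, detail))
    for ep in find_endpoints(SAMPLE_STRINGS, ["example-retail.com"]):
        print("%-45s third_party=%s cleartext=%s" % (ep["url"], ep["third_party"], ep["cleartext"]))
```

On the sample above the manifest check reports READ_CONTACTS and ACCESS_FINE_LOCATION as sensitive and as unjustified by the app's purpose, plus one insecure-transmission finding because the app targets API 26 without disabling cleartext; the string scan flags the ad tracker as both third-party and plaintext. A real assessment would run the same logic over the decompiled APK's resources and code rather than a hand-built string list.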
TRUSTe can also provide manual technical analysis to generate an even more detailed report. This identifies any areas in the mobile application that pose privacy risks and provides remediation recommendations. TRUSTe compares the mobile app findings against applicable regulations to highlight any noncompliance risks.
To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk evaluation on mobile devices and applications. To learn more about these new offerings, contact firstname.lastname@example.org.