
Jul 14

Privacy Risk Assessment for Mobile Applications

Mobile application privacy management is now more important than ever—at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing increasing attention—both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the FTC and FDA’s additional scrutiny into wellness and health services should increase management’s focus on improving mobile application development tools and processes.

Product managers in different business units in different companies often develop mobile applications within a single global organization. Adding to this complexity, companies often leverage outsourced mobile developers, putting mobile applications still another step away from the oversight of the privacy officer.

According to Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real—the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.

Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered that Fandango and Credit Karma undergo security assessments every other year for the next 20 years because of their insecure transmission of data. To prevent possible public backlash in the event of a perceived privacy violation, the privacy officer should also review the design and implementation of other mobile applications. For example, privacy officers should analyze whether an application requests an overly broad set of permissions, which may indicate high privacy risk or be considered suspicious activity.

To manage data privacy risk, privacy officers must have a handle on the data that’s collected, the security of data transfer, and all third parties accessing the mobile application, across all of their companies’ mobile applications. Privacy officers can leverage in-house technology or hire a vendor to provide this information, which the privacy officer can then map against in-house guidelines and regulations to determine whether there is a privacy risk. Depending on how many applications a company has and how often the company updates them, this can drain a lot of resources. To efficiently manage the privacy risk of mobile applications across the company, a privacy officer needs:

  1. Condensed, relevant and actionable data to assess privacy risk. The report should either be a standalone privacy report or a comprehensive separate section within a security report.
  2. An automated or partially automated tool to generate the information.
  3. Sufficient resources internally or outsourced to analyze the findings and flag any privacy risks.

TRUSTe Mobile App Assessments

The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe mobile assessments help you analyze applications by gathering information within network traffic, system API calls, log activities, and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.

TRUSTe Standard Mobile Assessments provide the privacy officer with all the information necessary to analyze the privacy risk of a mobile application. The discovery report lists:

  • Third-party domains, frameworks, and SDKs attached with company metadata and the Privacy Sensitivity Score from the proprietary TRUSTe Vendor Database
  • The data collected
  • Which third party is collecting data and/or what data the third party is collecting
  • What data is stored on the device
  • Any insecure transmissions (those that are unencrypted or that use misconfigured encryption)
  • The permissions an app is requesting

With this information, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.
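The check described above, in code: an added example (not TRUSTe’s tooling) that takes a constructed Android manifest and a constructed list of endpoints observed in traffic, then flags sensitive permissions the app’s stated purpose does not justify, third-party domains, and unencrypted transmissions. The sample app, domains and the permission-to-data mapping are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest (not a real app): a flashlight app that asks for
# far more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample of endpoints seen in a traffic capture of the same app.
SAMPLE_ENDPOINTS = [
    "https://api.example.com/v1/session",
    "http://ads.example-tracker.net/collect?adid=abc123",
    "https://analytics.example-metrics.io/event",
]
FIRST_PARTY_DOMAINS = {"example.com"}  # assumed: the company's own domains

# Illustrative subset: permission -> category of personal data it unlocks.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "sms",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def requested_permissions(manifest_xml):
    """Return every android:name of a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NAME) for p in root.iter("uses-permission")]


def assess(manifest_xml, endpoints, first_party, purpose_needs):
    """Build the three discovery-report items; purpose_needs lists the data
    categories the app's stated purpose actually requires."""
    unjustified = sorted(p for p in requested_permissions(manifest_xml)
                         if p in SENSITIVE_PERMISSIONS
                         and SENSITIVE_PERMISSIONS[p] not in purpose_needs)
    third_party, insecure = set(), []
    for url in endpoints:
        u = urlparse(url)
        host = u.hostname or ""
        if not any(host == d or host.endswith("." + d) for d in first_party):
            third_party.add(host)
        if u.scheme != "https":  # plaintext transport = insecure transmission
            insecure.append(url)
    return {"unjustified_permissions": unjustified,
            "third_party_domains": sorted(third_party),
            "insecure_transmissions": insecure}
```

For the sample app, `assess(SAMPLE_MANIFEST, SAMPLE_ENDPOINTS, FIRST_PARTY_DOMAINS, {"camera"})` keeps CAMERA (a flashlight needs it) but flags location and contacts, both tracker domains, and the one plain-HTTP call.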

In addition, TRUSTe offers a mobile assessment premium service that provides manual technical analysis to generate an even more detailed report. This identifies any areas in the mobile application that pose privacy risks and provides intelligent remediation recommendations. TRUSTe can also compare the mobile app findings against applicable regulations to highlight any noncompliance risks.

To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk scanning and assessment solutions. To learn more about these new TRUSTe scanning offerings, contact hhuang@truste.com.
