Researchers Find Hundreds of Apps Secretly Capture User Data

October 26, 2015

Researchers recently reported that more than 250 apps currently distributed through the Apple App Store secretly transmit information about individual users and their devices to other parties.  This data collection apparently takes place without the knowledge of the apps' developers, Apple, or the individual app users.  The secret data collection is inconsistent with Apple’s policies for the apps it distributes.  It also raises important legal and public policy concerns.

Developers often rely on computer code created by other parties when they develop their apps.  They commonly integrate that third-party code into their apps.  This third-party code is frequently provided to developers in software “kits” which they embed in their own apps.  The developers are not necessarily aware of all of the capabilities and operations of the third-party code they use.

Researchers examining currently available apps discovered that many of those apps contain third-party code that collects information about users and their devices, and transmits that data to other parties, including advertisers.  Data collected reportedly includes user email addresses, serial numbers of the smartphone or other device used and of some of its components, and an inventory of apps loaded on the device.

If the apps are collecting and transmitting this information, they are apparently in violation of Apple App Store privacy and security policies.  Additionally, the secret collection of user information described by the researchers could be in violation of U.S. Federal Trade Commission and state law privacy protection requirements.

This situation raises important questions regarding responsibility for the operations of apps and their components.  It seems that responsibility for app operations is shared by the developers, distributors, and users.  All of those parties must participate in the efforts to police app operations.

App developers must exercise greater caution with regard to use of third-party code in their apps.  At a minimum, they should develop a clear understanding of the operations and functional capabilities of the software kits they integrate into their apps.  They should use greater care in their selection of software kits, and they should be particularly mindful of privacy and security concerns.

App distributors, including Apple, should also enhance their app review and oversight activities.  In particular, they should direct greater attention to apps that incorporate third-party code.  It seems that embedded third-party code presents a special threat to app user security and privacy.

Finally, app users should play a more active and informed role in app management.  They should try to be informed consumers with regard to the functional capabilities and operations of the apps they use.  They should direct their attention both to the apps that they download and to those that are pre-installed on the devices they use.  Although it is admittedly difficult for end users to be fully versed in the capabilities of all of the apps they use, consumers should make a deliberate effort to monitor their apps.

Embedded code provided by third parties presents an important security and privacy challenge for apps and for a wide range of other software products.  It is increasingly important that all software developers, distributors, and users recognize the significance of effective embedded code management and take reasonable steps to monitor and control embedded code use.