Application Security

Comment: New Mobile App Privacy Report

The Information Commissioner’s Office (ICO) and Global Privacy Enforcement Network (GPEN) have released a damning report on mobile app privacy (or lack thereof). Reviewing the privacy of 1,200 mobile apps, assessed by 26 privacy regulators across the world, the report highlights the vulnerability of personal and corporate data residing on, and being accessed through, mobile devices. A key finding was that one in three apps requested an ‘excessive’ number of permissions to access personal information and 85% failed to explain how they were collecting, using and disclosing personal information.  Users were also unable to find basic privacy information on 59% of apps, perhaps unsurprising when 30% of apps provided absolutely no privacy policy information whatsoever.


These are worrying statistics that should concern anyone who uses mobile apps, which today is just about everyone. The same is true for businesses, where the consequences of privacy failings can be even greater than for personal use.


It is almost impossible to overstate our dependence on mobile devices, which are among the most frequently used and relied-upon tools in the corporate environment. Today's employees use mobile applications for a variety of personal and corporate tasks, and few would take issue with that. Problems arise when employees do so without the knowledge of the IT department, whose technical expertise and guidance should act as a safety net. With this latest report from the ICO exposing the privacy failings of so many apps, both individual and company data could face considerable security risk. Worse, many of the activities that compromise privacy may be perfectly legal: an app that requests, and is granted, access to contacts and location is operating within the rules, even if nobody at the company intended that data to leave its devices.


What's more, lax password practices, with employees reusing the same password across their personal and corporate lives, multiply the security threat. Skyhigh's research indicates that more than 80% of enterprises have this kind of password problem, and other studies have found that around 30% of users typically reuse passwords.


Once the credentials for one mobile app have been compromised, a domino effect follows across every other mobile and cloud service where the same password has been used. Attackers may, for example, try the stolen username and password against the enterprise VPN or corporate mail. Even where the user has not reused the password exactly, a close variant of a known password gives the attacker a far better chance of guessing the right one than starting from nothing. This can prove extremely costly for enterprises, as vast amounts of confidential company information are suddenly up for the taking.
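The "domino effect" described above has a recognisable signature on the services the stolen credentials are replayed against: one source address failing against many distinct accounts in a short window, followed by a success for the account whose owner reused the password. The following is an added example, not code from the original article or from Skyhigh's products, that runs that detection over a handful of constructed VPN authentication log lines. The log format (`<timestamp> vpn auth <ok|fail> user=<name> src=<ip>`), the addresses and the account names are all made up for illustration; adapt the regular expression to whatever your VPN or mail gateway actually emits.

```python
"""Flag credential-stuffing sources in VPN auth logs and list the accounts they got into."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, fictional users and RFC 5737 addresses).
# 198.51.100.4 is a legitimate user mistyping a password; 203.0.113.7 replays one
# password list against six accounts and gets in as 'erin'; 192.0.2.9 stays under threshold.
LOG_LINES = [
    "2014-09-10T08:00:05 vpn auth fail user=bob src=198.51.100.4",
    "2014-09-10T08:00:19 vpn auth fail user=bob src=198.51.100.4",
    "2014-09-10T08:00:41 vpn auth ok user=bob src=198.51.100.4",
    "2014-09-10T08:01:02 vpn auth fail user=alice src=203.0.113.7",
    "2014-09-10T08:01:09 vpn auth fail user=bob src=203.0.113.7",
    "2014-09-10T08:01:15 vpn auth fail user=carol src=203.0.113.7",
    "2014-09-10T08:01:22 vpn auth fail user=dave src=203.0.113.7",
    "2014-09-10T08:01:30 vpn auth fail user=erin src=203.0.113.7",
    "2014-09-10T08:01:37 vpn auth fail user=frank src=203.0.113.7",
    "2014-09-10T08:01:44 vpn auth ok user=erin src=203.0.113.7",
    "2014-09-10T08:05:00 vpn auth fail user=grace src=192.0.2.9",
    "2014-09-10T08:05:20 vpn auth fail user=heidi src=192.0.2.9",
    "2014-09-10T08:05:21 gateway heartbeat ok",  # unrelated line, must be skipped
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse(lines):
    """Turn matching log lines into dicts; silently skip lines that are not auth events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: distinct_accounts} for sources whose failures span at least
    min_users distinct accounts inside any sliding window of the given length.
    A single user failing repeatedly (a typo) never trips this, only breadth does."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside the window.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = {f["user"] for f in fails[start:end + 1]}
            if len(distinct) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that authenticated successfully from a flagged source: the reused
    (or closely guessed) passwords that let the domino fall."""
    return sorted({e["user"] for e in events
                   if e["result"] == "ok" and e["ip"] in flagged_ips})


def analyse(lines):
    """Parse the log, find stuffing sources, and name the accounts they got into."""
    events = parse(lines)
    flagged = stuffing_sources(events)
    return {"sources": flagged,
            "accounts_at_risk": compromised_accounts(events, flagged)}


if __name__ == "__main__":
    report = analyse(LOG_LINES)
    for ip, n in report["sources"].items():
        print(f"stuffing source {ip}: {n} distinct accounts tried")
    print("accounts to reset:", ", ".join(report["accounts_at_risk"]))
```

The threshold of five accounts in ten minutes is a starting point, not a rule: tune it against your own baseline of legitimate failures. The useful output is the second list, since those are the people whose reused or near-identical passwords have just been confirmed and whose corporate credentials need resetting before the attacker moves on to mail and cloud services.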


The answer to the password problem is simple in theory but difficult to enforce: get employees to use a different password for every service, and never to share a password between personal and corporate accounts.


Returning to the core issue of mobile application security, the solution is more complex. To mitigate the risk of less secure mobile apps creeping into the corporate network and holding the door open for attackers, businesses must have a handle on which mobile and cloud services are actually in use. Only by knowing how far corporate information reaches can a business adequately secure it. The bottom line is that not all applications and services are created equal in terms of privacy, and businesses must strike a balance between the flexibility and collaboration gains of these services and the integrity of sensitive enterprise data.



Charlie Howe is EMEA director at Skyhigh Networks


IDG Connect