Irene Tham reports:
Ninety per cent of mobile apps in Singapore do not adequately declare what consumer data is collected or how it is used, potentially falling foul of Singapore’s Personal Data Protection Act (PDPA).
Yet, more than half of the mobile apps that people download seek access to swathes of sensitive information, such as users’ online and social media identities and location.
This comes from an inaugural study of the privacy policies of 113 popular apps from the Singapore Google Play store. The sample comprises taxi apps as well as those from banks, telcos, real estate agents and financial advisers.
Read more on The Straits Times.
From the press release issued by Straits Interactive:
Key Highlights of the Findings
Straits Interactive looked at the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it. The findings showed that:
- More than 89% of the apps request more than 1 permission compared to the global average of 75% (67% of these applications request more than five permissions)
- 58% of apps had excessive permissions based on the sweeper’s understanding of the app’s functionality
- 18% of the apps had no data protection policy or information, other than permissions
- 55% of the apps did not have adequate privacy information as the sweeper did not know how information would be collected, used and disclosed
- In terms of permissions, many of the apps surveyed require potentially sensitive information such as location information – 70% (compared to 32% global average); 29% request permission to access the camera and 52% the device ID.
Further analysis of mobile apps code
To drill down further into the security and privacy loopholes, Appknox did a code analysis of the apps concerned, covering basic coding practices, data flow and metrics which include OWASP or Open Web Application Security Project configurations. The top three risks discovered were:
- 69% – Remote Code Execution through JavaScript Interface (where a remote attacker can execute malicious code, extract all user data or load malware on the device)
- 61% – Broken TrustManager for SSL (a TrustManager is what the system uses to validate security certificates from the server)
- 52% – Derived crypto keys (weak encryption technique)
Unfortunately, the full survey is not free, but can be ordered “for a nominal fee.” See their press release.
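To make the second Appknox finding concrete, here is an added illustration (not code from the report, Straits Interactive or Appknox) of what a "broken TrustManager" looks like in an Android app beside the safe alternative; the class and method names are my own.

```java
// Added example: a TrustManager that accepts every certificate versus
// relying on the platform's default validation. Not from the report.
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // VULNERABLE: the validation callbacks are empty, so any certificate chain
    // is accepted. An on-path party with a self-signed certificate can then
    // read and modify traffic that the app believes is protected by TLS.
    static final TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { /* no checks at all */ }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { /* no checks at all */ }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // The pattern the code analysis flags: a custom SSLContext initialised with
    // the all-trusting manager and installed on the connection.
    static HttpsURLConnection brokenConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null); // validation disabled
        HttpsURLConnection c = (HttpsURLConnection) url.openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        return c;
    }

    // FIXED: install no custom TrustManager. HttpsURLConnection then validates
    // the server chain against the platform trust store and verifies the
    // hostname by default, which is what the "broken" version throws away.
    static HttpsURLConnection safeConnection(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

When reviewing an app's source, an `X509TrustManager` whose `checkServerTrusted` neither validates nor throws, or a `HostnameVerifier` that always returns true, is the defect this finding describes.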