By now, we’ve had it beaten into our heads that our phones and tablets are home to a wealth of personal info that can come back to haunt us. Sometimes we share it ourselves. But other times our mobile apps do it to us, by collecting, collating, selling, and sometimes broadcasting our activities and personal information. If there’s anything recent data breaches have taught us, it’s that once personal data gets out there, it can make us vulnerable forever.
According to Appthority’s latest App Reputation Report (registration required), sketchy apps aren’t the only problem. The report found that 83 percent of the top 100 paid and top 100 free apps on Android, and 91 percent on iOS, had at least one risky behavior. With that in mind, here are seven broad ways many apps can compromise your privacy.
1. Unencrypted data
Probably the riskiest thing an app can do is collect data about you – your name, email address, phone number, home address, credit card info, and what-have-you – and just leave it unencrypted, wide open for anyone to see – a problem Facebook’s precious new WhatsApp had some years ago.
What can you do? Unless you have both the expertise and the time to monitor your apps’ data transmission and storage (few people do), there’s almost no way to determine if an app is adequately securing the data it saves or transmits. Reassuring, huh?
2. Location, location, location
Some apps need to know your location, like a mapping app trying to give you directions. But does a free game or a recipes app need to know your location? Probably not. To advertisers, your location is one of the most valuable things on your phone, so many apps grab it solely to pass along to advertisers. Some people are comfortable with that; other people aren’t. Either way, users have no idea how developers and ad networks are using, profiling, sharing, and selling that location data.
What can you do? In both iOS and Android, apps that want your location must get your permission via a pop-up. Unfortunately, it’s usually an all-or-nothing decision: agree, or don’t use the app.
3. Ads, ads, ads
How can ads be risky? The most obvious way is the detailed profiles advertisers build up on individuals – profiles that often follow us from place to place and device to device. Who knows how that information is being used, sold, and traded?
What can you do? Obviously, you can use only apps without advertising – those usually cost money. Also, iOS 7 users can turn on “Limit Ad Tracking” and tap “Reset Advertising Identifier” in Settings > Privacy > Advertising – it’s like telling ad networks you’re a brand new person. There are no real equivalents for Android: Google doesn’t even allow ad-blockers in Google Play. It’s also a good idea to block third-party and advertising cookies in your mobile browser settings.
4. Single sign-on
Do you use your Twitter, Facebook, or Google+ account to sign in to apps and sites? Single sign-on makes it easier to share, like, and +1 good content, but if your social media account is compromised (it happens), all those sites and apps are vulnerable too. Moreover, sites and apps can implement single sign-on badly, giving attackers an opportunity to take over accounts. (That happens too.)
What can you do? Single sign-on is convenient, but risky. If you’re going to use it, we recommend only doing so with apps or sites where you have a high degree of trust.
5. Address books and calendars
Like location, calendars and address books are a goldmine for advertisers. So lots of apps want to access your contacts and calendars whether they need them or not, purely to analyze that info and share or sell it to advertisers. Consider that Appthority found 22 percent of the top 100 paid apps access the address book, but 31 percent of free apps do the same thing. And as mentioned, even if you don’t care about advertisers knowing your particulars, not all apps or ad networks handle the information safely.
What can you do? Access to calendars and address books is an app permission. In iOS 6 and higher you can try revoking it in Settings > Privacy. Unfortunately, there’s no built-in way for Android users to control permissions once an app is installed: if you don’t think an app needs your contacts and calendars, don’t give it permission.
6. In-app purchases
Many apps – especially games – are available for free, but make money via in-app purchases that add features, content, or help you level up faster. The risk of in-app purchases is obvious: it’s your money! The Internet is replete with tales of children racking up enormous bills by in-app purchases in games (Apple just settled with the FTC for $32.5 million over this very problem). Even some adults are guilty of going nuts with in-app purchases.
What can you do? In-app purchases can be turned off in iOS (you can find the setting in Settings > General > Restrictions, “Enable Restrictions”). Android is trickier, but you can set a PIN to confirm in-app purchases in the settings for the Google Play app: find User Controls and set a PIN.
7. Unique Identifiers
One of the ways advertisers and others have tracked mobile users is with unique device identifiers (UDIDs): numbers that are unique to a particular device. Since most mobile devices are used nearly exclusively by one person, UDIDs became a great way to track people: combine that with location data, and it’s an advertiser’s paradise. And if those UDIDs are compromised (it happens) or mismanaged (that happens too), there’s no way to change them.
What can you do? With iOS 7, Apple requires that apps use another number (IDFA, or ID for Advertisers) to track users. iOS users can change it anytime in Settings > Privacy > Advertising to make advertisers lose track of a device. (Of course, they’ll just start tracking you again.) Apple is also reportedly cracking down on apps that use IDFA for any purpose other than serving ads. Google is trying something similar with Google AdID, but the diversity of the Android ecosystem makes things complicated. Bottom line: performing a factory reset of a device might change its UDID.
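To make the difference between a permanent UDID and a resettable IDFA concrete, here is an added Python example (not from the article, Apple, or Google) that simulates an ad network building profiles from app events keyed on either identifier; the device values and usage events are constructed for illustration.

```python
"""Added example: an ad network joins every event it sees on whatever
identifier the app hands it. A UDID never changes, so all events link
into one profile; a user-reset IDFA splits the history into two profiles
that the network cannot re-join from the identifier alone."""
from collections import defaultdict
from dataclasses import dataclass, field
import secrets


@dataclass
class Device:
    udid: str                                   # fixed for the life of the device
    idfa: str = field(default_factory=lambda: secrets.token_hex(8))

    def reset_advertising_identifier(self) -> None:
        # Models Settings > Privacy > Advertising > Reset Advertising Identifier
        self.idfa = secrets.token_hex(8)


def build_profiles(events):
    """Ad-network side: group (identifier, app, location) events by identifier."""
    profiles = defaultdict(list)
    for ident, app, location in events:
        profiles[ident].append((app, location))
    return dict(profiles)


def simulate(identifier_kind: str):
    """Replay one constructed usage history through a network keyed on
    'udid' or 'idfa', with the user resetting the IDFA halfway through.
    Returns the profiles the network ends up holding."""
    dev = Device(udid="CONSTRUCTED-UDID-0001")   # constructed placeholder value
    before = [("recipes", "home"), ("game", "work")]
    after = [("maps", "clinic"), ("game", "home")]
    events = [(getattr(dev, identifier_kind), a, l) for a, l in before]
    dev.reset_advertising_identifier()
    events += [(getattr(dev, identifier_kind), a, l) for a, l in after]
    return build_profiles(events)


if __name__ == "__main__":
    for kind in ("udid", "idfa"):
        profiles = simulate(kind)
        print(f"{kind}: {len(profiles)} profile(s), "
              f"events per profile {[len(v) for v in profiles.values()]}")
```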
Awareness is the best defense
Most of us have clicked through permissions popups while installing an app thinking “Yeah, whatever, I’m sure it’s fine, just get on with it already!” And it’s understandable. But it’s important to remember that even the most innocuous-seeming apps can carry risks.
The best defense is awareness and diligence. Make a habit of scanning the permissions used by your apps and deciding whether they make sense. If they seem intrusive, sometimes moving from a free to a paid app can solve the problem. If an app makes you uncomfortable, remove it. And if an app promising pictures of cats with funny captions demands location data … well, maybe you don’t need that app at all.