Privacy and Security in Mobile App Development: Tips to Creating Better Apps
Following the highly-publicised ban of TikTok on government devices, Australians are starting to pay more attention to the privacy and security risks that come with mobile applications. For companies with (or thinking about developing) an app, this means there’s more focus and scrutiny on app privacy than in the past – and more opportunity to leverage privacy as a competitive advantage.
Here’s how:
Tips for Better Privacy and Security in Mobile App Development
Embed Privacy into your Mobile App’s UX/UI Design.
Embedding privacy-centric user experience (UX) and user interface (UI) design principles into your mobile app can help to enhance user trust and safeguard their personal data. Here are some examples showing how you can achieve it:
- Transparent Data Handling Details: Make it clear to users how their data will be collected, used, and shared, including ensuring that privacy policies are easily legible on smaller device screens.
- Adopt Granular Permissions: Don’t make data privacy and data collection an all-or-nothing question. Instead, adopt granular permissions that allow users to choose what they would like to consent to and what they’d prefer not to share.
- Make Consent Management Simple: It’s a better practice to allow users to easily toggle between consent options and to allow them to revoke consents and permissions at any point. This should be reflected in your design.
- Avoid dark patterns.
It’s important that your mobile app’s privacy and security measures are user-friendly, convenient, not too time intensive, and that they don’t impact the performance of other apps (if possible).
We saw some backlash in Singapore recently from customers who were upset with a new security measure introduced in a banking app. The app would not work if the phone had potentially risky mobile apps downloaded to it. The bank believed that this measure would help to protect its users’ financial data and passwords – and the measure was applauded by the industry regulator (the Monetary Authority of Singapore). The app’s users, however, expressed frustration with the measure. So, the ultimate impact on the human using the app is something to consider.
Introduce Privacy by Design Before Development Starts.
Privacy by Design, a privacy-centred approach to systems engineering, is most effective when it is introduced at the earliest possible stage. This means privacy (and privacy by design) should ideally be introduced at the conception stage – starting with an assessment of potential privacy risks and likely data flows through the app.
With the privacy risks and data flows in mind, you can compile some clear privacy goals and principles before development. This allows the app to be designed with these privacy principles in mind – resulting in better privacy and (oftentimes) innovation and improved app performance.
This also helps to prevent situations where apps use overprivileged access to collect data that is clearly not needed – which can hurt customer loyalty. Overprivileged access is any kind of access sought that is not required to perform the function of the app. Examples of what overprivileged access looks like in mobile applications:
- Flashlight apps that record audio and video.
- Photo editing apps that request access to the phone’s contacts.
- Recipe apps seeking access to a person’s location all the time.
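One way to catch overprivileged access before release is to compare the permissions an Android manifest requests with the permissions each app feature has been recorded as needing. The script below is an added example, not code from the original article; the sample manifest, the package name and the `FEATURE_PERMISSIONS` register are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a flashlight app that also asks for the microphone,
# the contact list and background location.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission
      android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""

# Assumption: the team keeps a register, written at design time, of which
# permissions each app feature actually needs.
FEATURE_PERMISSIONS = {
    "torch": {"android.permission.CAMERA"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml, feature_permissions):
    """Return requested permissions that no recorded feature justifies."""
    justified = set().union(*feature_permissions.values())
    return sorted(requested_permissions(manifest_xml) - justified)


if __name__ == "__main__":
    for permission in audit(SAMPLE_MANIFEST, FEATURE_PERMISSIONS):
        print("not tied to any feature:", permission)
```

Run as a build step, a non-empty result means a permission was added without a matching entry in the feature register.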
Carefully Consider the Risk of Collecting Biometrics.
We’re seeing more and more apps using biometric authentication – and we aren’t surprised. Biometrics offer a convenient and secure method for authentication on a mobile app. However, biometrics do come with a suite of significant risks that we aren’t sure developers are always paying adequate attention to. This is particularly true if you intend to store biometric information or if your app is likely to be used by children.
We aren’t saying that biometrics should never be used as an authentication tool on mobile applications. However, developers should pay careful attention to the risks and weigh them against the alternatives, which include:
- Multi-factor authentication options (like SMS verification or authentication apps).
- Password managers.
- Token-based systems.
Biometric authentication should only be adopted in mobile apps where it is warranted – for instance, to secure high-risk transactions or to access or share sensitive data. And you need to think about your obligations to get consent (biometric data is sensitive data) and provide notice.
Be Aware of the Risks of Third-Party Software Development Kits.
Third-party software development kits (SDKs) make life much easier for developers by providing ready-made code, APIs, and documentation that help avoid reinventing the wheel on certain app functionality (such as adding advanced features like social media integration, advertising capabilities, augmented reality, and machine learning). However, as with any third-party supplier, app developers should carefully vet the third party (and the SDK itself) to minimise privacy and security risk.
Developers should also consider blocking any updates to the SDK they rely on until the code has been rechecked and analysed. And those hiring web developers to create an app should consider embedding contractual provisions that require the developer (or whoever will maintain your app) to do this.
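Blocking SDK updates until they have been rechecked can be enforced in the build by pinning each SDK to the version and file hash that was reviewed. The gate below is an added example, not code from the original article; the SDK coordinate, the version numbers and the artifact bytes are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for SDK artifacts (real ones would be .aar/.jar files).
REVIEWED_BUILD = b"analytics-sdk 4.2.0 as reviewed"
REPUBLISHED_BUILD = b"analytics-sdk 4.2.0 republished with changes"

# Assumption: a checked-in record of what was reviewed, changed only by
# whoever signs off on the SDK review.
REVIEWED_PINS = {
    "com.example:analytics-sdk": {
        "version": "4.2.0",
        "sha256": hashlib.sha256(REVIEWED_BUILD).hexdigest(),
    },
}


def check_sdk(coordinate, version, artifact_bytes, pins=REVIEWED_PINS):
    """Return 'ok' only if this exact SDK build has been reviewed."""
    pin = pins.get(coordinate)
    if pin is None:
        return "blocked: SDK has never been reviewed"
    if version != pin["version"]:
        return "blocked: version %s is not the reviewed %s" % (
            version, pin["version"])
    # Same version number, different bytes: the artifact changed after review.
    if hashlib.sha256(artifact_bytes).hexdigest() != pin["sha256"]:
        return "blocked: artifact differs from the reviewed build"
    return "ok"


if __name__ == "__main__":
    sdk = "com.example:analytics-sdk"
    print(check_sdk(sdk, "4.2.0", REVIEWED_BUILD))
    print(check_sdk(sdk, "4.3.0", b"analytics-sdk 4.3.0"))
    print(check_sdk(sdk, "4.2.0", REPUBLISHED_BUILD))
```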
Mobile App Privacy and Security with Privacy 108
Privacy 108’s team of privacy and security professionals would be thrilled to assist you with your app development. If you’d like to develop or improve your organisation’s mobile app privacy or security, reach out.