Modern mobile platforms host a wide range of personal and sensitive information about the user that can reveal that user’s identity, social interactions and even the locations they have visited. Because of the sensitivity of this data, the Android operating system guards access to sensitive resources behind a permission model: an application must declare each permission it needs, and the user must grant it before the app can use the protected resource.
The set of permissions that Android apps request may be necessary for them to work properly. For instance, a map app wouldn’t be nearly as useful if it couldn’t use GPS data to get a location. However, this state of affairs has also given malicious actors the capacity to harvest personal data at scale without user awareness and consent.
An application developer that does not manage sensitive data carefully can seriously harm a user’s privacy as well as potentially run afoul of various data protection laws, including GDPR. Therefore, it is important for developers to follow the “privacy by design” principle. This goal can be achieved by avoiding the collection of any unnecessary personal data beyond what’s required to deliver a service to the end-user. However, as demonstrated by the research community in the last few years [1-4], a significant fraction of privacy violations has been caused by a myriad of third-party libraries embedded in mobile apps by the developer.
What is a third-party library?
As on the web, developers can leverage and integrate thousands of third-party libraries (or SDKs) in their apps. These libraries let the developer track user behaviour, improve user engagement and retention, connect with social media and earn money by displaying ads, among other features, without having to implement any of it themselves.
However, besides the features they provide, most third-party libraries also collect sensitive data and send it to their own servers, or to another company altogether, to profile mobile users. They do not need permissions of their own: library code runs inside the host app’s process, so it inherits every permission the user granted to the app and can read the same identifiers, location and contacts as the app itself. Most users never learn about these practices, because the platform does not require developers to disclose which libraries they embed. Only very few apps, typically those developed by large companies that must comply with GDPR, publish their privacy policies, and when they do it is usually as long legal documents that a regular person will not read, much less understand. Being transparent will earn users’ trust while helping them understand which organisations collect their personal data and for what purpose.
If you are a small company planning to release a mobile app for your business, you should know that under GDPR the app developer, as the data controller, is liable for privacy violations committed by embedded third-party software. It is therefore important to fully understand what these libraries do before integrating them into your software.
A few recommendations to make your Android app GDPR compliant.
Below, we list a number of recommendations that any privacy-aware application developer should follow to comply with GDPR (and the majority of privacy regulations worldwide).
Many of these recommendations tackle common errors found during our research efforts to study the privacy damage of mobile Android applications:
- Familiarize yourself with the high-level requirements and provisions of GDPR. There are a myriad of online resources that offer valuable information to understand this revolutionary privacy regulation and guidelines, including Google’s Android documentation and our own SMOOTH GDPR guidelines.
- Read Google’s privacy and security requirements for Android apps, their recommendations to obtain consent from European users, and their best practices for collection and handling of unique identifiers in Android apps.
- Think how your organization ensures user transparency and control around personal data use. GDPR requires your organization to provide the right systems to record user privacy preferences and consent, and to demonstrate to regulators and partners that you are an accountable organization.
- Minimize the collection of personal and sensitive data from your users by following the principles of Privacy by Design. If your app does not need certain data to function, collecting it becomes a liability: you are now responsible for storing and transmitting it securely, and for answering for it to regulators.
- Honor the Android “Opt out of Ads Personalization” setting (the counterpart of iOS’s “Limit Ad Tracking”, exposed to apps through the Advertising ID client as the limit-ad-tracking flag): when the user has opted out, do not collect any persistent identifier at all.
- Avoid persistent identifiers linked to hardware wherever possible. Hardware identifiers such as the IMEI, the Wi-Fi MAC address or the device serial number survive app reinstalls (and, for the IMEI, factory resets), so they must not be collected or sent to third parties such as advertisers without user consent. Other persistent identifiers, such as the Google Services Framework ID or the Android ID, should likewise not be used for tracking or advertising purposes.
- Use the Advertising ID, and only the Advertising ID, for advertising and user-profiling use cases. This resettable identifier exists precisely to balance user privacy with developers’ analytics and advertising needs. Transmitting it for other purposes, or alongside other persistent identifiers or private user data, lets the recipient re-link the user across resets and eliminates its privacy protection; doing so also violates Google Play’s developer policies on the Advertising ID.
- Be transparent: Offer a privacy policy that clearly explains to non-technical users how personal data will be collected and for what purposes. This includes reporting whether sensitive data is shared with any third-party organizations, such as advertising and tracking services, crash reporting services, or SDKs for social network integration.
- List the privacy policy in the designated field in your app’s Google Play profile, so that potential users can review it before downloading the app. When providing a terms of service agreement or privacy policy when your app is first started, make sure to not transmit identifiers (or other sensitive user data) until the user has had the opportunity to read and/or agree to your policy, and give consent.
- Carefully review the data collection policies of third-party advertising and analytics services. As the app developer, you are liable for any privacy violation inflicted by embedded third-party software. Verify that these services do not collect personal data beyond what is needed (e.g., no personally identifiable information or location data) and that they obtain user consent before collecting anything. Be wary of third parties promising unusually high monetary returns; the revenue is often paid for with your users’ data.
- Handle personal data securely in transit. Personal and sensitive data uploaded without encryption can be read and manipulated by in-path observers (i.e., any computer between your users and your servers), compromising both privacy and data integrity, especially in countries with mass surveillance or when users connect through untrusted public networks. Use HTTPS (TLS) [5] for every privacy-sensitive transaction, do not disable certificate validation to work around test or self-signed certificates, and avoid third-party libraries that do not support encrypted transport.
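The identifier recommendations above reduce to a single rule in code: an ad or analytics request may carry the Advertising ID, nothing else, and only after consent and only if the user has not opted out. The following Java class is an added example written for this article, not code from the original page or from the SMOOTH project. It assumes the Google Play services ads-identifier library (play-services-ads-identifier) is on the classpath; the preference file and key names are hypothetical, standing in for whatever your own consent screen stores. The deliberately wrong badTrackingKey() is kept beside the correct adIdForRequest() to show what the “persistent identifier” problem looks like in code.

```java
// Added example, not code from the original article or the SMOOTH project.
// Assumes play-services-ads-identifier; preference names are hypothetical.
import android.content.Context;
import android.content.SharedPreferences;
import android.provider.Settings;
import android.telephony.TelephonyManager;
import com.google.android.gms.ads.identifier.AdvertisingIdClient;
import com.google.android.gms.common.GooglePlayServicesNotAvailableException;
import com.google.android.gms.common.GooglePlayServicesRepairableException;
import java.io.IOException;

public final class IdentifierPolicy {
    private static final String PREFS = "privacy_prefs";      // hypothetical file name
    private static final String KEY_CONSENT = "ads_consent";  // hypothetical key name

    private IdentifierPolicy() {}

    // Called by the app's own consent screen once the user has read the policy
    // and made a choice. Until this has been called with true, nothing
    // identifying leaves the device.
    public static void recordConsent(Context ctx, boolean granted) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putBoolean(KEY_CONSENT, granted).apply();
    }

    // WRONG: a tracking key built from non-resettable identifiers.
    // getDeviceId() returns the IMEI: it needs READ_PHONE_STATE, survives
    // reinstalls and factory resets, and since Android 10 throws
    // SecurityException for ordinary apps. ANDROID_ID persists until a factory
    // reset. Concatenating such values with the Advertising ID lets a recipient
    // re-link the user after every reset, which is exactly what the ID exists to prevent.
    @SuppressWarnings("deprecation")
    public static String badTrackingKey(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        String imei = tm.getDeviceId();
        String androidId = Settings.Secure.getString(ctx.getContentResolver(),
                                                     Settings.Secure.ANDROID_ID);
        return imei + "|" + androidId;
    }

    // RIGHT: the only identifier an ad or analytics request may carry, or null
    // when none may be sent. getAdvertisingIdInfo() blocks on IPC to Play
    // services, so call this from a background thread, never from the UI thread.
    public static String adIdForRequest(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        if (!prefs.getBoolean(KEY_CONSENT, false)) {
            return null; // no consent recorded yet: transmit nothing identifying
        }
        try {
            AdvertisingIdClient.Info info = AdvertisingIdClient.getAdvertisingIdInfo(ctx);
            if (info.isLimitAdTrackingEnabled()) {
                return null; // user opted out of ads personalization: no persistent ID at all
            }
            return info.getId(); // resettable Advertising ID; never combine with badTrackingKey()
        } catch (IOException | GooglePlayServicesNotAvailableException
                 | GooglePlayServicesRepairableException e) {
            return null; // no usable Play services: serve non-personalized ads instead
        }
    }
}
```

Two platform caveats apply to this pattern. Apps targeting Android 13 (API level 33) or later must declare the com.google.android.gms.permission.AD_ID permission in their manifest, otherwise getId() returns a string of zeros; and on recent Play services versions the same all-zeros value is returned once the user opts out, so code that treats any non-null ID as valid should also discard that value rather than send it.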
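For the transport recommendation, the safest approach is to fail closed at two layers: the platform configuration and the HTTP client. On the platform side, a network security config (res/xml/network_security_config.xml containing `<base-config cleartextTrafficPermitted="false" />`, referenced from the manifest via android:networkSecurityConfig) blocks cleartext for the whole app on Android 7.0 and later, and apps targeting Android 9 get that default anyway. The Java class below is an added example, not code from the original article or the SMOOTH project, and shows the client-side layer: it assumes OkHttp 3.12 or later on the classpath, and the upload URL and JSON payload are placeholders.

```java
// Added example, not code from the original article or the SMOOTH project.
// Assumes OkHttp 3.12+ (the same calls exist in 4.x; RequestBody.create(MediaType, String)
// is deprecated there but still present).
import java.io.IOException;
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

public final class SecureUploader {
    private static final MediaType JSON = MediaType.get("application/json; charset=utf-8");

    // WEAK: the default client ships with [MODERN_TLS, CLEARTEXT] connection specs,
    // so an http:// endpoint handed to it by a misconfigured SDK is sent in the clear.
    static final OkHttpClient WEAK = new OkHttpClient();

    // HARDENED: only TLS connection specs are allowed. Because ConnectionSpec.CLEARTEXT
    // is absent, OkHttp refuses any http:// URL with
    // "CLEARTEXT communication not enabled for client" instead of sending the data.
    static final OkHttpClient TLS_ONLY = new OkHttpClient.Builder()
            .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS))
            .build();

    private SecureUploader() {}

    // Belt and braces: refuse non-https URLs in our own code too, so the guarantee
    // does not depend on which HTTP library a future refactor swaps in.
    static void requireHttps(String url) {
        if (url == null || !url.regionMatches(true, 0, "https://", 0, 8)) {
            throw new IllegalArgumentException(
                    "refusing to send personal data over cleartext: " + url);
        }
    }

    // Uploads a JSON document containing personal data and returns the HTTP status.
    // Certificate validation is left at the platform default on purpose: do not install
    // a trust-all TrustManager or a hostname verifier that returns true to "fix" errors.
    static int upload(String url, String jsonBody) throws IOException {
        requireHttps(url);
        Request req = new Request.Builder()
                .url(url)
                .post(RequestBody.create(JSON, jsonBody))
                .build();
        try (Response resp = TLS_ONLY.newCall(req).execute()) {
            return resp.code();
        }
    }

    // Example call with placeholder values (hypothetical endpoint):
    //   int status = SecureUploader.upload("https://api.example.com/v1/events",
    //                                      "{\"event\":\"app_open\"}");
    //   SecureUploader.upload("http://api.example.com/v1/events", "{}"); // throws
}
```

Keep the network security config even when you use a TLS-only client: third-party SDKs create their own HTTP clients, and the config is the only control that also applies to code you did not write.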
Written by: Narseo Vallina-Rodriguez and Alvaro Feal, IMDEA Networks Institute
Related research efforts:
[1] Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman (July 2018)
“Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale. In: The 18th Privacy Enhancing Technologies Symposium (PETS 2018), 24–27 July 2018, Barcelona, Spain
http://eprints.networks.imdea.org/1795/1/Wont_Somebody_Think_Children_Examining_COPPA_Compliance_Scale_2018_EN.pdf
[2] Haoyu Wang, Zhe Liu, Narseo Vallina-Rodriguez, Yao Guo, Li Li, Juan Tapiador, Jingcun Cao, Guoai Xu (October 2018)
Beyond Google Play: A Large-Scale Comparative Study of Chinese Android App Markets. In: The 18th ACM Internet Measurement Conference (IMC 2018), 31 October – 2 November 2018, Boston, MA, USA
http://eprints.networks.imdea.org/1885/1/imc18-final148.pdf
[3] Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill (February 2018)
Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. In: The Network and Distributed System Security Symposium (NDSS 2018), 18–21 February 2018, San Diego, CA, USA
http://eprints.networks.imdea.org/1744/1/trackers.pdf
[4] Jingjing Ren, Martina Lindorfer, Daniel J. Dubois, Ashwin Rao, David Choffnes, Narseo Vallina-Rodriguez (February 2018)
Bug Fixes, Improvements, … and Privacy Leaks. In: The Network and Distributed System Security Symposium (NDSS 2018), 18–21 February 2018, San Diego, CA, USA
http://eprints.networks.imdea.org/1743/1/appversion_final.pdf
[5] Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, Phillipa Gill (December 2017)
Studying TLS Usage in Android Apps. In: The 13th International Conference on emerging Networking EXperiments and Technologies (ACM CoNEXT 2017), 12–15 December 2017, Seoul, South Korea
http://eprints.networks.imdea.org/id/eprint/1690
Other resources:
Lumen Privacy Monitor: https://play.google.com/store/apps/details?id=edu.berkeley.icsi.haystack
Haystack project: https://www.haystack.mobi
AppCensus: https://www.appcensus.mobi