Mobile App Companies Violate Customer Privacy by Gathering User Data

Mobile app companies have the capacity to gather a whole host of user information, including email addresses and data about other apps users have downloaded. Users must be wary of these capabilities, and take precautions against downloading apps that could abuse this power.
By far the most common precaution that smartphone owners take when purchasing mobile apps is buying them from a reputable source. The Apple (NASDAQ:AAPL) App Store has earned a reputation for creating a discerning space for mobile applications.

App Store’s rigorous vetting process protects end users

The App Store does not sell every app created. Rather, Apple has a vested interest in protecting its customers by limiting the apps available in the store to those that adhere to its privacy policy.
Historically, this approach has paid off for the App Store. For instance, apps available in the App Store are rarely affected by malware attacks. For the sake of comparison, 96 percent of malware attacks (which totaled 390,000 unique samples in the first three quarters of 2014) targeted Android devices, which typically download apps from the Google (NASDAQ:GOOGL) Play store.

Misleading reputation?

However, this reputation for being the safer store may be misleading. Researchers have discovered over 250 iOS apps that are in violation of Apple’s privacy policy, which bans the collection of email addresses, serial numbers and other personal identification information. According to Ars Technica, that represents a serious invasion of privacy to the 1 million people estimated to have downloaded these apps.
Nate Lawson, founder of security analytics startup SourceDNA, told the publication, “[t]his is the first time we’ve found apps live in the App Store that are violating user privacy by pulling data from private APIs. This is actually an obfuscated toolkit for extracting as much private information as it can. It’s definitely the kind of stuff that Apple should have caught.”

Are mobile app companies at fault?

It could be that mobile app companies don’t even know that their apps are collecting this information. That’s because the data being culled is sent only to the creator of the software development kit used to deliver the ads within these apps. The advertising company behind these apps is China-based Youmi. The majority of the 250-plus apps using this advertising tool kit are also Chinese, including the official McDonald’s (NYSE:MCD) app for Chinese speakers.
The information being gathered by these apps falls into four major categories: a list of apps downloaded onto the phone, the platform serial number of the iPhone or iPad (if it’s being run on an older version of iOS), a list of hardware components of devices running on the newer iOS and Apple ID email addresses.
With that in mind, it is important to note that the mobile app companies affected aren’t specifically at fault in this situation. It is the advertising company that has abused its privileged position in order to gather personal data. It remains to be seen how Apple will react — based on precedent, it’s likely that it will either remove the ads or speak to the mobile app companies directly about adopting an updated advertising system. However, for consumers this is a timely reminder that personal data is vulnerable in the world of mobile applications.
 
Securities Disclosure: I, Morag McGreevey, hold no direct investment interest in any company mentioned in this article.