Mobile and Application Security Leaders Weigh In on Apple's New Required Privacy Labels for Apps
Apple has finally begun the rollout of new labels about the privacy practices of apps for users to see before they are downloaded from its App Store.
Developers must now show what information they gather, listed in terms of what is taken to track users and what is linked directly to them. However, Apple said it was not seeking to change publishers' business models. Note that Apple has included its own apps in the new rule.
Two cyber and privacy experts weigh in on the latest news.
Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:
“The privacy changes in iOS 14 are part of an unstoppable trend to increase the protection of user privacy. However, this trend will not stop with tracking for advertisers. Developers that update their apps moving forward won’t have their apps approved unless they include this information. macOS 10.15 Catalina kicked everyone out of the kernel, a privilege that endpoint security providers had since the beginning of desktop operating systems. With this move, security vendors are now also limited in accessing user and system information, and must operate like any other app. Fighting this trend is like fighting the ocean tides; you can't. You have to adapt to the trend and innovate or die. Mobile security providers innovated when they couldn't have kernel access and I am sure advertisers will find a way to innovate as well.
iOS 14 puts additional focus on user privacy, and in particular gives users better visibility into their personal information that is shared with 3rd parties. Users are more in control of their personal information. They can now decide on an app-by-app basis which will have access to personal data. Previously, iOS users only had the choice between sharing all their information when using apps, or declining to share and not having access to apps. Now Apple has created levers for users to more easily pick and choose the developers with which they share personal information.
This requirement to disclose third-party data collection, and whether it’s used for tracking, will make it easier for users to understand how apps use personal data. This format will clearly disclose the data used to track users across their other apps and websites. It will also disclose how data, like financial information, will be linked to other accounts, devices, or identities. Like nutrition labels in real life, the goal is to create a common, easily understandable format for users to see how their personal data is collected and used by developers and their partners. It will make it easier for users to question whether free services from developers are worth the cost in terms of privacy and security of their own data.”
Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security:
“Typically, end users "trust" their mobile phones as well as the apps on their phones. However, these apps have unparalleled access to explicit, and more importantly, implicit user data.
The average application user is not savvy enough to understand technical feedback from applications. The details of the data that the app is capturing have to be communicated in a manner that the average user is able to comprehend and make decisions on how they want to use the app. In general, this move is a good one that will force the convergence of privacy and user experience. Moreover, if done right, end users will start trusting some apps over others. An app that tells me that “we track your current location only when you are using the app, but do not store your tracking information” will fare better at garnering trust than an app that tells me “tracks GPS coordinates”.
The challenge is going to be – how does the app developer now relay all this on the limited form-factor that a mobile phone offers and yet engage the end user?”