Mobile apps represent latest security hole

Online music app Pandora’s disclosure earlier this month that it had been subpoenaed in an inquiry into possible improper sharing of user data has, excuse the pun, opened a pandora’s box.

Pandora disclosed the subpoena as part of an SEC filing. According to the Wall Street Journal, which broke the story:

…the criminal investigation is examining whether the app makers fully described to users the types of data they collected and why they needed the information—such as a user's location or a unique identifier for the phone—the person familiar with the matter said. Collecting information about a user without proper notice or authorization could violate a federal computer-fraud law.

Every time a user installs a mobile app, he or she grants the application access to a wide array of system resources, APIs and user data. The question is: are app makers properly handling such disclosures, and if they are not, could they be violating federal privacy laws?

The Pandora disclosure seems to have provided an incentive for others to take a peek into mobile app security. For instance, blog Android Police has reported Skype for Android improperly exposes a user’s name, phone number, chat log and more, a vulnerability Skype verified.

What’s the takeaway here? Mobile apps are still in their infancy, and their current permissions systems all too often make a user comfortable with just clicking “yes” to all access requests on install. After all, what’s the alternative, not using the app at all?

That model, exacerbated by the sheer data available in mobile environments – personal data, location information, financial info and more – means that mobile apps will likely coming under more scrutiny until security and privacy concerns are more fully addressed.