Mobile shopping apps raise privacy and security issues
Vague privacy policies give apps access you may not know about
By Sienna Kossman | Published: December 24, 2014
Shopping apps on your smartphone may lead you to the best grocery deals in town or make your morning coffee purchases a breeze. But they may also be accessing your phone's camera, microphone, text messaging and other seemingly unrelated systems, all while potentially collecting and storing information you're probably not aware of.
|MOBILE SHOPPING APPS:
HOW PRIVATE AND SECURE ARE THEY?
| • Shopping apps raise privacy, security issues
• 4 ways to check your apps' privacy, security
• Security check: Apple vs. Android
It's a problem for consumers who want to protect their data from intrusive marketers -- or cyberthieves. "The implications of this type of access to people's smartphone data/device data are great, especially since once an app vendor has received the data, you don't know who [ends up] with the data and what they do with it then," says Lee Tien, senior staff attorney for the Electronic Frontier Foundation. "You might see the first bits of data disappear around the corner but then you have no idea where they went after that."
Inspired by a Federal Trade Commission study that found many mobile shopping apps to be lacking in privacy and data security protection, CreditCards.com conducted its own investigation to find out what exactly some of the most popular shopping apps are doing once they are downloaded on a consumer's mobile device.
We selected a dozen of the most popular shopping, deal finder and coupon apps from the Google Play and Apple iTunes app stores: Wal-Mart, Cartwheel by Target, LivingSocial, Amazon, Zappos, Shopular, Etsy, Wish, Dunkin' Donuts, Groupon, Starbucks and RetailMeNot Coupons.
We found policies that give the apps permission to rummage through your phone and access wide-ranging functions:
- Dunkin' Donuts' policy gives it permission to send or edit SMS text messages through your mobile device.
- Zappos and Amazon can control your phone's flashlight capabilities.
- Eight apps' permissions include the ability to take pictures or record with your device.
- Eleven apps ask for permission to record and monitor a user's device location -- either precise, approximate or both.
In addition to these permissions, many apps use information-collecting cookies alongside the data already gathered from user-generated inputs or activities such as account setup or purchases. However, most apps did not provide clear information about how user information is stored and protected once collected.
Apps more invasive on Android devices
To find out what kind of user data each app collects and what else the mobile programs can do within a mobile device upon download, we looked at information in each app store, as well as company privacy policies and any prompts that appear before or immediately after downloading an app through both Google Play and the App Store.
Once an app vendor has received the data, you don't know who [ends up] with the data and what they do with it.
|-- Lee Tien
Electronic Frontier Foundation
Policies were both bloated and vague, requiring us to pore over reams of legalese, but we were still left us wondering why an app might need certain permissions.
Apps from Google Play ask for more permissions than those in the App Store, though that may partly be because of the way each discloses permissions. (For more information on the security of the two systems see, "Apple vs. Android: Which platform is more secure?") When you download an app from Google Play you are prompted upfront to accept all permissions, which may include access to any of the following categories: in-app purchases, device and app history, cellular data settings, identity, contacts/calendar, location, SMS, phone, photos/media/files, camera/microphone, Wi-Fi connection information, Bluetooth connection information, device ID and call information, and "other."
You're not allowed to pick and choose which permissions to allow on Google Play. It's either all or none. If you choose the latter, the app won't download.
Expanding each category reveals specific permissions, but not information about why they're needed. For example, our survey of the Google Play-based permission requests found:
- 11 of the 12 apps (all except Cartwheel by Target) request permission to control sleep settings to prevent the device from sleeping.
- Zappos requests the ability to "draw over other apps." It's still unclear what this means, as Zappos did not respond to multiple requests for more information.
- The Dunkin' Donuts app provides the most information regarding privacy and security, but it also has one of the longest permission request lists, asking for access to phone vibration control, contacts, calendar, call logs and the ability to send and edit text messages. Dunkin' Donuts also did not respond to multiple requests for comment.
- Amazon asks for permission to record audio through the mobile device.
- All 12 apps' permissions allow modifications of a mobile device's USB storage contents.
Apps from the App Store ask for fewer permissions than those from Google Play, and the requests they do make are done in a different way. When we looked at the same set of apps on an iPhone 6, very few permission prompts -- with the exception of alerts asking to collect location data -- appeared before an app's download. "Permissions are not typically given upfront; they are collected throughout the app contextually," says Anand.
In other words, apps for iPhones and iPads ask for specific permissions as you use the app, the most common being permission to send you notification messages. You can decline certain permissions and still keep the app, though doing so may limit some of the program's functionality. If you find you don't want to grant the requested permissions and don't like how the app functions without those permissions, then you can delete the app from your device.
Why do you need my USB storage?
Some of this is just bad communications, according app developers. For example, the permission to allow modification of USB storage is misleading, says Preet Anand, CEO of BlueLight, a technology company that develops emergency response apps. It generally just means that the app wants permission to download and take up storage space for operations.
A lot of times it looks scarier than it really is.
|-- Ross Hambrick
Stable/Kernel software development firm
Ross Hambrick, director of Android for Stable/Kernel software development firm, agrees. "You may ask, 'Why would a coupon app need access to storage?'" he says. "But maybe the coupon app is downloading coupon images and they need storage to be able to do that. Some of the things may not seem obvious, but are integral to the apps' operations or possible extra functions."
Apps in the iTunes App store don't even ask for this permission. The developers just assume that if you're downloading, you're giving the app permission to take up space on your phone.
The RetailMeNot deal-finder shopping app -- which requests access to areas like system settings, device sleep controls, Wi-Fi connections, and device app usage history -- does so for similar functional reasons, according to RetailMeNot's Vice President of Communications Brian Hoyt.
"Companies are often intentionally vague when describing their data security practices in order to avoid inadvertently revealing potential data security vulnerabilities," he says.
Others permissions, such as to track location or in-app download or purchase history, may be in place to improve customer experience and overall app usability. "For example, RetailMeNot asks consumers to 'favorite' stores they like and 'save' coupons they like," Hoyt explains. "RetailMeNot uses this information to suggest similar stores and coupons that a consumer may not otherwise be aware of or consider when shopping. Similarly, the app can receive periodic updates of a consumer's location and suggest coupons that are redeemable at nearby stores."
Most other apps are not as transparent as RetailMeNot, but that doesn't necessarily mean they're up to no good, says Hambrick. "It would be nice if developers could tell users why those features are out there but that's not always available," Hambrick says. "A lot of times it looks scarier than it really is."
Potential security threats
Privacy experts see things a little differently. They say that giving companies broad access to mobile devices puts consumer privacy -- and information security -- at risk.
"If you can spy on my mobile device, you can spy much more directly on me," says the Electronic Frontier Foundation's Tien, pointing out that location data collection is particularly prevalent. "You have fewer options to escape the data collection on a mobile device."
There's already a great deal of interest in the data that's generated from mobile devices and Tien says he expects to continue to see companies trying to extract that data.
I think getting consumers' consent to access information on their phone or monitor their location is something that could be used to absolutely destroy a person's privacy in the future.
|-- Shirley Inscoe
Based on the CreditCards.com study, it's often hard to tell exactly what user information is gathered by mobile shopping apps, but most privacy policies at least offer examples of what may be collected, such as user-provided account information, financial information provided to make a purchase or app usage history. Wal-Mart, RetailMeNot and Groupon specifically stated that they were only offering examples of the types of user information that may be collected, not a complete list.
And, if you log into the app using your Facebook account -- an option with four of the 12 surveyed apps-- you may also be granting the app company "access to information collected by Facebook," according to the app privacy policies.
Data collection and storage information is often buried within lengthy privacy policies and uses vague language, giving the user some information but not enough. Phrases such as "reasonable safeguards" and "generally accepted industry standards" are frequently used to describe information security protection within the privacy policies.
Although such practices haven't led to any major privacy or security-related breaches yet, that doesn't mean it won't happen, according to Shirley Inscoe, senior analyst with research firm Aite Group, specializing in fraud, data security and consumer compliance issues.
"As people increasingly use their mobile devices to make payments or buy things online ... I think we will see the threat of malware grow," she says.
The consequences could be disastrous. "I think getting consumers' consent to access information on their phone or monitor their location is something that could be used to absolutely destroy a person's privacy in the future," Inscoe says. "Once your data is disclosed, you can't change everything, and once criminals have it that's it."
Inscoe says she'd rather have her credit card details taken than other sensitive personal information. You can always request a new credit card account number if your card is stolen, but you can't change personal information such as your address, birthday or name as easily, if at all.
"If people are that cavalier about the personal information, they are wide open to becoming victims of identity theft and that worries me," Inscoe says.
Clearer language needed
You can protect yourself by reading the fine print for any app you want to use. (For other ways to protect your personal information when using a mobile shopping app, see "4 ways to evaluate mobile shopping app privacy, security.") But developers have a role to play, too in creating more readable policies.
Policies are written by people -- lawyers, in most cases -- who do not have a vested interest in the end user.
|-- Christopher Budd
The CreditCards.com survey found that policy language for the apps we examined was often dense with vague phrases like "proprietary content protections," "company contractual obligations" and "generally accepted industry security standards."
"Policies are written by people -- lawyers, in most cases -- who do not have a vested interest in the end user," says Christopher Budd, global threat communications manager for Internet security firm Trend Micro.
Making privacy policies easier to understand isn't a simple task. If clear writing isn't a priority, greater transparency can lead to longer policies and that's not good, either. The app policies and permissions examined for the CreditCards.com app survey were already fairly extensive, often requiring multiple screen-swipes to get through the whole document or clicking multiple links to find and read all relevant information.
"Regulators acknowledge that the size of policies on a small mobile screen can pose readability problems to the consumer," says Donna Wilson, Privacy and Data Security practice co-chair of Manatt, Phelps and Phillips LLP. "It's about balancing technological and practical challenges by making sure disclosures are made in a way that's meaningful, but that's not easy."
As consumers increasingly rely on smartphones, this isn't an issue that will -- or should -- disappear, according to Anand. It needs to be addressed.
"More than 200 million people got a smartphone for the first time in the past five years," he says. "For that reason alone I think there are companies -- developers and platforms themselves -- that definitely need to do a good job about consumer education."
- Will banks raise APRs if stripped of legal shield provided by arbitration? – Top regulators are feuding about the costs banks might pass on to customers if they're have to drop a shield from class-action lawsuits ...
- Debt relief firm that claimed ties to US government sued by CFPB – The Consumer Financial Protection Bureau sued two companies both known as FDAA for an allegedly illegal debt relief scheme targeting credit card debtors ...
- In the wake of Equifax hack, Congress proposes credit bureau reform – Lawmakers call for changes in credit report system to protect people's data, or at least give them more control over it ...