How to secure your mobile apps & avoid data leaks

A few months back, the USA witnessed an outright, well-schemed and open robbery in broad daylight. No, we’re not talking about a bank robbery. Nor are we referring to an economic scam or a political scandal that has gained a fair share of popularity. The crooks in this crime were armed with the most modern form of weaponry in today’s digital age: tools to exploit mobile app safety!

People in the US had their personal details palmed off by an e-mail subscription service to Uber. Most of them were consumers of Lyft, a competitor of Uber. And the name of this offending e-mail service was Unroll.me.

It was widely reported in the American press that Uber had fingerprinted its users. This meant that even after a user deleted the Uber app from his/her mobile phone, Uber would still be able to track the user’s mobile usage.

This crime found an identical twin in the security breaches of 17 million accounts with Zomato and 3 billion accounts with Yahoo.

Scary, isn’t it? One moment you entrust your information to the world’s top global service providers and in the next, some unknown hacker is memorizing your password in the comfort of his room.

However scary it may sound, we cannot run away from the tech world; almost every aspect of our life is dependent on technology. Our saviour is awareness and the adoption of good practices to ensure our mobile apps do not compromise our privacy.

  • Read the fine print

    You must read the privacy policies of all the apps that you intend to use. To be fair to Unroll.me, the Company had declared its intention to share users’ data with third parties. Unfortunately, many subscribers of the e-mail service ignored the fine print.

We should go through all terms and conditions of the apps before we grant any permission to them. Got no time for this? Then at least do the following:

Scan through the terms and conditions; your sixth sense may spot something critical.

Use Google / Quora to search “Is <app name> safe/secure to use?” or “How does <app name> make money?”.

  • Check app’s business model

    It is likely that the app that you are going to sign up for is free to use and doesn’t have any advertisements running either. Now, doesn’t it sound funny to you? How would this app make revenue for itself?

Some apps that are free and do not even serve ads share users’ data like email, phone number, income, etc. with third parties. All this information is incredibly valuable to many marketing companies.

It is strongly suggested that you check the business model of the app that you are interested in. A little bit of research in the present can save you many problems in the future.

  • Review apps and permissions

    We should periodically audit our apps. Now what does that mean?

It means that once in a while, you must scan your phone and delete the apps that have been idle for a long time. Chances are, you have used your Twitter, Facebook or Google accounts to access these apps. Over a period, you tend to forget you ever downloaded them but they are present on your devices, leeching off information.

Google and Apple have recognized the data security and privacy threats posed by mobile apps. Over the last few years they have strengthened the Android and iOS platforms to empower users to decide which app can access their data. While granting any permission to an app, you need to wear a critical hat. Grant the access only if you are 100% sure about the purpose and need of that permission. If in doubt, do not grant.

In today’s world, data theft is an extremely hideous crime of a serious nature that must be dealt with using an equally serious attitude. The first step to protecting yourself is believing the fact that you need protection. And in this case, all you need to do is Read, Check and Review.

GDPR – in simple terms & Its impact on Indian Consumer

What is the GDPR?

GDPR is a set of data privacy guidelines which came into force in European Union nations from May 2018.  These guidelines were approved in 2016 and there was a 2 year transition period. The acronym GDPR stands for General Data Protection Regulation.  It is a result of 4 years of labor by EU member states.

What does it replace?

GDPR replaces an old data protection directive of 1995. The good part is that across all 28 member states of the EU, only one standard is to be met, thus simplifying the process. But the standard is very high and difficult to meet and administer.

Why GDPR?

There are now new ways of data collection which could not be foreseen in a pre dot-com era and are therefore not covered by the 1995 directive. GDPR aims to address this and regulates the exporting of personal data from the EU to the outside world.

  • EU wants people to have more control over their data
  • Internet brought in new ways of exploiting personal data which need to be addressed
  • Enhance people’s trust in digital economy
  • Bring in a simpler and clearer legal framework throughout EU with regards to data protection

What are GDPR Requirements?

The GDPR requirements will force the companies to change the way they process, store, and protect customers’ personal data.

Consent:  Companies will be allowed to store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.”

Portability: Personal data must also be portable from one company to another. Companies now must store people’s information in commonly used formats (such as CSV), so that they can move a person’s data to another organisation (free of cost) if the person requests it.

Right to Access: People can ask for access at “reasonable intervals”, and controllers must usually respond within one month. They can also ask for that data, if it is incorrect or incomplete, to be rectified whenever they want.

Right to know: People have the right to know how companies collect data, what they do with it, how they process it, why that data is being processed, how long it’s stored for, and who gets to see it. Companies must explain it to them in clear and plain language.

Right to be forgotten: Companies must erase personal data upon request. Users have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. They can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.

Reasonable data protection & privacy: Companies must be able to provide a “reasonable” level of data protection and privacy to EU citizens. What the GDPR means by “reasonable” is not well defined, though.

Report Data Breaches: What could be a challenging requirement is that companies must report data breaches to supervisory authorities and individuals affected by a breach within 72 hours of when the breach was detected.

Performing impact assessments: These are intended to help in identifying vulnerabilities and how to address them.

Where do Indian Laws Stand?

The Indian Information Technology Act, 2000 (IT Act) provides for general obligations for the collection, transfer and use of personal information.

The Privacy Rules (Information Technology Rules 2011) broadly define two classes of information: “Personal Information”, which includes any information that relates to a natural person and which, directly or indirectly, is capable of identifying a person; and another set of Personal Information known as “SPDI” (Sensitive Personal Data or Information), which includes passwords, financial information such as bank account or credit card details, physical or mental health information, biometric information, etc.

The Privacy Rules set out various obligations including mandatory consent and disclosure requirements for data collection, usage, processing, storage and transfer, and requirements for appointment of a grievance officer. These Rules also require every company to have information security practices, programmes and policies which are in proportion to the information being protected.

Further, the Department of Electronics and Information Technology published, in 2013, a set of rules for the regulation of data privacy and personal data protection, including mandatory notification requirements (Cert-In Rules).

While India has laws in place which govern many aspects of data protection, breach and privacy, the enforcement remains a question.

Will the Indian & Non-EU Consumers gain from GDPR?

Many companies directly or indirectly operate or deal with EU residents and thus they will be required to comply with GDPR. Indian companies having branch offices in European Union member states and also the companies which provide back-office data processing services to EU companies would be affected. Many big E-commerce, food tech and ride hailing companies in India are operating or planning to operate internationally.

As these companies improve their privacy standards for compliance with GDPR, Indian and non-EU residents would gain as a side effect.