8 Steps to Promote Secure Mobile Apps
FTC Issues Guide on Getting It Right from the Start
Developing secure mobile applications is just one part of the process in creating new programs. Communicating how applications are secured - whether informing end users in your enterprise or marketing to consumers - is crucial in building IT security awareness among stakeholders.
The Federal Trade Commission has just published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC's new publication, Marketing Your Mobile App: Get It Right from the Start, notes that there are eight general guidelines that all app developers should consider.
With thousands of new developers - many of them small enterprises - creating mobile apps for consumers and businesses, the FTC issued the guide to make them aware of federal regulations regarding information security and privacy.
"Quite honestly, we've heard from them that they think the law doesn't apply to them because they're not making money yet, so the guide offers tips to that kind of audience," says Laura Berger, an attorney in the FTC's Division of Privacy and Identity Protection.
The guide could prove useful for other mobile app developers as well. At a time when many organizations are developing mobile apps internally, rather than subjecting their users to the inherent security risks of third-party apps, the FTC's new guide offers much-needed advice.
"Fundamentally, applications developers are the only ones who know what security and privacy their applications provide," says Jeff Williams, CEO of Aspect Security, an application security consultancy, reacting to the FTC's guide. "Otherwise users can't make informed decisions on the risks they're taking when downloading the app."
The FTC guidelines are:
- Tell the truth about what the app can do. False or misleading claims, as well as the omission of certain important information, can irritate users and land the application developer in legal hot water.
- Disclose key information clearly and conspicuously. Most people react negatively if they think a company tries to pull a fast one by hiding important information. Users are more likely to continue to do business with an organization that gives them the straight story up front.
- Build privacy considerations in from the start. Limit the information collected, securely store data and safely dispose of information no longer needed. For any collection or sharing of information that's not apparent, get users' express agreement. That way, customers aren't unwittingly disclosing information they didn't mean to share.
- Offer choices that are easy to find and easy to use. Make it easy for people to find the tools that are offered and design them so they're simple to use. Follow through by honoring the choices users have made.
- Honor privacy promises. Chances are that assurances have been made to users about security standards and how personally identifiable information is used. App developers must live up to those promises.
- Protect children's privacy. Mobile application developers have additional requirements under the federal Children's Online Privacy Protection Act if the application is designed for minors or if the application collects personal information about children.
- Collect sensitive information only with consent. Even when not dealing with children's information, it's important to get users' approval before collecting any sensitive data from them, such as medical, financial or precise geolocation information.
- Keep user data secure. The law requires application developers marketing their programs to take reasonable steps to keep sensitive data secure. One way to make that task easier: Don't collect information in the first place if there's no specific need for it.
Williams says he hopes the FTC will go beyond just issuing a guide on best practices and develop regulations with teeth. "People rely on mobile technology for a lot of stuff," he says. "And they need to know what the developer has done to lock down apps, to protect against the types of attacks we're seeing. ... It's a serious disclosure issue that goes beyond just mobile applications."
Berger says the FTC has no plans to ask Congress to give it more authority to deal specifically with mobile-app privacy matters, but is asking lawmakers to enact legislation to require businesses to assure the online privacy of consumers through its privacy framework [see FTC Proposes Online Privacy Framework].