Building Trust 1 October 2017

Best Practices: Mobile App Privacy & Security

As mobile usage and application development continue to grow, the need to adopt best practices in data
security, app security and privacy has been highlighted. To aid developers while enhancing online trust,
consumer protection, and regulatory compliance, OTA has provided the following outline. As learned in the
development of website and software applications, developers can overlook basic standards and guidelines
and fail to uniformly apply and maintain them between versions and device platforms. Creating a security
and privacy discipline, including robust integration from inception throughout an app’s life-cycle, pays
long-term dividends to a company and to its users. Note that, as the landscape is rapidly evolving,
developers need to conduct their own review for regulatory compliance.

These resources serve as a tool to help developers. OTA recommends brands and developers move from a
minimal compliance point-of-view to one of stewardship, making security and privacy a competitive
business advantage.  As outlined, it is paramount that developers implement adequate security controls,
provide appropriate notification and understand privacy implications and boundaries of collection and use of
data.

Privacy
At the forefront of the consumer privacy landscape is the collection, sharing and usage of user data on
websites and by mobile apps. Recent high-profile media attention, class action lawsuits and dependence on
mobile devices have prompted close scrutiny of developer, advertiser and platform practices and controls.
Regulators at the state, national and international level are actively encouraging (and enforcing) consumer
privacy rights against app developers that misuse or surreptitiously access user data. Developers should
build privacy into their mobile apps from the start in order to foster trust and confidence in the mobile app
ecosystem. If the app is ad-supported, it should include access to preference management tools that
indicate advertising preferences. In addition, OTA recommends that apps not access sensitive data unless
it is related to a core capability of the app.

Security
Apps are not just about innovation, but are also about security and a safe user experience. Many apps rely
heavily on sensitive user information, making them a target and vulnerable to hackers, malware and more.
There is no “one-size-fits-all” approach to the development process and needs of each app. However, certain
“bedrock” measures are essential. All sensitive information must be encrypted during transmission over any
network or communication link. Once sensitive data has been entered, it should not be displayed in plain text
anywhere in the application. Sensitive data should always be protected by a password. If an app uses
passwords or other sensitive data, they should not be stored on the device and should not be echoed when
entered into the application. Security also includes secure code development and code signing to help
protect applications from being compromised by other apps or from having their code unknowingly
manipulated.

User Control
While there are limitations based on platform technologies, developers should strive to provide users
choice and control around the unexpected collection and use of personal information. Mobile app developers
should only collect the minimum amount of data required to provide the service, with an eye towards ways
to achieve the functionality while anonymizing personal information. When this data is used outside the
scope of what users would reasonably expect, make sure users can easily opt out. OTA recommends that
apps not access sensitive data unless it is related to the app’s core capability. In addition, developers
are able to provide “enhanced notice and choice” to users when most relevant, within the OS design
framework. A best practice is to do this before data is collected, transmitted or used. OTA also recommends
providing periodic reminders and visual indicators to users that the app is collecting their personal data.

Notice
When it comes to best practices, disclosure and transparency are fundamental. An app’s data use, sharing
and retention practices should be available to users before the app is downloaded. A best practice is
making the Privacy Policy discoverable from the app platform or store without requiring a user to download
the app. The policy should be written in plain English at the reading level of the target audience(s). While the
app may be in English, having the privacy policy and terms of use in other languages is highly recommended
to maximize users’ ability to comprehend the app’s data practices. (See OTA’s multi-lingual privacy
policy.) Due to the limited screen size of mobile devices, OTA recommends developers consider a short-form
notice highlighting key data practices, which are disclosed in detail in the full privacy policy. Third-party
solutions from leading companies such as TRUSTe and others provide tools to help create these notices,
including additional contextual, “just in time” notices.

Resources
Federal Trade Commission (FTC) – Mobile App Developers: Start with Security (February 2013)
FTC Staff Report Recommends Ways to Improve Mobile Privacy Disclosures (February 2013)
Office of the Privacy Commissioner of Canada – Seizing Opportunity: Good Privacy Practices for Mobile Apps (October 2012)
California Attorney General – Privacy Recommendations on the Go (January 2013)
US National Telecommunications and Information Administration (NTIA) – Mobile App Privacy Code of Conduct (draft, July 2013)
Electronic Frontier Foundation – Mobile User Privacy Bill of Rights (March 2012)
Future of Privacy Forum & Center for Democracy & Technology – Best Practice Mobile Application Developers
Future of Privacy Forum – Mobile Application Privacy
Android App Security & Privacy Best Practices (Google)
AVG PrivacyFix Site Ratings

© 2022 Internet Society
