You know that web2.0 world it’s plenty of leak of any kind (profiling, profiling, profiling) related to Privacy and users starts being concerned about it.
Users continuously download applications without knowing the details of what they do, for example iFart just because are cool, are fun and sometime are useful.
On mobile phones users install from 1000% up to 10.000% more applications than on a PC, and those apps may contain malware or other unexpected functionalities.
Recently infobyte analyzed ubertwitter client and discovered that the client was leaking and sending to their server many personal and sensitive data such as:
- Blackberry PIN
- Phone Number
- Email Address
- Geographic positioning information
Read about UbertTwitter ‘spyware’ features discovery here by infoByte .
It’s plenty of applications leaking private and sensitive information but just nobody have a look at it.
Should mandatory data retention and privacy policies became part of application development and submission guideline for mobile application?
Imho a users must not only be warned about the application capabilities and API usage but also what will do with which kind of information it’s going to handle inside the mobile phone.
Capabilities means authorizing the application to use a certain functionalities, for example to use GeoLocation API, but what the application will do and to who will provide such information once the user have authorized it?
That’s a security profiling level that mobile phone manufacturer does not provide and they should, because it focus on the information and not on the application authorization/permission respect to the usage of device capabilities.
p.s. yes! ok! I agree! This kind of post would require 3-4 pages long discussion as the topic is hot and quite articulated but it’s saturday morning and i gotta go!