End-user problems with native mobile apps

With the proliferation of smartphones, there has been a huge growth of native mobile apps as well. One of the biggest advantages of a native app is that it can leverage internal features of the native mobile device's OS ("a closed ecosystem") that are not available to a mobile web app.  But are all native mobile apps as helpful as they look?

Troy Hunt makes some great points on security & privacy issues with native mobile apps. Highlights:

* In the browser world, there are tools to opt out of invasive tracking by websites. But in the mobile world, there is no equivalent, certainly not within a platform like iOS where third party apps can’t be used to intercept your traffic. gender, birth date and mobile number. mobile apps provide access to classes of data that are simply unobtainable in the browser and you can't block access to it like you can with anti-tracking tools in the browser

*  There are third party tracking services (like Gomeeki which calls itself euphemistically a “Multi-Screen Engagement Agency”) used by native mobile apps which transmit personally indentifiable customer (PII) data over a plain HTTP non-secure connection.

* The PayPal app tracks among other things the following key bits:
1. BSSID: This is the unique device ID of a router which is the same as the MAC address. Google got themselves into hot water for siphoning this up via their mapping vehicles a little while back because that one unique ID ties back to my precise device.
2. Device model and name: You could argue that comparable information is sent via your browser courtesy of the user agent, but that would only apply to the model and not the name of the device which is explicitly not passed in requests. This is private – it’s my device name.
3. Internal IP address: The internal address assigned to my iPhone via the router when it associated to the network. This can give a sense of how many devices are on the network.
4. Location: There’s my lat and long again and for all the same reasons I don’t really want to share it with Aussie Farmers, I also don’t really want to share it with PayPal.
5. SSID: We’re talking about the name of my internal network here. I name mine in a non-identifying fashion because frankly, I want to keep it somewhat private and that’s from those in my immediate vicinity, let alone those on the other side of the world.
6. Storage space: Ok, so it’s a 128GB iPhone, do they really need to know that? Back to the user agent comparison, this is not the sort of stuff that’s typically “leaked” by generic requests to the web because it’s an internal metric of no external consequence.

There are no agencies to certify whether an app follows good security & ethical practices & it can help if App Stores can also examine this area and approve

The phone’s home screen is the most valuable real estate on the planet on a per square millimetre basis. The odds of an app that doesn't provide great benefits will be relegated to the second or third screen.

Comments