A federal lawsuit filed recently in California claims that The Walt Disney Company “secretly collects personal information on some of their youngest customers and shares that data illegally with advertisers without parental consent.”
The complaint alleges that Disney, and the creators of the popular third-party advertising libraries and SDKs (software development kits) Upsight, Unity, and Kochava, which are embedded in 43 popular Disney apps, are violating the law by harvesting information about users under the age of 13 for “commercial exploitation.”
If true, this could mean that the parties involved violated COPPA (Children’s Online Privacy Protection Act). Disney denies any wrongdoing, stating that they have a “robust” COPPA compliance program and that they complied with the law’s privacy disclosure requirements.
The lawsuit claims the advertising SDKs collect persistent device and user identifiers, which are considered PII (Personally Identifiable Information), to track users across different apps and services, and then share the collected data with advertising services that provide targeted ads. The complaint then argues that the apps fail to properly verify parental consent for these invasive behaviours, even though the apps clearly target children under 13.
So, what does this news mean with respect to enterprise mobile security?
First, the news highlights how often even large companies rely on third-party developers, either outsourcing the entire development of their apps or using third-party SDKs and libraries to add functionality and advertising or tracking capabilities.
The use of third-party software often introduces behaviours and risks that even the app developer is not aware of, which could expose large companies to bad press, hurt their brand, or worse, lead to legal action related to compliance issues around security and privacy.
Not all app risk comes from malware or malicious intent. More often than not, risk is introduced by accident, so it’s important for enterprise security teams to leverage services like app security testing.
A MARS (Mobile Application Reputation Service) can be used not just to automatically analyse apps on employees’ devices, but also to analyse enterprise-developed apps (whether developed in-house or through a third party) before they are published to internal enterprise app stores or external app stores for customer distribution.
Another point this news brings home is that even free apps aren’t really free. Apps rely on monetising user data. And, if children’s game apps from reputable companies like Disney can exhibit this type of user surveillance, what can we expect from apps that don’t have strict COPPA requirements? Developers have to support their development efforts to create content, make updates, provide support, add new features, etc.
However, the app ecosystem has evolved in a way that makes it difficult to sell apps, as most users choose free apps. In order for users to receive these apps for “free,” developers rely on ad networks and tracking solutions to learn everything they can about the users and then sell targeted ads. It’s also worth noting that smartphones are the perfect spying tool.
They are with us 24/7, they are always on, and they have multiple cameras, a microphone, GPS, as well as ALL of our most precious data. It makes sense that it’s not just ad networks that are investing in user surveillance, but also governments and bad actors who wish to gain insight into users, or the users’ employers.
Lastly, employees are consumers too. Do your employees know what risks are found in the apps they use every day, whether for work or for personal use? Many parents would think twice about allowing their kids to use apps if they knew how the apps behave in the background. Many users would think twice about using certain apps if they knew they didn’t properly protect personal data.
However, most just don’t know the risks. Enterprises can change that by deploying a Mobile Threat Protection solution, so employees have the power to learn about app risks before they even install potentially risky apps on their devices.
Obviously this change of behaviour (vs just downloading apps from the official app stores without any knowledge of risks) protects users’ data, but vicariously, it also protects the enterprise. Win-win.
Sourced by Domingo Guerra, president and co-founder of Appthority