I’ve been writing about the security woes of Android, the world’s most popular mobile operating system, for a couple years now. And, during that time, Android adoption has only accelerated. Imagine my surprise, then, to read about a new survey that found that smartphone users are “more concerned about mobile privacy than a phone’s brand, screen size, camera resolution or weight.”

That survey, sponsored by the firm TRUSTe and conducted by Harris Interactive, polled 900 smartphone users in the United Kingdom to measure what TRUSTe called their “perceptions” on mobile privacy issues like the collection of user data, geolocation tracking, mobile advertising and privacy management. Privacy was a top concern of 20 percent of those surveyed, second only to battery life, which was the big issue with 45% of those surveyed. More than three quarters of respondents indicated that they wouldn’t download a mobile application “they don’t trust.” More than half said they are “frequently or always” concerned about privacy when banking or shopping online.

I wonder: does the TRUSTe survey signify a sea-change in the mobile device world? Have we reached our “Unsafe at Any Speed” tipping point, when the public suddenly started moving their feet to the steady drum beat of warnings from sore-sport security researchers and academics?

To tell the truth, I’m not too hopeful. For one thing, there’s little to suggest that shoppers are pivoting in the direction of more secure alternatives. Just the opposite is true. Android – the mobile operating system that is the target of almost all malicious mobile malware – has only extended its lead as the globe’s leading mobile OS, with an 80 percent share of smartphone sales worldwide. As this article makes clear, the drivers for that growth are Android’s “massive app store” and Google’s “competitive licensing costs” (i.e. $0.00), which have led to the many, many vendors who make and sell Android-based phones. Cheaper? More options? More choice? Is there any real surprise that Android is number one? And let’s not forget the billions of dollars that handset makers like Samsung, HTC and others put into marketing and selling their phones to consumers. The privacy and security camp doesn’t have a marketing group – let alone a marketing budget!

So what about those picky consumers – worried about their privacy and wary of malicious mobile? Well, if you read down, the Harris International survey offered plenty of clues why the concerns of mobile phone security and privacy don’t come into play in their buying decisions.

First: though most (70 percent of) consumers are “concerned” about advertisers tracking them through their mobile device, 46% of those surveyed admitted not being aware that tracking even takes place on their mobile devices. And, while “the vast majority” of users will not voluntarily share contact, web surfing or geolocation information with mobile advertisers, a minority (only 47%) said that concern about privacy would stop them from sharing any personal information in exchange for a free or lower cost mobile application. Given that data snarfing is the business model of almost every mobile application software firm, that’s a discouraging figure.

Finally, mobile users still hold themselves responsible for protecting their privacy. Sixty-nine percent of those surveyed responded that “they are ultimately responsible for protecting their own privacy,” TRUSTe said.

My point: while it might be tempting to think that consumer outrage will drive mobile phone and mobile application makers to adopt more stringent security and privacy protections for their devices, there’s very little evidence that this is true. Consumers might care about privacy and security in the abstract, but the data suggests that most put those concerns on a shelf when it comes time to choose a device.

In other words: the kinds of factors that influence buying decisions elsewhere (price, availability, features) are most at sway when buying a phone. Consumers feel that they need a smartphone. And, to paraphrase Donald Rumsfeld, they are willing to ‘shop with the phone they have, rather than the phone they might want or wish to have at a later time.’ That’s especially true if data leaks or hacks, when they happen, are more likely to be considered by the owner as “their fault” rather than a failing on the part of the handset maker, mobile OS maker or application developer.

What’s the solution? As was the case in the automobile industry, leaving the issue of safety and privacy to the market won’t work. There needs to be a bigger role for government and regulators to set standards that mobile device and application vendors must meet when and if they are transmitting sensitive personal or financial data. Government shouldn’t tell mobile device makers how to make phones – but it can set the rules by which the game is played.

Paul Roberts is an experienced technology writer and editor who has spent the last decade covering hacking, cyber threats, and information technology security, including senior positions as a writer, editor and industry analyst. His work has appeared on NPR’s Marketplace Tech Report, The Boston Globe, Salon.com, Fortune Small Business, as well as ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. He was, yes, a guest on The Oprah Show — but that’s a long story. You can follow Paul on Twitter here or visit his website The Security Ledger.
