Hot on the heels of Uber's PR disaster, news about the app's Android permissions has forced the public to consider what's more important: convenient apps that have dramatically shifted the paradigm of one of the oldest industries, or privacy.
According to BGR, the Uber app can see a lot of personal data, including whether or not a device is rooted, has malware on it or is vulnerable to Heartbleed. It also has access to users' cameras, phone calls, neighboring Wi-Fi networks and more. That level of sensitive-data collection isn't just intimidating for the average user who's looking for a safe ride home — it's also a big deal for Uber and other popular apps that request personal information to make their apps function more efficiently. How does this affect you? Here's a closer look.
Every time a user trusts an app, she or he is also trusting that app's ability to protect a staggering amount of data. Considering the permissions Uber requests and receives from hundreds of thousands of users, the data contained in its servers is likely as valuable as anything in an online bank. Not only does the company store credit card numbers, but it can also triangulate users' home addresses and access their cameras, device IDs and messaging/calling histories.
Uber is not alone in this: tons of mobile applications have permission to access almost everything on a user's phone, and efforts to better map permissions have proven challenging. If anyone hacks your application, it won't matter how pure your intent was — all users will remember is that their sensitive data was compromised when they were using your app, which is enough to lose their trust completely.
Proving yourself secure and valuable to users is a difficult challenge. As is often the case in the tech world, raising people's eyebrows is easier than gaining their trust. As public awareness of and sensitivity to data collection grows, there are a few things developers must consider in order to maintain their reputations — and their customer bases. As you work your app through the software development lifecycle, keep the following in mind:
1. Operating systems. "The way Android handles privacy is a weakness," says Re/code. "The way the current system is designed, it forces Android app makers to ask for a lot more up front. Uber rival Lyft's list of Android permissions is even more extensive, including additions like the ability to send SMS messages and 'read calendar events plus confidential information.'" And though Uber does explain why it requests access to certain features, according to Phoenix-based security researcher Joe Giron, "The question then becomes, what are they going to take and use?" You likely know that different apps have different quirks and requirements. Keep those quirks in mind, and consider how they might impact your app in any worst-case scenarios.
2. Transparency. In a Computer Weekly article, Jon Holttum — founder of software company Spaggetti and founding member of the Open Mobile Security Alliance — suggests that developers ask for just a few crucial pieces of information and explain why they want it. Then, further into the app's evolution, developers can collect further information in exchange for greater functionality. "If you go back to users with an update, and capture a bit more data, then you are back in contact with them; this makes the app more sticky," Holttum says. In other words, asking only for what you need and being open with users will help you gain their trust. Then they'll be more willing to grant you access to information when you seek to improve your app.
3. Security. Thankfully, we haven't seen much in the way of major app attacks — but that doesn't mean there isn't one around the corner. By implementing an Agile development process, you can close up gaps in your app security, leaving it less vulnerable to future attacks or malicious activity. Rigorously testing both in-house and third-party code, knowing your vendors and leaving nothing until the last minute will help your app pass muster. When you can promise (and prove) your app's security, you'll gain a greater user base.
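One way to enforce item 2's advice (ask only for what you need and explain why) as a build-time check. This is an added example, not code from the original article: it parses a constructed `AndroidManifest.xml` and reports every sensitive permission that has no user-facing rationale. The package name, the `RATIONALE` map and the selection of permissions in `SENSITIVE` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed selection: permissions covering data the article names
# (camera, calls, SMS, calendar) plus location and contacts.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALENDAR",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest for a hypothetical ride-hailing app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rides">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CALENDAR"/>
</manifest>"""

# Hypothetical rationale file: the reason shown to the user for each request.
RATIONALE = {
    "android.permission.ACCESS_FINE_LOCATION": "Set the pickup point on the map",
    "android.permission.CAMERA": "Scan a payment card",
    "android.permission.READ_CONTACTS": "Split a fare with a contact",
}

def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return sorted({n.get(ANDROID_NS + "name") for t in tags for n in root.iter(t)
                   if n.get(ANDROID_NS + "name")})

def audit(manifest_xml, rationale):
    """Flag sensitive permissions with no stated reason, and reasons left
    behind for permissions the app no longer requests."""
    declared = declared_permissions(manifest_xml)
    unexplained = [p for p in declared
                   if p in SENSITIVE and not rationale.get(p, "").strip()]
    stale = sorted(p for p in rationale if p not in declared)
    return {"unexplained": unexplained, "stale": stale}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, RATIONALE))
```

Run against the sample, the audit reports `SEND_SMS` and `READ_CALENDAR` as unexplained and the `READ_CONTACTS` rationale as stale; a CI job could fail the build whenever `unexplained` is non-empty.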
As developers, it's important to consider Uber's recent PR woes and recognize the lessons they teach. When users grant apps permission to access sensitive data, they deserve trust, transparency and security in return. Without that exchange, there's far more than cab fare at stake.