An entrepreneur’s smartphone and tablet are stuffed with sensitive information, from customer lists to business strategy notes. Loss or theft isn’t the only way it can fall into the wrong hands. Cyberthieves and unprincipled or ignorant companies could use apps to take data without your even realizing it.
Mobile apps — whether for business or entertainment — can upload your contact lists and access your location and email, though in almost all cases you must give them permission to do so. They may also store personal and other sensitive information, and sell it or share it, without your knowledge.
Your phone is “highly personal and facilitates a huge level of data collection,” says Sarah Downey, a privacy analyst at Abine Inc., a Boston-based privacy software firm. You owe it to yourself, your business and your clients — especially if your company promises them confidentiality — to keep your devices free of malicious apps and to put privacy protections in place.
Here are five tips to consider before downloading a new app on your device:
Despite the media hype, malware on mobile devices is not yet a significant problem. Although malware incidents are on the rise, the majority involve apps acquired from random, untrustworthy websites. Most have targeted the Symbian operating system and, more recently, Android. You can reduce your risk of downloading an outright malicious app to almost zero by acquiring apps only from your operating system maker’s app store.
Google scrutinizes the security of apps sold through Google Play (formerly the Android Market), takes user complaints and removes apps that violate its policies. Apple also vets apps before allowing them to grace its App Store which, experts say, has never distributed a malicious app. Microsoft does the same in its Windows Phone 7 marketplace.
2. Be cautious.
Before downloading an app from a company you’ve never heard of, do a quick web search to make sure it’s legitimate and reputable. People love to complain online, and their grumbles could protect you from a bad actor — or a sloppy newcomer that ignores user privacy.
3. Be socially discerning.
Don’t use your personal Facebook or Twitter account to sign in to a business app. “You want to keep a separation between church and state,” says Pam Dixon, executive director of World Privacy Forum, a San Diego-based advocacy group. “We don’t know all the dangers yet … You need to make sure client data is not getting sucked in [to social networks]. It could be a real competitive issue down the road.”
4. Demand privacy.
Don’t buy an app it if requires permission to access data or take other actions you find intrusive or unnecessary. Few apps need your contacts list or physical location. Even fewer need to access your emails, send text messages or listen in via your microphone.
App developers often seek more permissions than they need in case they might want them for a new feature down the road, Downey says. Many apps don’t have privacy polices (though more will soon), and they often fail to disclose or are vague about how they’ll use your data.
Also, check privacy policies, the documents that give you legal recourse if data are misused. You can use your computer to visit the app store, find the app and click through to the developer’s site to look for the policy. If necessary, email the app maker for more information. Does your note-taking app store a copy of your scribblings on its own servers? Does your project planner transmit your client list?
If you’re not comfortable after your due diligence, don’t install the app and let the maker know why. Mobile privacy is new territory that’s beginning to get public, corporate and government attention.
5. Check your existing apps.
It isn’t quick, easy or fun, but it is helpful to review the privacy policies and permissions given to apps you already own.
Android users can review permissions for individual apps by going to the Settings screen and choosing Device and then Apps. Both Android and iPhone let you adjust or totally turn off their GPS location features within settings. With iPhone, you can see which apps access location and turn each one on or off. Apple plans to provide a similar tool for adjusting permissions to access contacts lists in a future operating system update.
Independent resources for understanding app privacy and security are limited. WhatApp.org has some useful expert reviews but covers a very small number of apps. Common Sense Mediareviews games and other apps popular with kids.
Concerned users may want to consider security software to defend against mobile malware, including spyware apps like FlexiSPY, which are most often planted by jealous lovers but presumably could be installed by corporate spies.
Lookout Inc., a mobile security software maker, offers Privacy Advisor as part of its premium security software package for Android phones and tablets ($3 a month or $30 a year). Privacy Advisor provides a list of which of your apps can access private data, along with reports that explain the risks and capabilities of each app.
Riva Richmond is a freelance journalist who has covered technology for more than 10 years. She writes regularly on electronic security and privacy for The New York Times and its Gadgetwise and Bits blogs. She has also written extensively about small business for The Wall Street Journal and was previously a technology reporter at Dow Jones Newswires.