Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Users Don't Trust Mobile Apps

Posted by Soulskill on from the all-of-the-convenience-none-of-the-security dept.

snydeq writes "Fatal Exception's Neil McAllister writes of the growing unease among consumers around mobile data privacy, and how this distrust will impact mobile app development. 'When every week seems to bring another news story about a data breach resulting in the theft of customer data, customers are growing increasingly jealous of their privacy. Given the unique nature of the data to be found on smartphones, it's only natural that they have begun to view mobile apps with a skeptical eye. If you're developing apps that use customers' mobile data, you need to do more than recognize these realities. You need to develop a policy that places secure, ethical, and appropriate handling of user data at the core of your application development process.'"

13 of 153 comments (clear)

  1. Wow by 0123456 · · Score: 5, Insightful

    It's almost as though downloading random apps from the Internet to run on a device you use for personal information might be a bad idea.

    1. Re:Wow by tripleevenfall · · Score: 4, Insightful

      The thing is, they CAN'T be upfront about how free apps get converted into revenue. All these "markets" (facebook, etc.) revolve around harvesting consumer data.

      People don't want their information harvested, and will say "No" to that if confronted honestly.

      But that blows the trend we've seen in recent years where you can use software for free that we used to walk into a store and buy in a box for $50.

      Will we go back to the $50 model, or will people surrender privacy in exchange for "free"?

    2. Re:Wow by h4rr4r · · Score: 4, Insightful

      I take the third option.

      I don't pay for the linux kernel, so far Mr. Torvalds has not stolen nor leaked my Credit Card data. I buy Crossover from Codeweavers, the folks who make Wine just to support Wine. I use Wine instead though, and still Alexandre Julliard has not sold my private details to scammers and advertisers.

      I could go on, but you see where I am going. You are putting forward a false dichotomy. None of the above come in a $50 box and still my information is not sold to every scumbag with a marketing degree.

    3. Re:Wow by tlhIngan · · Score: 2

      Do you really think half the users even know what all the technobabble you're asking for even means? The reality based on what I've seen and heard from others is that if you're upfront about what you do with data and permissions people get spooked and don't want the app even if it's harmless, but if you don't say a word about it then people don't even give it a second thought and happily download the app.

      It's partly why the Android model isn't that great, either. It's good to enumerate and require the services presented, but after using it a little while, its deficiencies start showing.

      1) If the app demands extra data not in the APK, it means it needs external storage permissions and internet access. (I kinda miss the iOS method where you download it all self-contained, sans DLC of course, but getting a 200MB file and it has everything).

      2) Users don't read dialogs. As tech people we should know this. Even if it's a highly inofrmative dialog like "Could not write file - the disk is full. Please delete something and try again" the user will still ask for support even though they're able to solve the problem themselves.

      3) Dialogs get in the way. As part of 2, they'll make a beeline for whatever gets them to their goal the fastest. If your app really wants to do something bad, I suggest not enumerating just the permissions you need, but every permission you can request. Somewhere between the third and forth permission item they'll just get bored and scroll and tap "install". It's human nature.

      4) If the user likes apps, they'll probably just blindly click Install anyways without bothering with permissions. After all, that dialog is just another step during app install People just get very mechanical and do things from muscle memory.

      5) Users want to get things done. Installing/deleting/maintenance tasks are chores and get in the way of getting things done. If they want the app, anything you throw in the way just annoys and they'll dismiss it without reading.

      It's the reason why few people read EULAs (see 3 and 4), people get called over to handle some stupid task request (2) and the like.

      It's an annoying reality of the world and it really makes things like alerts/popups/etc. utterly worthless and makes it difficult to impossible to design things to get the user informed. iOS's notification system is broken in that way (it pops up and screws up your current task). Doing a deny-by-default just ends up with users getting frustrated when the app constantly complains it needs access to something, etc (see Vista) - devs just make it so anything useful is blocked until some permission is granted (even if that permission is orthogonal to pupose - e.g., request access to SMS while connecting to a server).

      Hell, I thought the Android system was cool, and miles better than the iOS method. Then I realized that half the time I'm tapping Install without looking over the permissions either.

  2. It's not just data on the phone, Watson by trifish · · Score: 2

    People might worry about their data stored in their mobile phones, but what worries me more is that they forget about the built-in microphones and cameras.

  3. Big deal by tripleevenfall · · Score: 5, Insightful

    I see this as having a huge impact for the market for apps and what kinds of apps can be developed.

    The situation is developing where users don't want to give apps access to anything on the phone other than the data pipe, except for maybe a mapping application or something with an obvious need. This is really going to limit where apps can go.Because of the sins of Apple (and others), people don't trust the platform as much as they used to.

    Instead of being a device we voluntarily turned over information to in order to expand its role in our life, we are starting to see it as something that needs to be reigned in, controlled, watched like a hawk.

    Formerly people happily used Windows and IE to bring the internet into their lives. Now these are items you don't trust, you run several other programs on top to police them, etc.

    It's really a shame that this greed for personal information to sell has set back the role that palmtop tech may otherwise have headed toward in our lives.

  4. Shazam! This makes me one Angry Bird! by Maxo-Texas · · Score: 2

    I'm just a Cube Runner and I don't have a degree in Physics but I don't want some stranger to Take Me to My Car by reading my location file.

    Yelp! I'm going to have Words with Friends and dance the Fandango if they have been sharing my information. I may use Device Locater but I don't want others to. Siri ously. They can build their own Empire and Tunein to their own location data but not mine!

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  5. How about this? by killmenow · · Score: 2

    "If you're developing apps that use customers' mobile data..."

    How about not writing mobile apps that store user's data?

    Very few apps need to store user data. Companies aren't using the data because the apps need it. Their ad stream needs it. Which reminds me: if you're not paying for a product/service (google, facebook, slashdot, reddit, etc.) you're not the customer...you're the product.

  6. Android permissions by traindirector · · Score: 4, Insightful

    Android already has a great permissions system by which an application is granted permission to access functions of the phone and the Internet connection on a fairly granular level.

    However, even though they have already implemented this system that could allow the user to control what an application can do on her device, Google has chosen to restrict the end user from obtaining greater privacy and security by restricting an application's permissions. Through the user interface, one must either grant all permissions to an application or choose not to install the application--a single permissions cannot be removed.

    There is a small argument to be made that this makes things easier for developers, but how hard is it to gracefully handle not having certain permissions? For many features like GPS and Internet connectivity, Android could simply respond as if they are turned off if permission is denied. Some members of the Android development team have tried to spin the lack of user permission settings as a benefit to the user with the argument that "if users can disable permissions arbitrarily, then developers will have no incentive to minimize the amount of permissions they declare their applications need, and the average user will be less secure". This is the only somewhat rational explanation I have gleaned from there responses, and while there might be a small bit of merit to that and certain developers might really believe that, I think on the whole it is misguided.

    I believe Google's real goal is to make sure the user has no control over permissions, only a binary install / not install, because they're an advertising company with an interest in your data being sold. They continually ignore this permissions issue even though they have acknowledged it is among the top Android security complaints.

  7. You have no choice if you want to use it by traindirector · · Score: 2

    Lets be honest, there's no accountability on the part of mobile app developers. Before you download an Android app it asks for permission to use certain features, but the developers aren't required to say how they'll use those features, or what they'll do with it.

    And what's worse is that despite having a fairly granular permissions system, the end user is totally denied any ability to selectively remove permissions. Want to remove Internet access from an application that doesn't need it? Tough luck--Google knows what's best for you.

    And then they try to say they don't add this because 90% of users wouldn't use it. So? Bury it deep down in a menu somewhere that only people that really care will find it. The fact is it would be simple, but Google just doesn't want the user to have this power over her device.

    See more from me on this below.

    1. Re:You have no choice if you want to use it by Zan+Lynx · · Score: 2

      Why would the app even know?

      "I'd like a network socket please."
      "Sorry, the user is not connected to the network."

      "I'd like the Contact List please."
      "Sure! Here it is, all 0 contacts."

      "I'd like to send a text message."
      "Ok! Message sent." (to /dev/null!)

      These things could be done by custom ROMs and I'd be surprised if they're not already being done by somebody.

  8. Cyanogenmod 7.1 by traindirector · · Score: 2

    These things could be done by custom ROMs and I'd be surprised if they're not already being done by somebody.

    It's not in any ROMs yet, but a patch is being considered for inclusion in Cyanogenmod 7.1 [javascript required]. Here's the related issue thread.

    It will be great if this is included in custom ROMs, but I strongly feel one shouldn't need to void the device warranty for this simple, important, easy-to-implement feature. Google has no (good) reason for failing to include this in AOSP, and this is becoming more apparent by the day.

  9. Re:Well, let's see a device that can.... by nschubach · · Score: 2

    5) Can pick up sound and conversation

    Except for your first one, which happens even with a dumbphone as cell towers will log your location, all of the other things are optional features that you don't have to use if you don't want to.

    http://www.zdnet.com/news/fbi-taps-cell-phone-mic-as-eavesdropping-tool/150467
    How do I not use that feature?

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.