How Can You Figure out How Likely an App Is to Have Security Problems?
If we know how to evaluate the privacy impact of a mobile app, how do we determine the second part of the risk function, probability?
There’s no data about the probability of an incident listed in the App Store alongside the app. There’s no metric, information, or even a hint of how seriously this developer—or any other—takes security anywhere near the app listing.
Striking out on the App Store, where can you turn?
You can search the app/service/developer name to see if there’s any mention or history of security or privacy issues in the past.
This only takes a minute.
Unfortunately, this doesn’t produce any level of assurance unless an issue was big enough or handled poorly enough to get noticed.
Maybe there’s some protection in the law? The US is a major exception here, as it doesn’t have strong federal privacy legislation (it’s state by state and hit or miss).
Other jurisdictions like Australia, Canada, Japan, and the EU all have overarching privacy legislation that mandates some level of security effort by a company that collects personal data.
The challenge here is that it’s almost always worded as “make a reasonable effort” and the penalties for failing aren’t significant.
The notable exception is the EU, where penalties for poor security are up to 2% of an organization’s global turnover (and another 4% if they mishandle a breach).
Ok, so what’s the trick then? How can someone who’s about to download something like a mobile app understand what measures are taken to protect their data?