Source: Threatpost
20 Nov 2020

Developers will have to reveal how data is shared with any “third-party partners,” which include analytics tools, advertising networks, third-party SDKs or other external vendors.

After years of complaints about over-permissioned apps that collect, use and share private user information, Apple will be making developer privacy policies more transparent for consumers.

Starting Dec. 8, iOS and macOS developers will be required to provide detailed information about how their apps collect information, which data they collect and what it will be used for, according to an Apple post on its developer support page. They’ll also have to report whether their apps track users, which permissions they request, and whether the data is anonymized or linked to the user.

Developers will also have to reveal how they share data with any “third-party partners,” which include analytics tools, advertising networks, third-party SDKs or other external vendors whose code they’ve added to an app.

If the data isn’t provided, the app won’t be allowed into the official iOS App Store or Mac App Store, Apple said.

The detailed information will be turned into “privacy labels” for apps so that users can easily see how their data is being handled. The labels will show up on apps’ pages in the App Stores, so that users will see them at the moment of download instead of having to parse through lengthy privacy policies.

Developers can submit the information via the App Store Connect website, according to Apple. Once submitted, it’s up to them to keep the information up-to-date and to make sure it reflects any changes in the app – a potential loophole, according to some researchers.

Transparency?

“Apple’s requirement to force developers to reveal what apps are doing with user data is a good step for privacy, but the fact that this is developer-provided means there are too many loopholes,” according to Duo Security, in a Tuesday posting. “It is up to the developer to make sure the labels are up-to-date and reflect the latest information whenever changes are made or functionality added. There doesn’t seem to be a mechanism for Apple to verify developers are telling the whole truth about their data partnerships, so users are left hoping that maybe they know enough from the labels to make an informed choice.”

Emma Bickerstaffe, senior research analyst at the Information Security Forum, agreed. She told Threatpost, “This is an important step on Apple’s behalf towards making both the consumer and developer aware of privacy rights and obligations. At first glance, it is a welcome development; however, there are questions around how this self-assessment model will be implemented, and whether the consumer will have the inclination to read it when installing an app. Just as consumers now automatically accept cookies and agree to privacy policies, they may also ignore privacy labels in their rush to download an app.”