About 66 percent of Android apps in India have access to users’ details about email IDs and social media accounts, and 69 percent have access to their exact location, a report by Mumbai-based Information Risk Management firm Arrka has claimed in its second edition of the Arrka Privacy Study of Indian Mobile Apps and Websites report. The firm says that for the study covers 100 Indian organisations and each organisation has been studied across three key digital channels: one of its mobile apps – both Android and iOS versions - and its website.
The study paints a worrisome picture as it claims that apps, especially on the Android platform, are breaching its user’s privacy. According to the study, one of the key reasons for this behaviour is the absence of a dedicated Data Protection & Privacy law. “The combination of the large digital population with no real curbs on who uses this population’s data and how makes digital Indians particularly vulnerable,” said the company in its report. Data Privacy is still at a nascent stage in India and the government is already working on a Personal Data Protection Bill 2018 to plug the loopholes and tighten the screws as far as digital privacy is concerned.
Android apps: The report says that a whopping 88 percent apps can write to users’ external storage, 79 percent of them have access to the smartphone’s call details, 66 percent have access to details about users’ email and social media accounts and 69 percent have access to the exact location details of the user. What’s more, 50 percent of the apps have access to the camera, 53 percent can read messages and 27 percent have microphone access.
iOS apps: The apps on Apple’s App Store are no different, though they do not peek into a user’s privacy, some still have access to key areas. “The permission structure of iOS is a little different from that of Android. There are 16 Permissions in all, some of which are common with Android (eg: Contacts, Camera) while some are different (Apple Music, TV Account). Moreover, certain permissions ( i.e. Microphone and Camera) can be configured such that they can be accessed in one of two modes – ‘While Using the App’ or ‘Always’,” the report noted.
On an average, an iOS App accesses 3.9 (out of 16) permissions. According to the study, 79 percent iOS apps track camera only when the app is in use, 29 percent of apps “Always” track user location regardless of whether the app is in use or not. This is far lesser when compared to Android apps. When it comes to categorising apps on the basis of “Most accessed permission”, 88 percent of apps seek permission to access to photos, 79 percent ask to access camera and a whopping 72 percent want to access location.
Kids are no safer when it comes to children-friendly Android apps. The key findings said that 29 percent of the apps took NO permissions to access the different elements and the same percentage of apps had access to location and phone details. Further, 71 percent of kids-centric apps had access to storage. Citing its analysis, Arkka claims that 56 percent of the permissions accessed were not required. Moreover, 100 percent of the apps have links to other apps.
Additionally, 71 percent of the apps were found to contain in-app ads and the ads were not found to be child safe. Ads shown were for shopping, part-time studies, women entrepreneurs, real estate, physiotherapy and healthcare, and they were also found redirecting the user to other websites without any consent. A total of 43 percent of the apps offered In-app purchase options and no consent or verification of an adult was found required to make the purchases. “Nearly 29 percent of apps did not have a Notice addressing children under age 13, and in 86 percent of the Android apps, the consent to access elements was not taken. Even when consent was taken there was no verification to check if the person was an adult,” the report claims.
Where does this data go? Well, to the third party organisations
Google as an entity (aggregated across all their properties) was found to be where the highest percentage of traffic was headed out to. Interestingly, the share of Google-bound traffic from Websites (58 percent) was found to be significantly higher than from their Android and iOS (30-38 percent) counterparts. Facebook came a distant second spot with a presence across all three channels (9-14 percent).
It was also observed that some third parties were channel-specific, for example, Microsoft was primarily seen on websites whereas Amazon was primarily seen in mobile apps. All in all, the number of third parties identified in Android Apps is significantly higher (1.6 times) as compared to websites and iOS Apps. This can be possibly attributed to the Open Source coding and exchanging of codes within the Web developer community.
The study also identified the first destination country where the data was heading out to. A whopping 99 percent of organisations studied sent data across the borders. No rewards for guessing, the US is the primary destination of all the data being transferred outside India with more than 81-97 percent of the traffic being directed there. This could be owing to the fact that most of the third party advertisers and analytics companies are based out of the US. At a distant second came Ireland, Singapore and France. Russia and Tanzania were the two outlier countries which featured only in a single instance of data transfer.
Also, the top categories of third parties with whom data was being shared with were advertising, analytics and development (used to add functionality to Apps), authentication (where platforms like Google are used to authenticate users), social Media and trackers (usage statistics). “However, there was high variation in third party categories composition across mobile apps and websites. While advertising was the highest category that data was being shared with by Websites (30 percent), analytics was the highest category in iOS (47 percent) and development was the highest in Android (48 percent),” the firm said.