Mobile privacy is a critical issue that every app developer must address. Your users expect that their private information will be collected and treated appropriately by your app. Also, there are an increasing number of jurisdictions that now have legal requirements regarding mobile privacy practices.
This guide on mobile app privacy should be considered a primer addressing some the most significant issues. It outlines some broadly accepted best practices and provides references to other more detailed guides and references.
Collection of sensitive information: An app's collection of sensitive personal information raises important privacy concerns. Examples of sensitive personal information include financial information, health information, and information from or about children. It also includes information gathered from certain sensors and databases typically found on mobile devices and tablets, such as geolocation information, contacts/phonebook, microphone/camera, and stored pictures/videos. See the following documentation pages for more information: camera, capture, contacts, and geolocation. Generally, you should obtain a user's express permission before collecting sensitive information and, if possible, provide a control mechanism that allows a user to easily change permissions. App operating systems can help in some instances by presenting just-in-time dialog boxes that ask for the user's permission before collection. In these cases, be sure to take advantage of any opportunity to customize the dialog box text to clarify how the app uses and, if applicable, shares such information.
Avoiding user surprise: If the app collects or uses information in a way that may be surprising to users in light of the primary purpose of your app (for example, a music player that accesses stored pictures), you should take similar steps as with the collection of sensitive personal information. That is, you should strongly consider the use of just-in-time dialog boxes to inform the user about the collection or use of that information and, if appropriate, provide a corresponding privacy control.
Collection limitation and security: Your users entrust your app with their information and they expect that you will take appropriate security precautions to protect it. One of the best ways to avoid security compromises of personal information is not to collect the information in the first place unless your app has a specific and legitimate business reason for the collection. For information that does need to be collected, ensure that you provide appropriate security controls to protect that information, whether it is stored on the device or on your backend servers. You should also develop an appropriate data retention policy that is implemented within the app and on your backend servers.
Following are some additional helpful mobile privacy guides for developers:
California Attorney General, Privacy on the Go: Recommendations for the Mobile Ecosystem
Center for Democracy & Technology, Future of Privacy Forum, Best Practices for Mobile App Developers
CTIA-The Wireless Association, Best Practices and Guidelines for Location Based Services
Federal Trade Commission, Mobile Privacy Disclosures: Building Trust Through Transparency
Future of Privacy Forum, Application Privacy Website
© 2012, 2013, 2015 The Apache Software Foundation
Licensed under the Apache License 2.0.