With the current pandemic situation, where people are compelled to do the majority of their activities online, from work to daily life and play, mobile applications are becoming more and more ubiquitous.
For Guangdong Bai, Senior Lecturer at the University of Queensland, such apps are already an integral part of our daily life, but people should be wary about using applications that may collect personal data.
During his session “Hey, You, Get off My Private Data: Do Apps Respect Your Privacy as They Claim?” at Black Hat Asia 2021, Bai discussed the kind of data that apps are collecting and how countries are acting to maintain privacy in cyberspace.
“First of all, when we give access to those applications, we don't know how they are going to use our data and with whom they are going to share our data”, said Bai. This data may include location, device ID, SIM info and even purchase or browsing history.
Bai added that these apps might use this data for various purposes, such as analytics, functionality, product personalisation and advertising. However, Bai warned that some applications are not being honest about their stated reasons.
As an example, Bai explained that a messaging app may ask for data that is not relevant to your user experience, like your purchase history and financial information.
On protecting data, Bai noted that many countries and regions have already put in place strict data protection regulations, for instance the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States and the Personal Data Protection Act in Singapore.
Expanding on what some applications are doing with user data, Zhang Qing, Senior Security Researcher at Bytedance, listed a logic-level breakdown of where apps provide users’ choice and control. This includes the illegal collection, illegal use, illegal transfer and illegal storage of user data.
As a solution, Bai proposed a framework that can be used to audit applications' private information collection behaviours. It is intended to provide analysts and auditors with enforcement-level tools and techniques for hands-on, practical auditing of data.
Bai advised users to pay attention to the apps they are using and to inspect the privacy policies released by the applications to check how they collect, use, and share personal data.