AT&T Video Optimizer
Private Data
Introduction
Smartphones carry a wealth of personal data on them. Depending on the use of your application, you may need to transmit some of your customer's private data to your server. The security of this data is important to your customers, and to your business.
Background
Almost weekly, a large company admits that it has been hacked and that personal customer data has been lost to unknown groups. With the rise of smartphones, valuable personal data has become available for use by your application, but with this availability comes a responsibility to help secure the private data transmitted by your application.
What is private data? If you think about some of the information that mobile applications can obtain from a device, you might come up with a list of personally identifiable information like:
Phone IMEI
Phone Number
E-mail Address
Name
Address
Location
Contacts
Applications used
Birthdays
Credit card numbers
The Issue
Sending private data over the internet unencrypted and otherwise unprotected puts your users' private information at risk. This is bad for users and bad for your business.
Best Practice Recommendation
The Best Practice recommendation, when your application collects private data and sends it over the internet, is that it should be sent via HTTPS. Better still, the data should be encrypted and/or obfuscated and then sent over HTTPS.
Going one step further, you should investigate where your customers' private data is being sent. By intercepting your own application's traffic with a man-in-the-middle proxy and collecting a network trace, you can see whether any third-party libraries or SDKs are collecting your customers' data.
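The following is an added example, not part of AT&T Video Optimizer or this page, of the kind of check an analyst can run over a collected trace once the requests have been exported as decoded URL and body strings (the request structure, the first-party host list and the sample requests are all constructed assumptions). It flags fields that match the private-data classes listed above, rates a plaintext HTTP send as the most serious finding, and separately calls out private data that leaves over HTTPS to a host that is not your own, which is the third-party SDK case the text describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical first-party host list; any other host is treated as a third-party SDK endpoint.
FIRST_PARTY_HOSTS = {"api.example-app.test"}

# Parameter names commonly used for the private-data classes listed on this page.
PII_KEYS = {
    "imei", "phone", "msisdn", "email", "name", "address",
    "lat", "lon", "contacts", "birthday", "dob", "card", "pan",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")

# Constructed sample of exported requests (not a real capture).
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://api.example-app.test/register",
     "body": "email=alice%40example.test&phone=%2B15551234567&imei=490154203237518"},
    {"method": "GET",
     "url": "https://analytics.third-party.test/collect?imei=490154203237518&app=demo",
     "body": ""},
    {"method": "POST", "url": "https://api.example-app.test/sync",
     "body": "payload=ZW5jcnlwdGVkLWJsb2ItcGxhY2Vob2xkZXI="},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which a syntactically valid IMEI must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pii(key: str, value: str):
    """Return the private-data class a field belongs to, or None."""
    k = key.lower()
    if k in PII_KEYS:
        return k
    # Fall back to value patterns for fields with unhelpful names.
    if EMAIL_RE.match(value):
        return "email"
    if len(value) == 15 and value.isdigit() and luhn_ok(value):
        return "imei"
    if PHONE_RE.match(value):   # any 10-15 digit run is treated as a possible phone number
        return "phone"
    return None


def analyze_request(req: dict) -> list:
    """Inspect query string and form body of one request and return findings."""
    parts = urlsplit(req["url"])
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(req.get("body", ""), keep_blank_values=True)
    findings = []
    for key, value in fields:
        kind = looks_like_pii(key, value)
        if kind is None:
            continue
        if parts.scheme != "https":
            severity, reason = "HIGH", "private data sent over plaintext HTTP"
        elif parts.hostname not in FIRST_PARTY_HOSTS:
            severity, reason = "MEDIUM", "private data sent to a third-party host"
        else:
            severity, reason = "INFO", "private data sent over HTTPS to a first-party host"
        findings.append({"host": parts.hostname, "field": key, "kind": kind,
                         "severity": severity, "reason": reason})
    return findings


def analyze_trace(requests: list) -> list:
    """Run the check over every exported request in a trace."""
    return [f for req in requests for f in analyze_request(req)]


if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE_REQUESTS):
        print(f"{finding['severity']:6} {finding['host']} {finding['field']}={finding['kind']}: {finding['reason']}")
```

The third sample request carries an opaque encrypted payload over HTTPS to the first-party host and produces no finding, which is the target state the recommendation above describes. Field-name matching is deliberately broad (a key such as "name" will match non-personal fields too), so treat the output as a list of requests to review rather than a verdict.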
The bottom line: do all that you can to identify any and all private data that is being collected, and then do everything you can to help protect it.