Over Half of Android Apps Infringe on Upcoming European Privacy Regulations

May 4, 2018


Privacy is on everyone’s minds

Privacy is an increasingly pressing issue for consumers and businesses, and governments are now following suit. New European privacy regulations and Google Play privacy policies are going into effect this spring, and according to a report from SafeDK, more than 55 percent of all mobile apps may not comply with them. Users are becoming increasingly aware of how their private information is handled, and so are governments and the app stores themselves. The choice of integrating a new software development kit (SDK) is no longer just about which features it will provide and how it will help increase revenue – it is also a question of app safety and stability.

The problem with SDKs

An SDK is a set of tools that can be used to develop software applications targeting a specific platform. These tools are embedded within apps, yet run their own code, typically with the same permissions as the host app. They can be considered a security risk because malicious or careless SDKs may violate users’ data privacy, damage app performance, or even cause apps to be banned from Google Play or iTunes. To that end, some new technologies allow app developers to control and monitor client SDKs in real time.

New regulations are coming

After a two-year transition period, on May 25th 2018 the European Union’s General Data Protection Regulation (GDPR) goes into effect, replacing the 1995 EU Data Protection Directive. The legislation will reinforce EU individuals’ rights to control the use of their personal information, as well as unify data protection laws across Europe, regardless of where that data is processed. It also addresses the export of personal data outside the EU. While the GDPR will make it easier for non-European companies to comply with data protection regulations, it comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.

After the GDPR becomes enforceable, app companies will have to make users aware if their information is collected or transmitted to third parties. Users will also have the right to have all their personal data deleted from the companies’ servers. Google stated that it would also strengthen its private user data access regulations. As of February 2018, all apps must only access information integral to their core functionality or provide information about the data being collected.

SDKs are still going strong

SafeDK, a marketplace that monitors the use of SDKs in mobile apps, released a report revealing that more than half of the hundreds of thousands of Android apps in the study used at least one SDK that accessed users’ private data. As of December 2017, the most commonly accessed data was the user’s location (25 percent), followed by which apps are installed on the user’s device (15 percent). Around 5 percent of the apps used an SDK that accessed a user’s contacts. Additionally, 55 percent of ad network SDKs also accessed a user’s location, while 34 percent viewed the user’s apps. To put that into perspective, the average number of mobile SDKs in an app is now 18.5 (up from 16.6 in Q3 2016), with analytics, advertising, and social SDKs being the most popular among developers. Payment SDKs are experiencing significant growth as people are giving up cash at an increasing pace. In terms of providers, Google’s and Facebook’s SDKs are still the most popular, with a presence of 97.5 percent and 49 percent, respectively.

An interesting trend pointed out by SafeDK is that while apps were using more SDKs this quarter, and therefore more apps have SDKs accessing private user data, the access is made by fewer SDKs. The fact that some popular ad-network SDKs were no longer accessing the user’s installed apps indicated that developers are indeed preparing their SDKs for the new regulations. According to SafeDK, app publishers will have to make changes to their code, as well as evaluate and monitor their third-party SDKs. Since SDKs often contain third-party code, they have been the subject of lawsuits over the collection of private data from underage users.
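One concrete way for a publisher to start the evaluation the article describes (and the monitoring mentioned under "The problem with SDKs") is to audit which privacy-sensitive permissions end up in the shipped app and which of them were contributed by a library rather than declared by the app itself. On Android, the build system merges each dependency's manifest into the app's, so diffing the app's own manifest against the merged one reveals permissions an SDK pulled in. The example below is added here and is not code from SafeDK or from the article; both manifests are constructed samples, and the permission-to-category mapping is an assumption chosen to match the three data types the report names (location, installed apps, contacts).

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from Android permissions to the data categories the
# SafeDK report names. QUERY_ALL_PACKAGES only exists on Android 11+;
# on older versions enumerating installed apps needed no permission,
# so a manifest audit alone under-reports that category.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}

# Constructed sample: what the developer declared in the app's own source manifest.
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

# Constructed sample: the merged manifest after library manifests were folded in.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permission names requested by a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(app_xml, merged_xml):
    """Flag sensitive permissions in the merged manifest and attribute each
    one to the app (declared by the developer) or to a library (only present
    after merging). Returns {permission: {"category": ..., "source": ...}}."""
    declared = permissions(app_xml)
    merged = permissions(merged_xml)
    from_libraries = merged - declared
    findings = {}
    for perm in sorted(merged & SENSITIVE_PERMISSIONS.keys()):
        findings[perm] = {
            "category": SENSITIVE_PERMISSIONS[perm],
            "source": "library" if perm in from_libraries else "app",
        }
    return findings


if __name__ == "__main__":
    for perm, info in audit(APP_MANIFEST, MERGED_MANIFEST).items():
        print(f"{perm}: {info['category']} (from {info['source']})")
```

In a real build the merged manifest is the one Gradle writes into the build output directory for the variant being assembled; a finding with source "library" is the trigger to go back to the dependency list, identify which SDK contributed the permission, and decide whether the app's privacy disclosure and consent flow cover it.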

What’s to come…

Despite their inherent security risks, it is highly likely that SDKs won’t be phased out anytime soon. However, the GDPR will no doubt force companies to take a closer look at what code goes into their apps and how it affects their users. A unified set of regulations will definitely make it easier for companies to stay compliant with the EU’s new data protection rules, but only time will tell how the app development landscape, and SDKs in particular, will be affected by the changes.