Apple’s Privacy Report, an Interview with Aron Seader

Apple’s website shows you the many ways apps use the privacy permissions you have allowed them. “With iOS 15.2 and iPadOS 15.2, users can turn on the App Privacy Report to see details about how often apps access your data—like your location, camera, microphone, and more. You can also see information about each app’s network activity and website network activity, as well as the web domains that all apps contact most frequently.”

We interviewed Aron Seader, Eclypses Sr. Director of Core Engineering, to get his insight on the App Privacy Report. His answers are below.

Does the App Privacy Report go far enough in protecting from malicious apps? How would MTE technology add more protection?

Giving a user more visibility into where and how their data is being used is a fantastic practice for businesses to follow and should happen in more areas of our lives. However, the trouble with this approach is that it is reactive instead of proactive. It gives the user information on which apps may be malicious and use their data in negative ways, but that is only after that application has had a chance to perform those malicious actions. Instead of being notified after the fact and hoping no sensitive data was compromised, data itself needs protection that renders it unusable if stolen. This level of data protection can only be achieved at data origination, isolating the data from external threats like malicious apps or operating system vulnerabilities. Eclypses’ MTE technology does just that. MTE provides an easy-to-use cryptographic library built into an application, putting data security control with those who create and manage the data.

What responsibility should be on app developers to create more secure, private apps?

In my opinion, all responsibility should be on the app developer to ensure the data generated and used within the application remains secure from threats. The customers of these applications expect utmost care when handling their data, but application developers try and wash their hands of responsibility, claiming it is the operating system’s job to ensure data is protected. This stance either comes from ignorance or laziness, but with the constant stream of zero-day attacks and the overwhelming number of malicious applications, it frankly needs to change.

Should there be an App Security Report next where apps are held to a higher degree of security?

Yes, there should be. Users need to know when applications are irresponsible with their data and hold them responsible for their actions. Applications need to stop trusting third parties to protect information and take responsibility for the security of their customers’ data. Applications must ensure that any data within them or moving from the phone to the server is immutable and secured to the highest degree possible. This sounds like a monumental task, but it is relatively easy to achieve and doesn’t require much change to app functionality. The biggest hurdle to overcome is looking at security from a different perspective and going away from the operating system-controlled, zero-knowledge, session-based securities of the past.

Aron Seader is the Senior Director of Core Engineering at Eclypses. Aron leads the Core Engineering team, overseeing implementation and software development projects and conducting product management of Eclypses’ MTE technology.