Protecting user data in the post-PC era

Turn the current security model on its head.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

'A stitch in time saves nine.'

'Look before you leap.'

'Prevention is better than cure.'

As we move from an era dominated by the PC into the post-PC era, we're increasingly turning our backs on desktop systems in preference for more smaller, more personal devices such as smartphones and tablets. These personalized devices have the effect of encouraging us to store and carry with us more and more sensitive information so that we have it close at hand 24/7, but a negative side-effect of this is that it creates a treasure trove of data that installed apps (rogue or otherwise) can plunder without our direct knowledge or consent.

Many ideas and mechanisms have been put forward as to how best to deal with this problem, but in my opinion they're doomed to failure because, just like the existing permissions model found in the Android OS, they seem to rely on users making an informed choice. Bottom line, you can't rely on users to make an informed choice.

The security model is worse for Apple's iOS. There you have control over some data that's sent to third parties (such as location data), but no control whatsoever over other data.

As I see if there's two issues that make it easy for data such as contact information to be plundered from smartphones and tablets:

  • Unlike PCs, where information can be stored all over the place, data is stored in known places on portable devices
  • Permission models are so open on that there's either no obstacle to accessing the data (like on iOS), or you can almost guaranteed that users will give the app permission to access the data (like on Android

Combine this ease of access to the data with the fact that this sort of data is valuable for those who want to data mine it, and it's no wonder that apps are lifting user information and whisking it away to their servers.

Given the wide range of potentially sensitive information people keep stored in their electronic devices, it now seems unthinkable to me that the apps you install onto your smartphone or tablets have such easy access to stored information. On a PC, an application that decided to go snooping thorough your hard drive, sending back to the mothership anything interesting it found, would be considered to be malware, but on portable devices some companies seems to think that this behavior is acceptable, until they're caught out, and which point they come out with a lame apology.

Bottom line, it's far too easy for apps to go rummaging through your contacts list and grab whatever they want. There's only one-way to stop it from happening, and that's to change the defaults.

What do I mean by this? I mean turn the current security model on its head. Start by placing a default block on all apps accessing personal information stored on a smartphone or tablet. In fact, go as far as to quarantine the data. Better still, encrypt. Then, if an app wants access to specific data, inform the users in clear terms what granting the app the desired permissions means. Then, if user still wants to grant an app access to their data, make the process more involved than just clicking a box.

This would send a message to developers telling them that limitless, covert access to stored user data is no longer a default. At best, they're going to have to work to get access to it, and at worse, they're not going to get access to any of it. Take away the expectation, and most developers will give up on the idea of data harvesting.

Apple, by virtue of tightly controlling what APIs developers can use, could easily go one step further and show users exactly what data an app is accessing and what would be transmitted from the iPhone or iPad by that app. This would be a level of transparency that I think would put most companies off the idea of plundering user's address books and contacts.

Users have the right to make sure their data protected from plundering by third-parties, now it's time for Apple and Google to put mechanism in place to make that happen.


Editorial standards