A few days ago, Macworld (and a few other sites) ran an article on a panel session during the 2012 State of the Mobile Net conference. You can listen to the audio recording, which can be found on the conference website here. It makes for great listening.
The crux of the discussion seems to be focused on who should bear responsibility for enforcing privacy restrictions and controls and on limiting information that apps can collect. There was some discussion on who this might be: developers, mobile network operators, app marketplace operators or consumers.
A lot of the discussion revolved around placing the bulk of the responsibility on the app developer, the app marketplace and the consumer. At some points of the discussion, shared responsibility among the various players in the value chain was mooted.
I think the discussion could be framed by the types of apps which we are concerned about: (i) malicious apps (malware) whose main intent is to steal and use personal information and (ii) apps which inadvertently or without ill intent obtain and use personal information unknown to the user. You would have some common solutions and approaches to both but some different solutions to each problem.
So, in the case of apps falling within category (i), the issue really would be one of mitigation and security (and multiple layers of it). The solution here would not be one of focusing on creating standards for app developers to follow, or placing responsibility on app developers, as the premise of that solution is that the developer is without ill intent (and I agree with Todd Moore's rejection of placing too much responsibility on the app developer on this narrow point). The malicious developer would find many ways and means to upload his malicious app to the app marketplace of his choice, and would definitely find attractive ways to entice users to download the app.
So, the first layer of prevention would be at the level of the app marketplace in its review of the app (this is important as most infections come from app markets - primarily Android marketplaces). But that can be easily circumvented by malicious developers creating different identities and uploading malicious apps using the new identity. And there is a real commercial incentive for the app marketplace operator to push the app out quickly onto the marketplace as there is revenue share involved (which may militate against any in-depth review).
The next layer of prevention (and most powerful but most elusive) would be education at the consumer level, as downloading the app and granting permissions is ultimately the consumer's choice. In life, that would translate into various things our parents taught us: "Don't walk down dark alleys/that neighbourhood/that street at night", "If it is too good to be true, it probably is". However, I think everyone will agree that education is really an uphill task. First, who is going to conduct the education (the app developer? the social media site? the app marketplace operator?) and who will bear the cost? Second, there are consumer habits and, as Ashkan Soltani mentions in the conference, "behavioural economics". How many consumers, when wanting a game or RSS feed aggregator or social networking app, will download it regardless of the levels of access permissions being requested by the app?
The next layer of prevention is really by installing mobile security software to minimise the risks (though we know that only a small proportion of users actually have security software or use security software on their mobile phone). Also, I think there may be some doubt as to the effectiveness of the current slate of mobile security software given the limited access to APIs given to developers (which would include security software vendors).
The last aspect of an approach to this issue would be the deterrent effect of a criminal prosecution (i.e. effective enforcement of regulations). This of course assumes that you could find the individual in question and prosecute. As with most criminal activity, stopping malicious apps and their unfortunate consequences will be impossible, and most steps or solutions are merely steps in mitigation.
Where apps fall into the second category (that is, apps which inadvertently or without ill intent obtain and use personal information unknown to the user), the premise would be that these developers are well-intentioned but perhaps unenlightened (privacy-wise), clumsy or careless, and that the developers are incentivised to engage in a scalable and repeatable business model. As such, I would agree that having certain standards (enforced by the app marketplace operator) would be helpful. Why the app marketplace operator? For the simple reason that they hold the key to the monetary incentive that the developer depends on, and the developer falling within this category would be eager to ensure compliance with these standards to obtain that reward. As a thought, if app marketplace operators required app developers to implement Privacy by Design and made this one basis for approving the app, this would be very helpful (I don't think the costs of implementing this would dent the profits Apple and Google make, though it may be difficult for some third party stores).
In addition, and specifically for Android, users should be allowed to change permission settings after installation instead of the current situation where permission settings cannot be changed after installation. Education would of course be important here as well, though with the same issues mentioned above. Effective enforcement of regulations would be effective here as legitimate developers would be wary of penalties.
I think one of the things which the panelists did not acknowledge enough was the responsibility at the O/S level. For example, there was the consolidated.db controversy with iOS, where location data (or approximate location data) of users could be gleaned from the consolidated.db file, which was stored unencrypted on the desktop when the user's iPhone was synced. No app was involved. Just something that Apple didn't know or consider was an issue until it was pointed out to them.
Ultimately, an interesting discussion with a lot of issues to think about. Ideally, the solution to this would be a holistic approach which involves commercial and technical co-operation between the various stakeholders (whether developers, handset manufacturers, mobile network operators), standards, regulations and effective enforcement of the regulations, and education. That however would require a number of large organisations with sometimes conflicting interests to co-operate. And we all know how difficult it is to get elephants to dance together.