Export Compliance Daily is a Warren News publication.

Don't Overlook API Privacy, Security, FTC Official Says

Don't overlook privacy and security issues associated with application programming interfaces of mobile devices, as APIs have been abused by some apps, wrote Nithan Sannappa, an attorney in the FTC Division of Privacy and Identity Protection, in a blog post Thursday. Unlike with desktops, “With the rapid evolution of the internet and the spread of malware, it soon became clear that not all applications could be trusted,” he wrote. In computing, “privilege” is the right to perform an action like accessing a device resource while “sandboxing” is implementing the privileges necessary to “complete the job,” Sannappa said. Though “nearly all modern mobile operating systems feature sandboxing,” there are various approaches on how and when an app should be permitted to access things like a device camera or mic, or a user’s contacts or calendar, Sannappa said. APIs decide which resources a developer needs and how users should be informed of that access.

Mozilla’s Firefox OS prevents third-party applications from accessing the device’s telephony API, Sannappa said. “According to its documentation, Mozilla restricted access to this API in order to prevent the creation of malicious applications that surreptitiously dial premium phone numbers, a practice known as ‘toll fraud,’” Sannappa said. “Google’s Android operating system provides developers with a telephony API, as well as many other APIs that are not accessible on other operating systems,” he said. “Providing developers with too much flexibility can create privacy and security risks.”

The FTC previously filed a complaint against HTC America alleging a vulnerable application pre-installed on the company’s Android devices copied sensitive personal information, such as location data and text messages, to the system log, potentially exposing this information to third-party applications, Sannappa said. He also cited 2013 comments from Facebook that developers were copying Facebook user IDs to their system logs, and noted that apps continued to abuse these APIs after Apple began a policy in 2010 prohibiting developers from collecting users' personal information like contacts and calendars.