M6: Inadequate Privacy Controls

Inadequate privacy controls mean the app collects, processes, or shares personal data without sufficient transparency, consent, or safeguards. Regulations such as GDPR, CCPA, and regional privacy acts make uncontrolled data handling a legal and reputational risk. Mobile platforms grant access to sensors, location, contact lists, and unique identifiers—mismanaging any of these can expose users to tracking or unwanted disclosure.

Typical Weakness Patterns

  • Collecting more data than is necessary for the core feature set, or failing to offer opt-in controls.
  • Sharing personal data with third-party analytics or advertising SDKs without explicit user consent.
  • Logging sensitive details (PII, health records, geolocation) to device storage or remote logging endpoints.
  • Not honouring platform privacy requirements such as Android data safety declarations or iOS privacy nutrition labels.

Detection Cues

  • Static analysis of code paths that access sensitive APIs (camera, microphone, contacts) without checks for runtime permissions.
  • Privacy-focused dynamic testing that monitors outbound network calls for unexpected data attributes.
  • Reviewing telemetry, crash reports, and analytics payloads to ensure they are de-identified or aggregated.

Mitigation

  • Adopt data minimisation: collect only the information required for the feature and purge anything that is no longer needed.
  • Provide user-facing controls for sensitive features and document how data is used, stored, and shared.
  • Reduce reliance on invasive third-party SDKs, or sandbox their execution using privacy gateways and strict configuration.
  • Anonymise logs, encrypt sensitive attributes, and align retention policies with regulatory requirements.
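The detection cues about inspecting outbound analytics payloads and the mitigation to anonymise what is logged, as an added Python example that is not part of the OWASP text: a scanner that flags personal attributes in a captured JSON event, and an anonymiser that hashes identifiers, coarsens location, redacts PII in free text and drops contacts before the event leaves the device. The sample event, the key list and the salt are constructed for illustration.

```python
import hashlib
import re
# Keys whose values are personal or tracking data if they reach an analytics endpoint (constructed list).
SENSITIVE_KEYS = {"email", "phone", "latitude", "longitude", "imei", "advertising_id", "contacts"}
# Value patterns that reveal PII even under an innocuous key name.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ()-]{7,}\d"),
}
def find_pii(obj, path=""):
    """Walk a decoded JSON payload; return (path, reason) for every suspect attribute."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                hits.append((child, f"sensitive key '{key}'"))
            hits.extend(find_pii(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_pii(item, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for name, pattern in PII_PATTERNS.items():
            if pattern.search(obj):
                hits.append((path, f"value looks like {name}"))
    return hits
def anonymise(payload, salt):
    """Return a copy fit for telemetry: identifiers hashed, location coarsened, contacts dropped."""
    out = {}
    for key, value in payload.items():
        lk = key.lower()
        if lk == "contacts":
            continue  # never needed for analytics, so drop it outright
        if lk in ("latitude", "longitude"):
            value = round(float(value), 1)  # roughly an 11 km grid instead of an exact position
        elif lk in SENSITIVE_KEYS:
            value = hashlib.sha256((salt + str(value)).encode()).hexdigest()[:16]
        elif isinstance(value, dict):
            value = anonymise(value, salt)
        elif isinstance(value, str):
            for pattern in PII_PATTERNS.values():
                value = pattern.sub("[redacted]", value)
        out[key] = value
    return out
# Constructed sample: one analytics event as an intercepting proxy would capture it (not real data).
SAMPLE_EVENT = {"event": "screen_view", "latitude": 51.50735, "longitude": -0.12776,
                "user": {"email": "jane@example.com", "advertising_id": "c4f1-9e2b-7a3d-0b5e"},
                "note": "call me on +44 20 7946 0958", "contacts": ["bob@example.com"]}
```

The salt must be a secret kept out of the analytics pipeline; with a known salt the hash is only a stable pseudonym, not anonymisation.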