Severity: medium · CWE-359 · OWASP Mobile Top 10 M6:2024

Inadequate Privacy Controls

The mobile app collects, stores, or transmits personally identifiable information (PII) without proper consent, without encryption, or beyond what the feature actually needs (no data minimization).

How It Works

Mobile apps have access to sensitive device data: contacts, location, photos, camera, and microphone. Inadequate privacy controls include collecting more data than needed, not encrypting PII at rest, sharing data with third-party SDKs without disclosure, lacking a privacy policy, or not providing data deletion options. App store reviews increasingly enforce privacy requirements, and GDPR/CCPA violations carry heavy fines.

Vulnerable Code

// Collecting unnecessary data: every field is gathered up front, whether or not
// the current feature needs it, and without asking the user first
async function buildUserData(user) {
  return {
    email: user.email,
    phone: user.phone,
    location: await getLocation(),   // precise location, read silently
    contacts: await getContacts(),   // the user's whole address book
    deviceId: getUniqueId()          // persistent identifier usable for cross-app tracking
  };
}

Secure Code

// Collecting only what's needed: the profile carries the one field the
// feature requires; anything else is requested at the point of use
function buildUserData(user) {
  return {
    email: user.email  // Only collect what the feature requires
  };
}
// Location only when the user explicitly triggers it (e.g. taps "Find nearby")
// No contacts collection unless it is a core feature, and then only with opt-in consent

Real-World Example

In September 2022, Ireland's Data Protection Commission fined Meta €405 million (roughly $400 million) under the GDPR over how Instagram collected and processed children's data. The app's business-account feature had published the email addresses and phone numbers of minors on their public profiles.

How to Prevent It

  • Only collect data that's strictly necessary for app functionality
  • Encrypt all PII at rest and in transit
  • Provide clear privacy policy and data deletion options
  • Audit third-party SDKs for data collection practices

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.
