Privacy and data protection in mobile applications : a study on the app development ecosystem and the technical implementation of GDPR
While online users increasingly rely on mobile applications (apps) for their everyday activities and needs, the processing of personal data through such tools poses significant risks to users' security and privacy. Such risks stem mainly from the variety of data and sensors held in mobile devices, the use of different types of identifiers and the extended possibilities for tracking users, the complex mobile app ecosystem and limitations of app developers, as well as the extended use of third-party software and services. For these reasons, the implementation of the core data protection principles, as stipulated by the General Data Protection Regulation (GDPR), faces serious challenges in mobile apps. This may hinder compliance of mobile app developers and providers with specific rules of GDPR, e.g. with regard to transparency and consent, data protection by design and by default, as well as security of processing. Against this background, the scope of the present document is to provide a meta-study on privacy and data protection in mobile apps by analysing the features of the app development environment that impact privacy and security, as well as defining relevant best practices, open issues and gaps in the field. To this end, the document explains the basics of the app development lifecycle and takes a look at different depictions of mobile app ecosystems (development versus deployment). While the ecosystem is complex, an app-developer-centric approach is taken, while also addressing app providers and other actors in the ecosystem (OS providers, device manufacturers, market operators, ad libraries, etc.). Specifically, roles and responsibilities are analysed and aspects of software development are discussed as they can be leveraged as privacy and security action points. Idealized app lifecycles (data versus development lifecycles) are presented, as well as their potential for implementing privacy by design.
Particular attention is paid to the Agile Secure Development Lifecycle and possible ways of extending it to also cover privacy and data protection requirements. The permission model of apps is used as an example for a more detailed analysis of data protection challenges in the current mobile app development and deployment practices. Moreover, the document focuses on the concept of privacy by design and tries to make it clearer, especially for mobile app developers. Approaches to privacy and data protection by design and by default are presented that help translate the legal requirements into more tangible engineering goals that developers are more comfortable with. In particular, the concepts of data protection goals and privacy design strategies are discussed in general terms, while providing concrete examples from the mobile app development perspective.
Year of publication: | [2017] |
---|---|
Institutions: | European Union Agency for Network and Information Security (issuing body) |
Publisher: | Heraklion : ENISA |
Subject: | Data protection; Mobile application; Data security; Mobile communications |
Extent: | 1 online resource (69 p.), illustrations (colour) |
---|---|
Type of publication: | Book / Working Paper |
Language: | English |
Notes: | Bibl. : p. 63-69 |
ISBN: | 978-92-9204-242-4 |
Other identifiers: | 10.2824/114584 [DOI] |
Source: | ECONIS - Online Catalogue of the ZBW |
Persistent link: https://www.econbiz.de/10015286983
Similar items by subject
- New digital public health tools : privacy by design in contact tracing mobile apps for COVID-19. Koritnik, Boštjan, (2022)
- Security and Privacy in Wireless Body Area Network. Sangari, Siva, (2014)
- Sharing but caring : location based mobile applications (LBMA) and privacy protection motivation. Rodríguez-Priego, Nuria, (2022)