South African Android Applications, Their Security Permissions and Compliance With the Protection of Personal Information Act

South Africa's promulgated privacy law the Protection of Personal Information Act No. 4 of 2013 (POPIA) - demands careful consideration from every entity that processes personal identifiable information (PII). Though the law is not yet in effect, compliance is a big concern, and there is a much uncertainty surrounding the effort that will be required to be compliant. The security principle of least privilege plays a significant role in privacy and privacy protection, and consequently features in much privacy legislation. A particular area of concern is the Android software market in which application developers are (for the most part) unregulated. The uncertainties around compliance, and the ease of entry to the Android software market exposes the unwary application developer to the (eventual, but unavoidable) force of POPIA. Moreover, the access control model in Android allows applications access to personal information stored on user devices (once they are installed with consent). This paper reports on an investigation into Android security permissions and the alignment of these permissions with POPIA. Twenty-one Android applications - designed and released for the South African market were reviewed, and for each, the requested access were examined, and how this compares to the required permissions according to the application's end -user agreement. Compliance of the applications was assessed in accordance with chapter three of POPIA (which defines eight conditions for the lawful processing of personal information); however, the investigation was limited to what was observable without needing access to intellectual property. Findings indicate that, for the application versions investigated many are not fully compliant with POPIA, and that the granularity of permissions in Android may cause significant problems for South African applications. This also indicates that free-lance developers may incur significant risk in developing and releasing software if care isn't taken with the permission model. Moreover, it indicates that training and awareness of POPIA especially for software developers should receive more attention.