The study, which examined 1,200 mobile apps globally, reported that one in three apps appeared to request an excessive number of permissions to access additional personal information.
The study found that 32% of apps requested location information, 15% asked for access to other accounts, while 10% wanted access to the smartphone's camera.
In a guide published last year for app developers, the ICO stated: "You should only collect and process the minimum data necessary for the tasks that you want your app to perform.
"Collecting data just in case you may need it in future is bad practice, even when the user has consented to provide that information.
"It's also in your interest not to hold data you don't need because this automatically reduces the risk that you might accidentally lose or mishandle it."
Data collection unnecessary
Jon Holttum, a founding member of the Open Mobile Security Alliance (OMSA) and founder of software company Spaggetti, said the collection of so much personal information was unnecessary.
"If you download a social media app, it may ask for access to your camera and contacts. But there is no need for app developers to collect all this information," he said.
Read more on data privacy
Clearly, companies regard an app as a one-stop-shop to collect as much information as possible when the user downloads and installs it.
The ICO guidelines go against the trend among apps developers and marketing departments, which gather demographics information, age and location, among other things, to cross-sell additional products to the user and, increasingly, target the user’s contacts.
For Holttum, the issue is that when a user downloads an app, there appears to be a blasé attitude to data collection.
By installing an app, the user accepts the app’s terms and conditions, which the app’s developer then assumes, giving them carte blanche to use all the features on the smartphone that the user has unwittingly given them access to.
"In the mobile apps market it is easier to collect information, especially if this requires user input," said Jose Talavera, solution consultant at testing company Keynote. "But this has meant users share a lot of information that they are not always aware of."
App users' privacy rights
Privacy is one of the areas highlighted in a paper from Aqua, the app quality alliance, which is funded by AT&T, Sony, LG, Samsung, Nokia and Oracle. Aqua's Best Practice Guidelines for producing high-quality mobile applications stated: "Active consent must be obtained separately from approval of service terms or privacy notice/policy."
App developers should enable users to unsubscribe from marketing messages and to request that the developer stops using their personal data for direct marketing or market research purposes, according to Aqua's guidelines.
The alliance urged app developers to seek active consent from users to use their data for purposes that are outside the main scope of the app, such as targeted advertising or analytics.
The guide also recommended that app developers periodically remind users or provide a visual indicator when location data – GPS, IP address, cell tower, Wi-Fi-based location data – or user information is being sent to any other service.
From a user’s perspective, it is far too easy, for instance, to connect accidentally to LinkedIn or Facebook contacts, thereby giving the app access to everyone on their social networks.
Some people would argue that the app has no right to this information. It certainly opens up potential security risks, especially if access is inadvertently given to the contacts and the calendar, which happen to be linked to the corporate Microsoft Exchange server.
Exchanging information for added features
"The reason the app wants to access your contacts is never explained," said Holttum. "And when you try to remove the access, you have to go deep into the company’s website and app privacy settings."
Users share a lot of information that they are not always aware of
Jose Talavera, Keynote
Rather than attempting to collect all information up front, Holttum recommended app developers start small by explaining why they want the information.
At a later date, the app developer could then collect some additional information, such as the user’s mobile number to provide SMS-based track-and-trace for an e-commerce order.
"You give people the ability to move on, to get more benefits based on what they sign up to," he said.
Holttum suggested it would be more beneficial for the app developer to ask users to drip-feed personal information over a protracted period of time, in exchange for greater functionality.
"You hope people will use the app, but if you go back to users with an update, and capture a bit more data then you are back in contact with them, this makes the app more sticky, in terms of keeping customers engaged," he said.