Basic Security Assessment Questions

The following questions comprise our basic security assessment. You have several options for navigating these questions and learning more about data security. This page contains 10 basic questions that relate to the most important privacy and security observational practices of smart devices and mobile applications. The full security assessment questions integrate the Consumer Reports Digital Standard questions, Ranking Digital Rights questions, and OWASP IoT project questions into a single full security assessment framework.

1. Device Collection

Criteria:

  • Personal information
  • Metadata information
  • Camera access
  • Video access
  • Microphone access
  • Location access

Indicators:

  • Assess whether personal information, voice information, photographic information, metadata, and/or video information is collected by the device or application on a mobile device.

Questions:

  • Personal Information: Does the application or service collect Personally Identifiable Information (PII)?
  • Voice Information: Does the application or service collect voice recording data?
  • Image Information: Does the application or service collect photographic or video information?
  • Location Information: Does the application or service collect precise geolocation data?
  • Health Information: Does the application or service collect health or biometric data?
  • Behavioral Information: Does the application or service collect behavioral data?
  • Metadata Information: Does the application or service automatically collect any usage information or metadata?

2. Device Sharing

Criteria:

  • Unknown third parties
  • Type of data shared

Indicators:

  • Assess whether the application or service shares data with third-party companies not listed in its privacy policy.
  • Assess whether different types of personal information are shared with third parties in ways that are not disclosed in the privacy policy.

Questions:

  • Third Parties: Does the application or service share data with third parties not listed in the privacy policy?
  • Data Shared: Does the application or service share data not disclosed in the privacy policy?

3. Privacy Controls

Criteria:

  • App permissions
  • Data sharing controls
  • Opt-out of first- or third-party marketing
  • Age gate in place for children
  • Parental controls available

Indicators:

  • Assess whether there are restrictions on children creating accounts and methods for a parent or guardian to provide consent.
  • Assess whether the default settings for privacy controls or preferences on the mobile application provide better privacy protections for the user.

Questions:

  • Data Access: Does the application or service provide users the ability to access data in their account?
  • Data Modification: Does the application or service provide users the ability to modify data in their account?
  • Data Deletion: Does the application or service provide users the ability to delete data in their account?
  • Account Deletion: Does the application or service provide users the ability to terminate their account?
  • Device Permissions: Does the application or service still provide functionality if all user permissions for data access are declined?
  • Default Privacy: Does the application or service set privacy settings or protections by default?
  • Collection Consent: Does the application or service provide a choice for users to consent to provide optional information beyond what is necessary?
  • Parental Controls: Does the application or service provide managed accounts or parental controls to provide consent?
  • Child Age Gate: Does the application or service require a birthdate for account registration to determine if the user is under 13 years of age?

4. Account Protection

Criteria:

  • Changes to account
  • Strong passwords used
  • Password recovery
  • Account lock-out

Indicators:

  • Assess whether there is a strong password or complex passphrase requirement to create an account, and no default username or password is used.

Questions:

  • Strong Password: Does the application or service require the user to create a strong passphrase or complex password?
  • Existing Password: Does the application or service require the existing password for the user in order to change the password?
  • Password Recovery: Does the web service provide a secure password recovery mechanism?
  • Password Expires: Does the web service provide for the expiration of user passwords?
  • Change Defaults: Does the web service require the default username and password to be changed?
  • Account Changes: Does the web service provide an ability for the user to change their username and password?
  • Account Lockout: Does the web service lock out an account after a specified number of failed authorization attempts?
  • Two-Factor Authentication: Does the web service provide two-factor authentication for any area where authorized access is required?
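The account-protection questions above describe behaviour that can be checked against an implementation. The following is an added example, not code from the assessment or from any product it evaluates: a small in-memory account store that enforces a strength policy at registration, refuses vendor-default credentials, requires the current password before a change, and locks the account after repeated failures. The password policy, the lockout threshold, the PBKDF2 parameters and the demo credentials are constructed assumptions.

```python
"""Account-protection checks from section 4 (strong passwords, no default
credentials, current password required to change it, lockout after repeated
failures), modelled as a small in-memory account store. Added example: the
password policy, the lockout threshold and the demo credentials are constructed
assumptions, not values from the assessment."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LOCKOUT_THRESHOLD = 5                       # assumed policy: lock after 5 failed logins
PBKDF2_ITERATIONS = 100_000                 # kept low so the demo runs quickly
# Constructed list of vendor-default credentials that must never remain in use.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


def password_is_strong(password: str) -> bool:
    """'Strong Password': at least 12 characters and at least three of the four
    character classes. An assumed policy for the example, not a standard."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= 12 and present >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        """'Change Defaults' and 'Strong Password' are enforced at registration."""
        if (username, password) in DEFAULT_CREDENTIALS:
            raise ValueError("default credentials must be changed before use")
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength policy")
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> bool:
        """Constant-time comparison; counts failures and applies 'Account Lockout'."""
        acct = self._accounts.get(username)
        if acct is None or acct.locked:
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct.locked

    def change_password(self, username: str, current: str, new: str) -> bool:
        """'Existing Password': a change requires the current password, and the
        new one must satisfy the same policy as at registration."""
        if not self.login(username, current) or not password_is_strong(new):
            return False
        acct = self._accounts[username]
        acct.salt, acct.digest = hash_password(new)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse-Battery-9")
    for _ in range(LOCKOUT_THRESHOLD):
        store.login("alice", "wrong-guess")
    print("alice locked:", store.is_locked("alice"))
```

A failed password change counts as a failed login, so an attacker who already holds a session cannot use the change form to guess the current password without triggering the same lockout.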

5. Device Safety

Criteria:

Indicators:

Questions:

  • Social Interactions:
  • Visible Data:
  • User Content:

6. Device Security

Criteria:

  • Encryption used
  • Secure Wi-Fi
  • Secure Bluetooth

Indicators:

  • Assess whether the application or device's network traffic over Wi-Fi is encrypted.
  • Assess whether any Bluetooth connection between the device and mobile application is secured with pin pairing.

Questions:

  • Web Support Encryption: Does the web service use HTTPS for the homepage, login page, or pages accessed while logged in?
  • Web Encryption Required: Does the homepage, login page, or pages accessed while logged in force encryption back to HTTPS if changed to HTTP?
  • Data Secure: Does the mobile application encrypt communication between devices and the Internet?
  • Storage Encryption: Does the mobile application encrypt data stored on the mobile device?
  • Secure Cookies: Does the web service set the Secure flag on its persistent and session cookies?
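The "Web Encryption Required" and "Secure Cookies" questions can be answered from the HTTP responses a service returns. The following is an added example, not code from the assessment: it parses two constructed responses (not captured from any real product) and reports whether a plain-HTTP request is redirected to HTTPS on the same host and which cookies lack the Secure flag. The HSTS check goes beyond the question list; it is the header that makes the "force back to HTTPS" behaviour stick for later visits.

```python
"""Checks for the 'Web Encryption Required' and 'Secure Cookies' questions in
section 6, run over captured HTTP response heads rather than a live site.
Added example; the two responses below are constructed, not captured."""
from typing import List, Tuple
from urllib.parse import urlsplit

Headers = List[Tuple[str, str]]


def parse_response(raw: str) -> Tuple[int, Headers]:
    """Parse a raw HTTP/1.1 response head into (status, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def forces_https(raw: str, requested_url: str) -> bool:
    """'Web Encryption Required': a plain-HTTP request must be answered with a
    redirect whose Location is the HTTPS form of the same host."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return False
    location = next((v for k, v in headers if k == "location"), "")
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == urlsplit(requested_url).hostname


def insecure_cookies(raw: str) -> List[str]:
    """'Secure Cookies': names of Set-Cookie entries that lack the Secure flag."""
    _, headers = parse_response(raw)
    missing: List[str] = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing


def hsts_present(raw: str) -> bool:
    """Beyond the question list: Strict-Transport-Security keeps the browser on
    HTTPS for future visits, so a site that forces HTTPS should also send it."""
    _, headers = parse_response(raw)
    return any(name == "strict-transport-security" for name, _ in headers)


# Constructed sample: what the service answers to http://app.example.invalid/login
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://app.example.invalid/login\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed sample: a logged-in page that sets one good and one weak cookie
LOGGED_IN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: remember_me=xyz; Path=/; Max-Age=2592000\r\n\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    print("forces https:", forces_https(HTTP_REDIRECT, "http://app.example.invalid/login"))
    print("cookies without Secure:", insecure_cookies(LOGGED_IN_PAGE))
    print("hsts:", hsts_present(LOGGED_IN_PAGE))
```

A redirect that points at a different host, or a 200 response to the plain-HTTP request, both count as "no" for the encryption-required question, since in either case the session can continue unencrypted.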

7. Ads & Tracking Requests

Criteria:

  • Ads displayed
  • Advertising requests
  • Tracking requests

Indicators:

  • Assess the solution to determine whether the service displays traditional advertisements.
  • Assess the solution to determine whether the services provide targeted advertisements.
  • Assess whether the application or service connects to known advertising or tracking servers or domains.

Questions:

  • Advertising Displayed: Does the application or service display advertisements?
  • Advertising Requests: Does the application or service send advertising requests to third parties?
  • Tracking Requests: Does the application or service send tracking requests to third parties?

8. Software Updates

Criteria:

  • Automatic software and/or firmware updates
  • Encrypted software updates

Indicators:

  • Assess whether the application or device receives firmware (software on the device used for operation) or update files using encryption.
  • Assess whether software or firmware updates are easy to install or automatic.

Questions:

  • Updates Available: Is the software kept protected with software updates for a clearly defined and communicated period of time (i.e., the product life cycle)?
  • Update Encryption: Does the application or service encrypt update files transmitted to the device?
  • Update Notice: Is the user notified software updates are available or that updates have been installed?
  • Update Process: Is the software update process simple for the user to complete?
  • Signed Updates: Does the application or service sign and validate update files transmitted to the device?
  • Automatic Updates: Can the user change the software update process to be automatic?
  • Firmware Update: Is the device firmware able to be modified or updated?
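The "Signed Updates" question asks whether update files are signed and validated on the device. The following is an added example, not code from the assessment or from any vendor's update pipeline: a producer that binds the payload digest and version into a tagged manifest, and a device-side verifier that authenticates the manifest before trusting anything in it. It uses an HMAC-SHA256 tag under a per-device key as a stand-in for the asymmetric signature a real pipeline would use, so that it runs on the standard library alone; the manifest layout, the key and the firmware bytes are constructed. The downgrade check goes beyond the question list: refusing an older, still validly signed version is part of validating an update in practice.

```python
"""Device-side verification of an update package, for the 'Signed Updates'
question in section 8. Added example: HMAC-SHA256 under a per-device key
stands in for the asymmetric signature a real update pipeline would use.
The manifest layout, the key and the firmware bytes are constructed."""
import hashlib
import hmac
import json
from typing import Any, Dict

DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed
INSTALLED_VERSION = 4                                     # constructed


class UpdateRejected(Exception):
    """Raised with the reason an update package failed validation."""


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so producer and verifier tag identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_manifest(payload: bytes, version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Producer side: bind the payload digest and version into a manifest and tag it."""
    body = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode("utf-8")


def verify_update(manifest: bytes, payload: bytes,
                  installed_version: int = INSTALLED_VERSION,
                  key: bytes = DEVICE_KEY) -> int:
    """Device side. Order matters: authenticate the manifest first, and only
    then trust the digest and version it carries. Returns the version to install."""
    try:
        doc = json.loads(manifest)
        body = doc["body"]
        tag = str(doc["tag"])
        version = int(body["version"])
        digest = str(body["sha256"])
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateRejected(f"malformed manifest: {exc}")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest tag does not verify")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), digest):
        raise UpdateRejected("payload digest does not match manifest")
    if version <= installed_version:
        raise UpdateRejected(f"downgrade from {installed_version} to {version} refused")
    return version


def is_accepted(manifest: bytes, payload: bytes,
                installed_version: int = INSTALLED_VERSION) -> bool:
    """Report accept/reject as a boolean for callers that only need the verdict."""
    try:
        verify_update(manifest, payload, installed_version)
        return True
    except UpdateRejected:
        return False


if __name__ == "__main__":
    firmware = b"constructed-firmware-image-v5"   # constructed payload
    manifest = make_manifest(firmware, 5)
    print("accepted:", is_accepted(manifest, firmware))
    print("tampered accepted:", is_accepted(manifest, firmware + b"x"))
```

Encryption of the update in transit ("Update Encryption") is a separate property and is not shown here; an encrypted but unsigned update still lets anyone who can reach the transport substitute content, which is why the assessment asks both questions.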