Relevance of the Personal Data (Privacy) Ordinance to the Security of SSL
Implementation in Mobile Application Development
Data Protection Principle 4 - Security (“DPP4”) [2] under the Personal Data (Privacy) Ordinance
requires a data user to take all reasonably practicable steps to implement security precautions,
the level of which should be commensurate with the seriousness of the potential harm that could
result from a data breach.
The guidance note “Personal data privacy protection: what mobile apps developers and their clients
should know” [3] states that a data user should consider the use of technological safeguards,
including encrypting personal data in transmission to prevent unauthorised interception or access.
For the effective protection of data by encryption technology, the data user and the mobile
app developer should answer the following questions:
1. Is the transmission of sensitive data properly protected by encryption?
2. Is the strength of the encryption technology proportional to the associated security risks?
For critical services such as financial applications, cybercriminals have the incentive to
use more advanced attacks to circumvent normal SSL certificate validation. For example, they
might trick the user into installing an attacker-controlled root certificate on the mobile
device; any server certificate the attacker then issues under that root passes the standard
chain validation. In this case, the mobile app owner and developer should consider adopting
more advanced techniques such as certificate pinning [4] to defend against such attacks.
3. Is the encryption properly implemented so that it cannot be easily circumvented?
In mobile app development, the SSL/TLS protocol is commonly used to encrypt sensitive data
in transmission, and a faulty implementation gives attackers many openings. For example, if
the mobile app does not check the server certificate's expiry date, that it was signed by the
expected certificate authority, and that the connection uses strong, state-of-the-art
encryption algorithms, an attacker can present an expired certificate or a fake certificate,
or use a known downgrade attack to force the use of a weak encryption algorithm.
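The checks behind questions 2 and 3 above, as an added example that is not part of the original paper. It is written in Python's standard `ssl` module rather than for a specific mobile platform (the same settings map onto the platform TLS APIs): a client TLS policy that requires a trusted chain, a matching hostname (a check the paper's list omits but which is just as important as expiry and issuer) and TLS 1.2 or later with no legacy ciphers; an expiry check on the peer certificate; and a public-key pin computed as base64(SHA-256(SubjectPublicKeyInfo)), which still rejects a certificate issued by a user-installed fake CA even though that certificate would pass ordinary chain validation. The DER reader/writer and the two sample certificates are constructed for this example; they are unsigned placeholders, not real certificates, and the `fake_*` and `GENUINE_*`/`ROGUE_*` names are this example's own.

```python
import base64
import hashlib
import ssl


# --- Client TLS policy (questions 2 and 3) ----------------------------------
def secure_client_context(cafile=None):
    """create_default_context already demands a trusted chain (CERT_REQUIRED)
    and a hostname match; on top of that refuse TLS < 1.2 and legacy ciphers so
    a downgrade to a weak algorithm cannot be forced."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_policy(ctx):
    """Plain-value summary of the settings a reviewer would check."""
    return {"verify": ctx.verify_mode.name, "hostname": ctx.check_hostname,
            "min_tls": ctx.minimum_version.name}


def validity_ok(peer_cert, now_epoch):
    """Expiry check on the dict returned by SSLSocket.getpeercert()."""
    not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return not_before <= now_epoch < not_after


# --- Minimal DER reader/writer (written for this example, not a library) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one DER tag-length-value."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_read(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, end offset)."""
    first = buf[pos + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + hdr
    return buf[pos], buf[start:start + length], start + length


def extract_spki(cert_der):
    """Return the DER of subjectPublicKeyInfo, the field a public-key pin hashes.
    Certificate > tbsCertificate > [version] serial sigAlg issuer validity subject SPKI."""
    _, cert, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert, 0)
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:                      # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                   # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: subjectPublicKeyInfo not found")
    return tbs[pos:end]


# --- Public-key pinning -----------------------------------------------------
def pin_of_spki(spki_der):
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the usual pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der, pin_set):
    """Run AFTER normal chain/hostname validation; pinning supplements it."""
    return pin_of_spki(extract_spki(cert_der)) in pin_set


# --- Constructed sample certificates: unsigned placeholders, not real certs --
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def fake_spki(key_byte):
    return tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" + bytes([key_byte]) * 64))


def fake_cert(spki):
    alg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"")
           + tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"300101000000Z"))
           + tlv(0x30, b"") + spki)
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 17))


GENUINE_SPKI = fake_spki(0x01)
GENUINE_CERT = fake_cert(GENUINE_SPKI)
ROGUE_CERT = fake_cert(fake_spki(0x02))   # same validity, different key: a fake-CA cert
PINS = {pin_of_spki(GENUINE_SPKI), pin_of_spki(fake_spki(0x03))}  # current key + backup key

if __name__ == "__main__":
    print(context_policy(secure_client_context()))
    print("genuine pinned:", pin_matches(GENUINE_CERT, PINS))  # True
    print("rogue pinned:  ", pin_matches(ROGUE_CERT, PINS))    # False
```

Two points of practice the block encodes: the pin set holds a backup pin for a key that is not yet deployed, so the app is not locked out when the server key is rotated, and the pin is compared only after the normal validation has passed, never instead of it. On Android the same pin format is consumed declaratively by the Network Security Configuration pin-set, so the hashing logic above mainly matters where an app validates certificates itself. Note also that the Wikipedia page cited at [4] describes HTTP Public Key Pinning, the browser header, which has since been withdrawn by browsers; pinning inside a mobile app, the technique the paper recommends, is unaffected by that withdrawal.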
To ensure proper protection of sensitive data in transmission, the mobile app owner should set
out the requirements for the selected implementation of encryption and validation of digital
[2] Data Protection Principles, Office of the Privacy Commissioner for Personal Data,
https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html#4
[3] Personal data privacy protection: what mobile apps developers and their clients should know,
Office of the Privacy Commissioner for Personal Data,
https://www.pcpd.org.hk/english/resources_centre/publications/files/apps_developers_e.pdf
[4] Certificate Pinning, Wikipedia, https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning