Why Are Mobile Applications a Major Security Concern?
Mobile applications have become essential tools in our daily lives, both for personal and professional use. They contain a wealth of sensitive data and interact with various systems, making them prime targets for cyberattacks.
To address these risks, the Commission Nationale de l’Informatique et des Libertés (CNIL)—the French data protection authority—has published a set of recommendations aimed at strengthening mobile application security and protecting users' personal data. The CNIL is an independent administrative body responsible for ensuring compliance with data protection laws in France and plays a key role in shaping privacy regulations at the European level. As part of the European Data Protection Board (EDPB), it contributes to the enforcement of the General Data Protection Regulation (GDPR), a framework that standardizes data privacy laws across the European Union.
“The mobile environment presents greater risks than the web for data privacy and security.” CNIL – Mobile Applications: The CNIL Publishes Its Recommendations to Better Protect Privacy
These recommendations have a clear objective: to help publishers, developers, and other stakeholders comply with the General Data Protection Regulation (GDPR) while adopting best practices to minimize risks. But how do these guidelines translate into concrete actions? And how does Pradeo support companies in this approach?
Understanding the Responsibilities of Each Stakeholder
The CNIL emphasizes the need for a clear definition of roles among all participants in the mobile application ecosystem. Publishers, developers, SDK providers, app store managers, and operating system vendors must determine whether they act as data controllers, processors, or joint controllers for certain data processing activities. This distinction is crucial as it defines their respective responsibilities and obligations.
For example, a developer who builds an application on behalf of a publisher, without itself collecting or processing personal data, does not have the same obligations as an application publisher that integrates an SDK containing advertising trackers for targeting purposes.
- Application publishers must ensure the security of their applications, justify the data they collect and comply with data collection requirements, and verify that third-party libraries do not exhibit unexpected behaviors. Security measures should be integrated from the development phase onward to prevent vulnerabilities.
- SDK providers must document their practices and inform publishers about the actual use of collected data.
- Operating system vendors must enforce strict permission policies, limit access to sensitive data, and integrate advanced security mechanisms.
- App stores must establish transparent validation criteria and verify that applications comply with data protection principles.
Transparency and Compliant User Consent
Transparency toward users is a key principle. When an application collects personal data, users must be clearly and comprehensibly informed about how their data will be used. Privacy policies are often lengthy, technical, or missing altogether. The CNIL recommends using accessible language and providing this information at the right time: before installation, during the first use, or at the point of data collection.
Asking users to accept general terms and conditions is not enough: consent must be freely given, informed, and collected for each distinct purpose. For example, an app cannot require users to agree to share their data with third parties unless it is strictly necessary for the service's operation.
Additionally, merely requesting permission to access smartphone features (such as the camera or GPS) is insufficient to ensure valid consent under the GDPR. A mechanism must be provided for users to easily withdraw their consent.
Sanctions and Legal Risks
The CNIL has already sanctioned several companies for failing to comply with its recommendations. Notable cases include:
- Apps collecting personal data without explicit user consent.
- Companies using non-compliant advertising trackers.
To enforce its directives, the CNIL has also announced an inspection campaign starting in Spring 2025, highlighting its commitment to ensuring industry-wide compliance.
How to Secure Mobile Applications?
The Privacy by Design approach recommended by the CNIL means that data protection should not be an afterthought but an integral part of application development.
This includes minimizing data collection, implementing strong security measures (such as encrypting sensitive information), and carefully monitoring third-party components integrated into the application, particularly SDKs.
Simplifying Application Security with Pradeo
To assist companies in this process, Pradeo offers a suite of application security solutions that ensure mobile applications comply with security best practices and CNIL requirements.
- APP SECURITY TESTING: Our automated mobile app audit detects unwanted behaviors, such as advertising trackers or personal data manipulation, as well as vulnerabilities. The tool then guides companies through the remediation process.
- SHIELDING: Our shielding solution provides advanced protection for code and intellectual property by blocking malicious code injections and securing mobile applications against reverse engineering and unauthorized reproduction.
- RUNTIME APPLICATION SELF-PROTECTION (RASP): Our embedded security library enables mobile applications to actively defend against threats, ensuring real-time protection against attacks.