That was the message delivered at a hearing of the U.S. Senate committee on Commerce, Science, and Transportation held yesterday. Companies and regulators are struggling to find ways to ensure that user data is handled properly by apps installed on smartphones, but the way apps are designed makes this difficult.
Mobile privacy has come under extreme scrutiny since revelations that Apple’s iPhone and Google’s Android software collect and store users’ location data. Last week, a U.S. Senate subcommittee questioned those two companies on their handling of personal data. This week, Facebook joined Google and Apple on the hot seat.
But all three companies run platforms that support thousands of third-party developers, and how to make sure those apps respect users’ privacy, and explain their rules, is a major question. Sen. Mark Pryor (D-Arkansas) said at the hearing, “It’s not clear that Americans understand how their information may be shared or transferred.”
The hearing also highlighted several reasons why it’ll be difficult to control what apps are doing with user data. It’s not clear which laws should be used to regulate third-party apps, and, in some cases, it’s hard to design proper technical requirements. “There’s no privacy law for general commerce whatsoever,” said Sen. John Kerry (D-Massachusetts). “Data collectors alone are setting the rules.”
A major initiative designed to improve consumer privacy on the Web—the proposed “Do Not Track” bill—could be hard to apply to mobile devices, regulators said. The bill would allow consumers to opt out of having their online activity tracked.
For mobile devices, the situation is more complicated, partly because the devices can observe users’ physical location, as well as the sites a user visits or apps he or she uses. David Vladeck, director of the U.S. Federal Trade Commission’s Bureau of Consumer Protection, says the Do Not Track bill is designed to cover online movements, not geolocation, which might need its own protection.
While Do Not Track protects consumers from being tracked when they move from one website to another, Vladeck said, it’s not always clear within an app when this is happening. Princeton University’s director for Information Technology Policy, Edward Felten, who is consulting with the FTC on this issue, explains that, while third-party code on a website clearly comes from a different server than the rest of the site, all the code in an app looks the same no matter where it originated.
The key goals, Felten says, are to give users a simple way to opt out of sharing data beyond the site they’re interacting with, and to follow through technically on users’ wishes. He says that doing so on mobile devices is certainly possible, but it requires additional thinking, since not all the technology can be adapted directly from what’s being done in the browser.
Some app developers may be hesitant to explain how they will use data—to leave the door open for opportunities that may arise in the future. Morgan Reed, executive director for the Association for Competitive Technology, said during the hearing that app makers struggle to provide privacy policies that “work for today but also for tomorrow.” He also pointed out that Google, Apple, and Facebook can change their policies at any time, which could, in turn, affect app makers.
Whatever regulators decide, there is significant momentum toward giving users more information and control over what third-party apps can do. For example, a company called Whisper Systems is providing a modified version of Google’s Android that allows users to see and control where their personal information is going. This week, Twitter announced that its permissions screen for apps will be more detailed. Other companies may follow that lead.