Is your business being slurped?
Mobile app data slurping sounds harmless and cutesy — it’s
not. What it means is that data on your smart device is being recorded by an
app (slurped) and transmitted to the app vendor. The mobile app gains access to
device information through permissions and can include requests for location,
access to media storage, the ability to send data and SMSs, and access to
contacts. The list goes on and on, but you get the picture.
Gone Afowl
The biggest offenders can be the most innocuous apps on an
end user’s device. For example, the Angry Birds family of apps has been flagged
for slurping up unencrypted data that can be intercepted by state-sponsored
digital data collectors on its route to the vendor. True to form, the near
omnipresent Angry Birds apps require an excessive list of permissions that
allow them to read and transmit personal and profile data.
Some free apps justify this requirement, claiming it’s
necessary for serving up targeted ads. Other apps don’t work unless you open
your information to them. Even worse, some apps bypass the permissions systems
and transmit your data without your consent.
It’s not just game apps that lack credible security. Recent
research from Ariel Sanchez, a blogger at IOActive, found that out of 40 iOS
banking apps used by 60 banks in about 20 countries, 70% of the apps offered no
support for two-factor authentication (2FA), and 40% of the apps weren’t
validating SSL certificates. In other words, they would accept a bogus SSL
certificate on supposedly secure HTTPS traffic and therefore could not stop a
man-in-the-middle attack.
Apps in the BYOD workplace
While the danger lies primarily with personal-use apps,
mobile data slurping still poses a threat to businesses, because those same apps
transmit data from employees' BYOD devices.
A paper released by Symphony Luo and Peter Yan from Trend
Micro reported that
“A survey of the top 50 free apps available for download in
(one of the most popular app stores) revealed that almost 80% of the samples
had fake versions. These apps span a wide range of categories, including
Business, Media & Video, and Games.”
Luo and Yan go on to say
“Fake apps were more likely to be high-risk apps or malware
rather than just mere harmless copycats. As of April this year, of the 890,482
sample fake apps discovered from various sources, 59,185 were detected as
aggressive adware and 394,263 were detected as malware. Among the fake apps,
more than 50% were deemed malicious.”
For personal smartphones and tablets used in the
workplace, it's paramount that companies review and manage app permissions. At
a minimum, each business must risk-assess whether the device is suitable for use in the workplace.
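A minimal permissions review of the kind this passage calls for, as an added example that is not part of the original post: it parses an Android manifest and flags every case where the app can both read personal data and move it off the device. The permission names are real Android ones; the app name and manifest below are constructed.

```python
"""Flag data-slurping potential from an Android manifest's permission requests."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that read personal data (sources) and permissions that can
# carry it off the device (sinks). Slurping needs one of each.
SOURCES = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "media storage",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_PHONE_STATE": "device identity",
}
SINKS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "SMS",
}

def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{ANDROID_NS}name") for el in root.iter("uses-permission")]

def assess(manifest_xml: str) -> dict:
    """Pair each personal-data source with each available exfiltration sink."""
    perms = set(requested_permissions(manifest_xml))
    sources = sorted({SOURCES[p] for p in perms if p in SOURCES})
    sinks = sorted({SINKS[p] for p in perms if p in SINKS})
    exfil_paths = [(src, sink) for src in sources for sink in sinks]
    unknown = sorted(p for p in perms if p not in SOURCES and p not in SINKS)
    return {"sources": sources, "sinks": sinks, "exfil_paths": exfil_paths,
            "unknown": unknown, "verdict": "review" if exfil_paths else "ok"}

# Constructed manifest for a hypothetical game that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.slingshotgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    report = assess(SAMPLE_MANIFEST)
    for src, sink in report["exfil_paths"]:
        print(f"{src} can leave the device via {sink}")
    print("verdict:", report["verdict"], "| unreviewed:", report["unknown"])
```

Permissions not in either table land in `unknown` so a reviewer sees what the tables do not cover rather than silently passing it.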
At least one article reported that the update process on some consumer smart
devices sends back about 500 records describing how the device has been used
by its owner.
Many vendors are reportedly retrieving more data than is
necessary for legitimate purposes and often don’t bother to encrypt it during
transit.
In the UK and other locations, mobile data slurping collides
with important legal considerations. The Data Protection Act applies to
businesses and not to individuals, but BYOD can cause confusion about which is
which. One fact that’s clear is that if an employee uses a personal device to
access customer data, such as contact or account details, the data is subject
to the laws on data protection. If your business holds and processes
information about your clients, employees or suppliers, you are legally obliged
to protect that information.
CIOs Take Note
Before you allow an app to be installed on any work device,
the app must be checked to ensure it is data-protection compliant. If not, your
business may get hit with a substantial fine – or much worse. Imagine the
reputational hit if your customers' details end up on a marketer's sales list.
The next slurping incident you encounter could be your career
going down the drain.