How mobile apps can take whatever data they want from a smartphone

According to some research, more than 70% of organizations permit use of personally owned devices for business purposes. If your company is among them, read on. I have some eye-opening information that might make you rethink your BYOD policy and the measures you take to protect corporate data.

I recently interviewed Domingo Guerra, president and co-founder of Appthority, a company that analyzes mobile applications to discover what they do, not just from a functionality perspective, but also what the apps do under the hood. By this I mean, what information the app collects from the device the owner may or may not know about, such as the user's contact list, the device's location and other private information. After talking with Guerra, I was ready to rip a bunch of apps off my smartphone -- and you might be too. Just think what these apps could be collecting from your enterprise.

Let's start with a bit of background on mobile versus traditional applications development. In a traditional commercial software market, a small number of companies produce software for public consumption -- companies like Microsoft, Symantec, SAP, etc. These companies make their money by selling a license to use the software, annual renewals or upgrades, and perhaps some services or a support contract. They invest heavily in quality control of their products. If they didn't, they'd quickly go out of business.

In the mobile app development world, there are hundreds of thousands of unique developers. They put their code together quickly to rush the app to market, maybe for the Apple or Android marketplaces, where an app is often free or very low cost. The 99 cents a developer charges for his app (minus the commission paid to the app store) may be all the money he ever collects from the buyer. Consequently, the developer looks for other means of revenue. This is where ad networks enter the market.

[ IN THE NEWS: California AG: Mobile apps should limit data collection ]

Ad networks are happy to pay mobile developers for information they can collect from users' devices. This is why an app will request to collect information that isn't directly related to the app. For example, a game might ask to collect the device's location information, even though the location has no bearing on the game. Once the app is able to collect the user's location, he can be tracked anywhere he goes. Think about this: your sales people can be tracked to customer locations; your executives can be tracked as they go to a secret merger & acquisition meeting; your staff can be tracked to their homes.

Developers in search of revenue don't necessarily wait for permission to collect data. Even if a user denies an app access to his location information, the app can figure it out using geo-IP tracking, cellphone triangulation or Wi-Fi network recognition. The mere presence of the app on a smartphone can be betraying the user's trust without his knowledge or permission.

Sometimes the user agreement that users accept (and hardly ever read) when downloading an app grants permission to collect and share data beyond that particular app. Guerra says that there's often a mismatch between what the users perceive they are giving permission to and what permission is actually being granted. Permission is being granted to the app itself, but people don't realize that the app may have code from ad networks or analytic frameworks built in. Therefore, the permission is grandfathered to those third parties as well. This means the contact list on the phone can be sucked right out and sent to the ad network. If a user has his work email synched to his smartphone, his work contact list can be sent outside the company without anyone's knowledge.

Guerra says it's also common for permissions to be written so generically that it's not explicit what the user is granting access to. There are apps that say they are going to work in the background but what they really mean is that the app will be on all the time and therefore collecting data all the time, even when the user is not necessarily using it. The app can be surreptitiously collecting information on the user 24/7.

When an app developer works with an ad network, he is able to make money as long as the application is on the user's device -- whether it's actively used or not. What's more, the developer is not constrained to just one ad network. Appthority has seen apps with more than 15 ad networks in them! And because ad networks get themselves embedded in numerous apps, a network can track a person's usage from app to app.

Obviously this is some disturbing -- albeit legal -- activity that no enterprise wants to contend with. Yet lax BYOD policies can allow it all in the front door on workers' smartphones. Tune in next week to learn a few ways you can keep your enterprise safe and secure.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.

______________________________________________________________

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies