IT is seeing a very dangerous collision of two trends: BYOD and mobile apps. Part of IT’s job is to protect corporate data, which is a portion of the company’s intellectual property. And yet easily downloaded consumer apps are putting that data at risk: on a BYOD device they sit beside corporate data, and the permissions they are granted (contacts, storage, location, camera, screen) give them almost unlimited reach over whatever the device holds.
Consider this passage from a troubling report by The Intercept: “When launched for the first time, [popular app Sarahah] immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.”
“All phone numbers and email addresses in your address book.” You wanted BYOD, and this is the price you pay. What’s to limit the next app to grabbing and sending screen captures to the mothership? How about ongoing geolocation data? Maybe text messages?
Here’s the uncomfortable truth: As long as you permit corporate apps and data to coexist on the same device as personal apps and data, you have an obligation to police both. The alternative is strict separation of the work and personal sides of the device (a container or managed work profile), which is typically next to impossible to deploy and enforce across every employee’s phone.
Let me be clear. I am not suggesting that you have any access to one iota of personal data of any kind about your employees. You’re merely offering a free service to check any apps they want to download for security problems. Eventually, if your company is large enough, you’ll run into apps that you have already checked and cleared.
The IT security consulting firm that made the Sarahah discovery (Bishop Fox, if you’re curious) did it with an intercepting proxy: software that sits between the phone and the internet and records every request the device sends and every response it receives. In short, it was doing basic penetration testing: rather than trusting the permission prompt, watch what the app actually transmits. (One practical caveat: because nearly all app traffic is HTTPS, the test device has to trust the proxy’s certificate, and an app that pins its server certificate will refuse to connect until that pinning is bypassed.) Why wouldn’t your IT team do the same to protect your employees and, not coincidentally, corporate data? A little extra pen testing never hurt.
Let’s get practical. IT is overworked and understaffed, and I’m not winning any IT friends by suggesting new work for them to do. And, yes, doing pen testing on every consumer app any employee uses is a massive task. But it’s one that employees should appreciate, and it’s an excellent way to stop the leak of sensitive data before it starts.
2 obstacles to checking employees’ mobile apps
There are two key obstacles: Getting corporate funding for the extra work involved (whether it’s handled internally or outsourced, it’s going to need funding) and getting employees to cooperate.
As for getting funding, this is a way for your CFO to establish whether she is serious about protecting corporate data. If the CFO understands the risks posed by BYOD device owners downloading any executable they want — viruses, Trojans and simply over-ambitious programming as happened with Sarahah — this gives her a chance to put her money where her apps are.
As for getting employee cooperation, this should be relatively easy. As long as you are merely asking for the name of the app so that you can check it against a list of already-tested apps or run new tests on it, there isn’t a privacy worry. Indeed, it really is a service for employees, whose private data would also be at risk. (Clearly, even already-tested apps should be re-examined periodically.)
I’m not expecting most enterprises to do this, but if only a handful did, app makers would get caught almost immediately when they threatened privacy, and the incentive to push the privacy envelope would shrink fast.