Why Mobile App Data Slurping is an Enterprise Security Issue

Is your business being slurped?

Mobile app data slurping sounds harmless and cutesy — it’s not. What it means is that data on your smart device is being recorded by an app (slurped) and transmitted to the app vendor. The mobile app gains access to device information through permissions and can include requests for location, access to media storage, the ability to send data and SMSs, and access to contacts. The list goes on and on, but you get the picture.

Gone Afowl

The biggest offenders can be the most innocuous apps on an end user’s device. For example, the Angry Birds family of apps has been flagged for slurping up unencrypted data that can be intercepted by state-sponsored digital data collectors on its route to the vendor. True to form, the near omnipresent Angry Birds apps require an excessive list of permissions that allow them to read and transmit personal and profile data.

Some free apps justify this requirement, claiming it’s necessary for serving up targeted ads. Other apps don’t work unless you open your information to them. Even worse, some apps bypass the permissions systems and transmit your data without your consent.

It’s not just game apps that lack credible security. Recent research from Ariel Sanchez, a blogger at IOActive, found that out of 40 iOS banking apps used by 60 banks in about 20 countries, 70% of the apps offered no support for two-factor authentication (2FA), and 40% of the apps weren’t validating SSL certificates. In other words, they were unable to notice bogus SSL certificates when accessing supposedly secure HTTPS traffic and couldn’t, therefore, stop a theoretical man-in-the-middle attack.

Apps in the BYOD workplace

While the danger lies primarily with personal-use apps, mobile data slurping still poses a threat to businesses by transmitting data on employees’ BYOD devices.

A paper released by Symphony Luo and Peter Yan from Trend Micro reported that

“A survey of the top 50 free apps available for download in (one of the most popular app stores) revealed that almost 80% of the samples had fake versions. These apps span a wide range of categories, including Business, Media & Video, and Games.”


Luo and Yan go on to say

“Fake apps were more likely to be high-risk apps or malware rather than just mere harmless copycats. As of April this year, of the 890,482 sample fake apps discovered from various sources, 59,185 were detected as aggressive adware and 394,263 were detected as malware. Among the fake apps, more than 50% were deemed malicious.”

For personal smartphones and tablets used in the workplace, it’s paramount that companies review and manage app permissions. At a minimum, each business must risk-assess whether the device is suitable for use in the workplace. At least one article has reported that updating some consumer smart devices sends back about 500 records describing how the device was used by its owner.
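One way to put such a permission review into practice, as an added example that is not from the article or from any app vendor: parse the permissions an Android app declares and flag the combination that enables slurping (reading personal data plus a way to send it off the device). The manifest, package name and permission-to-category mapping below are constructed for illustration.

```python
# Added example, not from the article: flag the sensitive data categories an
# Android app requests in its AndroidManifest.xml before allowing it on a BYOD device.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped into the data categories the article lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "media storage",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.SEND_SMS": "sms",
    "android.permission.INTERNET": "network",
}

# Constructed manifest for a hypothetical game with an over-broad permission list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every android:name value found on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]


def review_permissions(manifest_xml):
    """Group permissions by data category; exfil_risk is True when the app can
    both read personal data (location, contacts, media) and send data off the
    device (network or SMS), the combination that enables data slurping."""
    categories = {}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            categories.setdefault(SENSITIVE[perm], []).append(perm)
    can_transmit = "network" in categories or "sms" in categories
    reads_personal = any(c in categories for c in ("location", "contacts", "media storage"))
    return categories, can_transmit and reads_personal


if __name__ == "__main__":
    cats, risk = review_permissions(SAMPLE_MANIFEST)
    for category, perms in sorted(cats.items()):
        print(f"{category}: {', '.join(perms)}")
    print("exfiltration risk:", risk)
```

Run against a real manifest pulled from an APK under review, the report gives a reviewer the per-category list to compare with what the app actually needs to do its job.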

Many vendors are reportedly retrieving more data than is necessary for legitimate purposes and often don’t bother to encrypt it during transit.

In the UK and other locations, mobile data slurping collides with important legal considerations. The Data Protection Act applies to businesses and not to individuals, but BYOD can cause confusion about which is which. One fact that’s clear is that if an employee uses a personal device to access customer data, such as contact or account details, the data is subject to the laws on data protection. If your business holds and processes information about your clients, employees or suppliers, you are legally obliged to protect that information.

CIOs Take Note

Before you allow an app to be installed on any work device, the app must be checked to ensure it is compliant with data protection law. If not, your business may get hit with a substantial fine – or much worse. Imagine the reputational hit if your customers’ details end up on a marketer’s sales list.

The next slurping incident you encounter could be your career going down the drain.

Guidance on the Data Protection Act for EU business


About Frank O'Kelly

Frank is a Commercial Manager based in the UK. He has worked for many years in ICT and Telecoms and is passionate about Information Security, especially in the mobile space. When not working or writing, Frank is usually planning a trip to a classic car show!
