Attack of the apps

It seems like a fair trade: Get your favorite mobile apps for free, be shown annoying ads in return.

But that’s not all you’re doing in return. In reality, this trade has you giving up a great deal of personal information. Mobile apps collect a massive amount of personal data — your location, your online history, your contacts, your schedule, your identity and more. And all that data is instantly shared with mobile advertising networks, which use it to determine the best ad for any given user at any given time and place.

So, the trade-off isn’t really ads for apps — it’s intrusive mobile surveillance for apps. By agreeing to free, ad-sponsored mobile apps, we’ve consented to an economic model that entails continuous and comprehensive personal surveillance. It’s what Al Gore accurately characterized as the stalker economy.

Why is our personal, locational and behavioral data so coveted by marketers? Because a smartphone is something that we as consumers carry everywhere we go, and it’s constantly broadcasting personal data of all kinds. If advertisers know who we are, where we are and what we’re doing, they can deliver more effective ads. It’s called proximity marketing. It’s the Rite Aid ad that pings your phone as you walk through the aisles: “Save 10% now on mouthwash.”

Sounds innocuous, if annoying. But it goes much further than this. We’ve now enabled a system where a major retailer can know, for example, that a teenager is pregnant before her parents do simply by correlating her activity, search and purchase data. That retailer can then reach out via mail or email, or target her via phone when she is near a point of sale. This intrusion on our collective privacy isn’t going away anytime soon (if ever), as the economic incentives for app developers and advertisers are too strong.

A compromised smartphone represents a threat not just to the targeted employee but to the entire company.

OK, agreed, this kind of consumer surveillance is intrusive and creepy. But how does it threaten enterprise security? Simple. As more personal mobile devices invade the business world, leaks from those devices are opening the door to corporate hacks, stolen business data and crippling cyberattacks.

For instance, if a company lets its employees sync their corporate calendars and email accounts to their personal mobile devices, this opens up all sorts of risks. Suddenly, employees’ phones contain or can access the contact information of everyone in the organization. Further, any other mobile app that requests access to the employees’ contacts and calendar also gets access to the names and titles of company employees, as well as the dial-in codes for all private conference calls. This information can easily be put to effective use in a spear-phishing attack by a malicious app or hacker.

Worse, many apps monetize their user bases by sharing data with ad networks that share and combine data with other networks, so it’s impossible to know where exactly data is going and whether it’s being handled in a secure fashion by any of the many parties that have access to it. All of this sharing means a malicious hacker doesn’t even have to directly access an employee’s phone to attack a company. He can hack an ad network that has information from millions of users and go from there.

Stolen information can also be used to attack an enterprise through a watering-hole attack. Say a small group of executives have lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily know this. The attacker correctly assumes that some of the execs are accessing the restaurant’s website to make reservations and browse the menu before lunch. By placing malware on the lightly defended site, the attacker is able to compromise the office computer or mobile device of one or more company executives. From there, a successful breach is launched.

A compromised smartphone represents a threat not just to the targeted employee but to the entire company. Information about employees’ activities, both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be devastating to an organization if it gets into the wrong hands.

So what should enterprises do to combat the threat?

The first step is to get visibility into your mobile environment. Your organization needs to know which apps employees are using, what those apps are doing and whether or not they comply with corporate security policies. For example, is there a particularly risky file-sharing app you don’t want employees to use? Is it already being used? If you don’t know the apps employees are using for work, you are flying blind and taking a huge risk.

It is imperative that your enterprise include mobile threat protection as part of its overall security strategy.

Second, you’ll need a policy for managing the use of mobile devices. Most organizations already have policies for other platforms, including managing firewalls and sharing data with partners. It’s equally important to create these policies for mobile. For instance, if employees are using free versions of apps that are approved by the company but ad-supported, create a policy that requires employees to upgrade to the paid version to minimize, if not eliminate, unsanctioned data in the form of ads being sent to employees — though it doesn’t eliminate the relentless collection of personal and private data.

Next, your organization should educate employees about the risks of the apps they download. It’s in your best interest to empower users by arming them with tools and training to make better decisions about which apps they download. For instance, coach your employees to question apps that ask for permission. There are lots of apps that want to access location, contacts or camera. Employees don’t have to say yes automatically. Most apps will work fine if the request is denied, and prompt users if a permission is actually needed. If an app does not say why it needs access, that’s a big red flag.

Finally, all of these areas can be addressed with a good mobile security solution. Any enterprise without a mobile threat protection solution is by definition unaware of what information is leaking and from where, and unable to address the risks that exist in its environment. It is therefore imperative that your enterprise include mobile threat protection as part of its overall security strategy in order to protect employee privacy and company data from the ever-growing threat of mobile surveillance and data gathering.