It was revealed recently that many smartphones, such as the Apple iPhone and Google Android, have been collecting location-related data and, in the case of Android, sending it back to Google several times an hour.
Not only does this raise concerns about vendor ethics and privacy, but also about what other kinds of sensitive data apps may be transmitting without the user’s knowledge or consent. What can enterprises do to mitigate the security risks of mobile location-based services technology, specifically as it pertains to smartphone applications? That’s what we’ll discuss in this tip.
Currently, there is no comprehensive federal law protecting data on mobile devices, including location data, from being shared or sold to commercial partners. There’s a possibility the federal government will step in to try and protect the privacy of mobile users, but it would likely be a long time before any law affects how vendors collect data from mobile phones and applications, and they certainly can’t be relied upon to provide the level of security many enterprises need.
Google has disabled several apps that violated its licensing agreements, but the general lack of detailed information about exactly how an app uses and shares data, along with vague click-through agreements during installation, means apps that are allowed to access communication channels may pose a risk to an organization’s compliance and data security.
One solution for enterprises is to forbid the use of location-based services. Apple, Microsoft and BlackBerry maker Research In Motion Ltd. turn on location services by default, but all provide the option to turn them off. However, location data helps cellphone networks route calls faster and more efficiently, and employees are going to find many useful tools suddenly not so useful without location services. Apart from the ethical question of collecting location data though, most users are unlikely to be in a position where this information presents a real risk. But, what other information is being sent from smartphones?
Research by the Wall Street Journal found 47 of the 101 most-popular smartphone apps sent location information to other companies, and five sent age, gender and other information. Pandora was one of the apps tested and it transmitted location data to seven different companies, unique phone IDs to three and demographic data to two. Researchers from Pennsylvania State University, Duke University and Intel Labs investigated the behavior of 30 popular Android apps and found two-thirds of them displayed what the researchers called “suspicious handling” of sensitive data. Others sent phone numbers or SIM card serial numbers without any clear consent. The information Google app developers and their affiliates were able to gather as a result included what applications were downloaded by users and what they viewed, read and bought.
Careful reading of any application or plug-in’s end-user license agreement (EULA) is the first step in evaluating whether it is suitable for enterprise use. Google removed at least two games from its Chrome Web Store after learning the apps were able to access all browsing history, website data and bookmarks on users' computers. Hidden in the depth of the EULA of one app, a blogger found a page that read, "This item can read every page that you visit. … Besides seeing all your pages, this item could use your credentials (cookies) to request data from websites." These unbelievably broad permissions were the default installation setting!
Even if a EULA appears acceptable, enterprises can’t blindly trust applications to handle data they can access or gather. Considering this, in order to truly mitigate the risks posed by smartphone applications sending data to third parties, a full risk assessment must be carried out on any apps to be used on phones that access the enterprise network. This will entail using a network protocol analyzer such as Wireshark or Ethereal to capture and browse the traffic generated by the application. If such tests reveal data is being sent that violates security policy, the app shouldn’t be approved.
Given the number of programs that connect back to their respective vendor’s servers, this type of test should also be carried out on regular desktop applications. Most check back to see if there are updates to be installed, but even this may entail capturing and sending operating environment data that shouldn’t be shared outside the enterprise.
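One way to automate the review of such a capture is sketched below as an added example, not part of the original tip: it scans HTTP requests exported from the analyzer for a test handset's known identifiers and location going to hosts policy does not allow. The device values, host names and request format are constructed assumptions, and the check for MD5/SHA-1 digests of the identifiers goes beyond what the tip itself describes.

```python
import hashlib
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed values for a test handset; none are real identifiers.
DEVICE = {"imei": "490154203237518", "phone_number": "15555550123",
          "sim_serial": "8901260000000000017"}
TEST_LOCATION = (40.7128, -74.0060)      # where the test handset was during capture
APPROVED_HOSTS = {"mdm.corp.example"}    # hypothetical hosts that policy allows

def _needles(device):
    """Map each raw identifier and its MD5/SHA-1 hex digests to a label."""
    out = {}
    for name, value in device.items():
        out[value] = name
        for algo in ("md5", "sha1"):
            out[hashlib.new(algo, value.encode()).hexdigest()] = f"{name} ({algo})"
    return out

def _near_test_location(text, tolerance=0.01):
    """True if text holds a lat/lon pair within tolerance degrees of the test location."""
    nums = [float(n) for n in re.findall(r"-?\d{1,3}\.\d{3,}", text)]
    return any(abs(a - TEST_LOCATION[0]) <= tolerance and abs(b - TEST_LOCATION[1]) <= tolerance
               for a, b in zip(nums, nums[1:]))

def audit(requests):
    """Return (host, sorted leaked data types) for each request to a non-approved host."""
    needles = _needles(DEVICE)
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if host in APPROVED_HOSTS:
            continue
        # Decode percent-encoding so "%2B1555..." and "+1555..." are treated alike.
        payload = unquote_plus(req["url"] + " " + req.get("body", "")).lower()
        leaked = {label for needle, label in needles.items() if needle in payload}
        if _near_test_location(payload):
            leaked.add("location")
        if leaked:
            findings.append((host, sorted(leaked)))
    return findings

# Constructed sample of requests exported from a capture of one app's traffic.
SAMPLE = [
    {"url": "http://ads.tracker.example/i?lat=40.7130&lon=-74.0059&id=" + hashlib.md5(b"490154203237518").hexdigest()},
    {"url": "http://api.vendor.example/register", "body": "msisdn=%2B15555550123&ver=2.1"},
    {"url": "http://mdm.corp.example/checkin", "body": "imei=490154203237518"},
    {"url": "http://cdn.vendor.example/update?ver=2.1"},
]
```

This only sees cleartext requests; traffic the analyzer cannot decrypt has to be judged by destination host alone.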
This type of traffic analysis combined with data loss prevention (DLP) technology can help detect and prevent the unauthorized use and transmission of confidential information by installed applications. But, as security is always weaker outside of the enterprise network perimeter, the data accessible by smartphones should always be controlled and the device treated as untrusted.