The Insider recently had the audacity to question the ‘modus operandi’ of free app developers that may be using their seemingly harmless smartphone tools to gather and distribute all kinds of information.
If the story of the Android ‘Torch’ app was not scary enough, the latest news is that employers don’t care if their mobile devices are unwittingly used to breach the security of their employer’s network. This adds a whole new dimension to the arguments for and against BYOD (bring your own device) policies.
If you team up what those evil little ‘free’ apps are doing in the background of most smartphones and add that connectivity to the company network, what is there to prevent some stealthy code from reading the data that comes back to the handset and sending it off to an unknown third party?
Sure, you can enforce some security measures to using company-applied software but these merely confirm who the user is and sometimes limits what they can do on the network via the device. They also prevent upwardly mobile infection of the network, but do they prevent the copying and forwarding of data on the device? My guess is no.
Let me remind you that my simple ‘Torch’ app had the right to “retrieve information about currently and recently running tasks, allowing the app to discover information about which applications are used on the device,” and that it could “create network sockets and use custom network protocols” as well as having permission “to modify the system’s settings data.”
The Insider is a novice in matters of mobile security but this sort of activity must be raising major concerns for corporate IT departments. A quick review of ‘paid’ apps did not generate any greater comfort, either. The theory that free app developers may be hawking their ill-gotten data to others has not gone away, but one would think the guys getting paid might have slightly higher ethics.
Just think of all those apps you downloaded once, activated then never opened again. Surely they can’t be a problem, they are not even running, right? Of course, when your battery runs out after playing with all those apps, you are really safe, right? Think again.
It seems that, for iPhone users at least, tracking continues even after the battery has died thanks to certain apps’ use of the iPhone 5S’ M7 chip, a motion-sensor used by a range of sports-related apps, including one developed by Nike.
Does being disconnected from the network and switching off GPS guarantee you cannot be located? Probably not! Are there any other dirty little secrets we are not made aware of? At least we know none of our communications are private any more but how long before privacy and security become big revenue earners for aspiring entrepreneurs or, better still, network operators?
Surely they would be well placed to offer secure network connectivity to their corporate and enterprise customers, throw in some device security software, private key encryption, virtual private networks and even deep-packet-inspection and investigation services to track what employees are up to.
While all this could be, it probably won’t fly with customers that have had their previous faith in network security destroyed by the Snowden revelations and subsequent admissions by network operators that they were party, not always by choice, to government data collecting activities.
Maybe they will put their trust in existing online security experts like Norton, Kaspersky or Trend Micro, to name a few? How about handset makers like Nokia, sorry Microsoft, Apple, Samsung or LG? OK then how about the network suppliers like Ericsson, Huawei and ZTE?
Maybe we should drop this idea completely and just get used to the fact that privacy and security are now distant memories and that living in a lead-lined cave is our only hope.