The app security threat

Don Sambandaraksa
13 Apr 2012
00:00
With more and more companies adopting bring-your-own-device policies for access to corporate data, education is sorely needed to plug the gaping security holes that many apps needlessly open on those devices.
In an interview with TelecomAsia, Stree Naidu, VP for Asia Pacific and Japan for Imperva, said that the end-user is the weak link.
While the industry has done so much work on technologies to track data leakage, role-based access management and security in the traditional 9-5 corporate four-walled office, the gaping security risk remains the users themselves with their smart devices, Naidu said.
Too many apps allow access to a phone book, email or even SMS and call records. The EULAs and fine print that users click through without a thought make gathering and profiling that information perfectly legal, if unethical.
Naidu said that in some cases, such as verification of a phone number for messaging services, there may be a legitimate need to check an SMS, but there is never a legitimate need for perpetual access to these private messages.
“Why does the Facebook app need to access your SMS?” he asked.
This is where the telco comes in, or should come in. Telcos need to spend time educating consumers about the dangers of these apps and become a strong voice demanding that Google and Apple (not to mention Microsoft and BlackBerry) express the fine print in a clear manner to users and developers alike so they can make an informed decision.
This is similar to what happened in the anti-spam battle, and now all mailing lists have clear opt-in and opt-out options.
To see the extent of what unfettered access can lead to, Naidu used the example of the app Xobni (inbox spelled backwards). This app can go through your email, phone and social networks and generate a report on the amount of access, keywords searched, who gets the most email, at which times and on what topics. It can even bring up that person’s social media profiles and photos in the report. While legitimate as an enhanced address book, the same information in the wrong hands is very dangerous. It becomes downright scary when the user or CIO realises that many apps that users are installing without a second thought provide access to all of that information.
