Why IT should worry about Android app data sharing
Android and iOS apps are sending out data to parties that users have no knowledge of, making IT's job of locking down business information that much harder.


COMMENT Android doesn't have the finest security reputation in the mobile OS space. Revelations this week have only exacerbated the situation for Google. And businesses should be worried too, not just consumers.
A Channel 4 investigation, in collaboration with security firm MWR Infosecurity, found that ad networks had access to user data from certain Android apps.
Permissions granted to those apps, many of which were in the top 50 apps list, were also granted to advertisers, MWR claimed. The security vendor said contacts, calendar and location data were being shared thanks to code created by US ad network MobClix.
Google responded saying it has best practice guides for developers when it comes to user data but it does not screen apps for not following recommendations before they are shoved on the Android Market. The company does remove rogue applications that do bad things with that information, however.
Even Viviane Reding, the European Commission's commissioner for justice, waded in to share her concerns.
"This is against the law because nobody has the right to get your personal data without you agreeing to this," Reding said.
"Maybe you want somebody to get this data and agree and it's fine. You're an adult and you can do whatever you want. But normally you have no idea what others are doing with your data. They are spotting you, they are following you, they are getting information about your friends, about your whereabouts about your preferences.
"That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change."
Just last week, Android was in privacy hot water again, when a New York Times investigation found that any Android app with permission to access the internet could post images to a remote server. Google has acknowledged the problem, saying it related to a design choice made to accommodate the way early Android phones stored data when photos were often saved onto a removable disk. The company even said it was considering changing its processes. Nevertheless, the flaw has not been fixed.
Apple iOS apps were also found to be doing something similar. Any developer could view people's photos as long as the user permitted use of location data.
The business problem
On the face of it, these issues are largely consumer-related. But as with so many things in today's hyper-connected world, businesses can be hurt by such lax client security too.
Whilst business mobiles can be locked down, and apps provisioned from a central source ensuring no crazy permissions are granted to developers, consumer devices are much more difficult to lock down. It's particularly hard to stop business information from getting on worker phones.
Now, by sending data to a host of other parties, these Android apps are potentially making mobile management for IT teams even more of a nightmare than it already is. If apps can access a range of data on a mobile device, then it's likely they will see information related to that person's employer, whether in contacts and calendars or from social networks, text messages and photos. This means business information, which could be anything from copied work emails to corporate IP, is not just being taken out of the network on user devices; it is being disseminated to unknown parties across the globe.
What if those ad networks are doing naughty things with that data, passing it on to yet more companies? What if those ad networks don't have sound data protection policies, or have malicious insiders? What if those businesses got hacked, leaking a tonne of companies' information, not just their own?
What's clear from these latest developments is that so-called 'consumerisation' is even more complex than IT departments had first feared. Data is being leaked from surprising sources. And, in the case of these Android and iOS apps, there is little CIOs can do about it right now.
Instead, they will have to hope mobile OS makers stop allowing developers and ad networks to get hold of so much information without users knowing. Thus far, they have little to get excited about.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.