Fair trade

It seems like a fair trade: Get your favorite mobile apps for free, be shown annoying ads in return.

But that’s not all you’re doing in return. In reality, this trade has you giving up a great deal of personal information. Mobile apps collect a massive amount of personal data — your location, your online history, your contacts, your schedule, your identity and more. And all that data is instantly shared with mobile advertising networks, which use it to determine the best ad for any given user at any given time and place.

So, the trade-off isn’t really ads for apps — it’s intrusive mobile surveillance for apps. By agreeing to free, ad-sponsored mobile apps, we’ve consented to an economic model that entails continuous and comprehensive personal surveillance. It’s what Al Gore accurately characterized as the stalker economy.

Why is our personal, locational and behavioral data so coveted by marketers? Because a smartphone is something that we as consumers carry everywhere we go, and it’s constantly broadcasting personal data of all kinds. If advertisers know who we are, where we are and what we’re doing, they can deliver more effective ads. It’s called proximity marketing. It’s the Rite Aid ad that pings your phone as you walk through the aisles: “Save 10% now on mouthwash.”

Sounds innocuous, if annoying. But it goes much further than this. We’ve now enabled a system where a major retailer can know, for example, that a teenager is pregnant before her parents do simply by correlating her activity, search and purchase data. That retailer can then reach out via mail or email, or target her via phone when she is near a point of sale. This intrusion on our collective privacy isn’t going away anytime soon (if ever), as the economic incentives for app developers and advertisers are too strong.

OK, agreed, this kind of consumer surveillance is intrusive and creepy. But how does it threaten enterprise security? Simple. As more personal mobile devices invade the business world, leaks from those devices are opening the door to corporate hacks, stolen business data and crippling cyberattacks.

For instance, if a company lets its employees sync their corporate calendars and email accounts to their personal mobile devices, this opens up all sorts of risks. Suddenly, employees’ phones contain or can access the contact information of everyone in the organization. Further, any other mobile app that requests access to the employees’ contacts and calendar also gets access to the names and titles of company employees, as well as the dial-in codes for all private conference calls. This information can easily be put to effective use in a spear-phishing attack by a malicious app or hacker.

Worse, many apps monetize their user bases by sharing data with ad networks that share and combine data with other networks, so it’s impossible to know where exactly data is going and whether it’s being handled in a secure fashion by any of the many parties that have access to it. All of this sharing means a malicious hacker doesn’t even have to directly access an employee’s phone to attack a company. He can hack an ad network that has information from millions of users and go from there.

Stolen information can also be used to attack an enterprise through a watering-hole attack. Say a small group of executives have lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily know this. The attacker correctly assumes that some of the execs are accessing the restaurant’s website to make reservations and browse the menu before lunch. By placing malware on the lightly defended site, the attacker is able to compromise the office computer or mobile device of one or more company executives. From there, a successful breach is launched.

A compromised smartphone represents a threat not just to the targeted employee but to the entire company. Information about employees’ activities, both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be devastating to an organization if it gets into the wrong hands.

So what should enterprises do to combat the threat?

The first step is to get visibility into your mobile environment. Your organization needs to know which apps employees are using, what those apps are doing and whether or not they comply with corporate security policies. For example, is there a particularly risky file-sharing app you don’t want employees to use? Is it already being used? If you don’t know the apps employees are using for work, you are flying blind and taking a huge risk.

Second, you’ll need a policy for managing the use of mobile devices. Most organizations already have policies for other platforms, including managing firewalls and sharing data with partners. It’s equally important to create these policies for mobile. For instance, if employees are using free versions of apps that are approved by the company but ad-supported, create a policy that requires employees to upgrade to the paid version to minimize, if not eliminate, unsanctioned data in the form of ads being sent to employees — though it doesn’t eliminate the relentless collection of personal and private data.

Next, your organization should educate employees about the risks of the apps they download. It’s in your best interest to empower users by arming them with tools and training to make better decisions about which apps they download. For instance, coach your employees to question apps that ask for permission. There are lots of apps that want to access location, contacts or camera. Employees don’t have to say yes automatically. Most apps will work fine if the request is denied, and prompt users if a permission is actually needed. If an app does not say why it needs access, that’s a big red flag.

Finally, all of these areas can be addressed with a good mobile security solution. Any enterprise without a mobile threat protection solution is by definition unaware of what information is leaking and from where, and unable to address the risks that exist in its environment. It is therefore imperative that your enterprise include mobile threat protection as part of its overall security strategy in order to protect employee privacy and company data from the ever-growing threat of mobile surveillance and data gathering.

14 comments to “Attack of the apps”

You can leave a reply or Trackback this post.
  1. Business Code - August 20, 2017

    Thanks for the sensible critique. Me and my neighbor were just preparing to do some research on this. We got a grab a book from our local library but I think I learned more from this post. I am very glad to see such fantastic information being shared freely out there.

  2. Automotive Concepts - August 19, 2017

    I want to show some thanks to you just for rescuing me from such a situation. After scouting throughout the world wide web and meeting principles that were not helpful, I assumed my entire life was done. Being alive without the answers to the difficulties you’ve fixed by way of your main blog post is a crucial case, as well as the kind that would have in a wrong way damaged my career if I hadn’t come across the website. Your personal expertise and kindness in touching all the things was invaluable. I’m not sure what I would’ve done if I had not come across such a solution like this. I can now relish my future. Thanks a lot very much for the reliable and results-oriented guide. I won’t think twice to recommend your web sites to any person who needs direction on this situation.

  3. Internet - August 19, 2017

    wonderful points altogether, you just gained a new reader. What could you recommend in regards to your publish that you made a few days ago? Any positive?

  4. More hints - August 10, 2017

    I just want to say I am just very new to blogs and actually liked you’re blog. Probably I’m planning to bookmark your site . You actually have exceptional writings. Regards for sharing your web-site.

  5. future technology - July 27, 2017

    Good website! I really love how it is simple on my eyes and the data are well written. I’m wondering how I could be notified whenever a new post has been made. I have subscribed to your RSS feed which must do the trick! Have a great day!

  6. Stan Lukaszewicz - July 26, 2017

    Thank you for any other wonderful post. The place else could anyone get that type of info in such an ideal approach of writing? I’ve a presentation subsequent week, and I am on the look for such info.

  7. Derek Stoutenburg - July 26, 2017

    As I web-site possessor I believe the content matter here is rattling fantastic , appreciate it for your hard work. You should keep it up forever! Best of luck.

  8. Joie Paden - July 26, 2017

    Fantastic goods from you, man. I have understand your stuff previous to and you are just extremely excellent. I really like what you have acquired here, really like what you’re stating and the way in which you say it. You make it enjoyable and you still take care of to keep it sensible. I cant wait to read much more from you. This is actually a tremendous site.

  9. Action Sports - June 27, 2017

    Pretty nice post. I just stumbled upon your blog and wished to say that I have really enjoyed browsing your blog posts. In any case I will be subscribing to your feed and I hope you write again very soon!

  10. air tickets - June 12, 2017

    Its like you read my mind! You seem to know a lot about this, like you wrote the book in it or something. I think that you can do with some pics to drive the message home a bit, but instead of that, this is fantastic blog. A great read. I’ll definitely be back.

  11. pokemon go gps spoof - March 3, 2017

    Hmm it looks like your website ate my first comment (it was super
    long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly enjoying your
    blog. I as well am an aspiring blog writer but I’m still new to the whole thing.
    Do you have any recommendations for inexperienced blog writers?
    I’d genuinely appreciate it.

  12. Marni Walde - February 20, 2017

    I love your blog.. very nice colors & theme. Did you create this website yourself? Plz reply back as I’m looking to create my own blog and would like to know wheere u got this from. thanks

  13. Donnie Corak - February 20, 2017

    Thanx for the effort, keep up the good work Great work, I am going to start a small Blog Engine course work using your site I hope you enjoy blogging with the popular BlogEngine.net.Thethoughts you express are really awesome. Hope you will right some more posts.

You must be logged in to post a comment.