• Adam

Bring Your Own Risk

Mobile devices are everywhere, like creatures sharing our environment with non-digital animals and insects. They come in all shapes and sizes: tablets as big as flat screen TVs, wearable technology such as the Apple Watch, fitness bracelet or Bluetooth headset and the undisputed king of mobile devices, our inseparable personal parasite--the “smartphone.” Not only do these devices share our “physical” environment, they permeate our information technology environment. Connected in the atmosphere of the Internet, mobile devices breathe by inhaling and exhaling data, which travels across the globe, nearly instantaneously.

The Bring Your Own Device (“BYOD”) policy approach to employee devices is rampant, although of course adoption and implementation vary widely depending on industry regulatory environment and other variables. BYOD implementation can come in a wide variety of different formulations, but it essentially means that employees are choosing their own hardware and to one degree or another mixing personal and business use on a device. Some of these devices are like domesticated animals or tamed pets—corporate-issued and configured devices, strictly controlled by corporate IT. Others are only partially domesticated—personally selected and purchased devices with corporate information management in the form of “mobile device management” or other controls. But most are just plain wild--personal devices with no control from employers other than perhaps some unmonitored, unenforced and mostly unread policy guidance.

While there is widespread awareness that this commingling of work/life presents some degree of risk—both for the security of business data and the privacy of the individual--this awareness is often embodied by a vague feeling of unease rather than a specific concern about a particular security vulnerability or threat. One school of thought holds that anyone who chooses to use mobile devices and apps is foolish to think they have any vestiges of privacy left. For the employers of such cynics (or realists, depending on your point of view), the security of corporate data on mobile devices in the BYOD era is an issue that cannot be blithely dismissed. A more refined point of view on privacy might take the position that users should be able to rely upon explicit statements in a written privacy policy. For example, if an app provider’s published privacy policy says the app does not collect geo-location data, a user should expect that this commitment be honored.

Going further out on a limb, if an app provider asks users for permission to access certain data, the grant of such permission is not absolute, but rather is impliedly for the limited purposes associated with the purported functionality of the app. For example, if an app requests permission to access the user’s location, the user has a right to assume that this data will be used for purposes associated with what the app does, like providing weather forecasts for the user’s current area. Unfortunately, the reality is that users cannot trust all mobile apps, and the ways in which certain apps misbehave suggests that employers of users of these apps have cause for concern regarding the security of their corporate data on BYOD devices.

At least with respect to Android apps, available on the Google Play store, there are popular apps—apps that have been downloaded by many millions of users—that are seriously disturbing in their potential for misuse. These apps acquire much more extensive “permissions” to access and control the device than might reasonably anticipated by users. For example, the apps will acquire permission to access external storage, activate the device’s camera, mount and un-mount file systems, and pretty much anything else you can think of in terms of having unlimited ability to control and access a mobile device and its content.

In addition, certain apps can and do in fact collect and transmit highly specific data about the device, e.g., location, at regular intervals, in spite of statements explicitly denying such activity in the published privacy policy and in spite of the fact that the purported functionality of the apps has no relation to or legitimate use for location data. Incidentally, some of these “utility” type apps do not even work, i.e., they do not perform the functionality advertised. Do these apps sound like good neighbors or playmates for sensitive corporate data inhabiting the same device?

It is commonly assumed that Apple iOS devices, and apps sold through the iTunes Store, are inherently more secure than Android devices and apps. Android is open-source and based on Linux. Apple maintains much closer control over its closed platform and the Apple platform may be relatively more secure than Android in terms of the capacity for app developers to commit atrocities to security and privacy. However, to think that Apple devices are immune from the same kind of highly sophisticated actors that prey upon Android mobile devices would be naïve.

As widely reported in September of 2015, for example in the Wall Street Journal, the iTunes store is not immune from malware infections. The reported infections were the result of an attack against copies of Apple’s software developer toolkit and persisted despite explicit warnings to the developers of the dangers in the code they were using. As a result, the apps allowed for a horror show of privacy and security problems of a similarly disturbing nature to those described above in connection with Android apps.

There is no right answer to reducing the risk from mobile devices. BYOD is a reality of our environment and taking away everyone’s toys is not going to happen. But a company that cares at all about its data needs to stay abreast of the security risks mobile devices engender. There are many ways to combine policy and technology in ways that address these risks—maybe not by eliminating them, but at least by identifying them and adapting appropriately.

Nor is there a magical technical solution, even though vendors claim otherwise. Do not believe them—the claim is simply inconsistent with the ever-changing nature of technology. There is an iterative cycle where technical hardware and software is created for business or pleasure, the risks of the new technology are identified, and technical means of managing these risks are developed. Accordingly, relying on current technology is never enough. In the mobile jungle, awareness and adaptability are the most important traits for achieving any measure of relative security.

7 views0 comments

Recent Posts

See All

DevOps and the Fate of Secure Software Development

Reconciling Technology Development, Security and the Lawyer’s Role (originally published in the Cybersecurity Law Report) No matter how much new law is written on the topic of cybersecurity or data pr