Mobile Applications: The End of Data Privacy?


As we all know, mobile devices such as smartphones and tablets have become commonplace for consumers and business people, opening an enormous vector for both cyber threats and data privacy invasion. This puts everyone who owns a mobile device at risk of having their private information abused on a daily basis. Analysis shows that a plethora of mobile applications, such as those routinely downloaded from the Google Store in the millions (the majority of which are free), have unmitigated access to the device’s camera, contact list, photos, and other parts of the file system. In most instances, opting in to this type of access, although obfuscated in the privacy statement, is a requirement for ‘free’ use or download of the application.

Aside from the fact that legitimate mobile applications are prone to harvesting private data, there are several malicious forgeries which masquerade as useful mobile applications in order to trick users into downloading them. Together, these characteristics put users in danger of having their sensitive information stolen. Besides pictures and contacts, more sensitive private information includes stored account passwords, banking information, and credit card information, which may be stolen from mobile browsers or online password storage mechanisms. Fortunately, there are a multitude of anti-malware solutions for mobile devices which perform signature-based and behavior-based detection of malware. Some of these include Lookout’s Mobile Threat Protection, FireEye, McAfee Mobile Security, and zIPS.

One of the most topical contemporary examples of this trend is Pokémon Go, a free-to-play mobile game for the iPhone and Android platforms. This extremely popular ‘augmented reality’ smartphone-based game was released on July 6, 2016, and has quickly become the target of criticism for data collection methods which many deem overly invasive. Pokémon Go utilizes Global Positioning System (GPS) data harvested from mobile devices to locate individuals playing the game. This is particularly alarming given that the game is rated for ages 13 and older.

Recent news has shown that this game can be utilized by criminals to lure under-aged players into situations which compromise their safety. The game’s ‘Lure Module’ feature places a beacon on the map to attract players. This feature was abused by two teenagers in St. Louis and St. Charles MI on July 11, 2016 to allegedly perform 10 to 11 robberies at gunpoint, using the mobile application as bait. On July 21, 2016 in Manchester, NH, a man was robbed at knifepoint while playing Pokémon Go.

Another key privacy concern with mobile applications such as Pokémon Go is that signing into the application using a Google account can grant unmitigated permissions to the information contained within that account. This includes access to read and send your email, location tracking via GPS data history, Google Drive, private photos, and web search history. As bad as this may sound, it is no worse than what many similar mobile applications are capable of by default.

To mitigate the risk of having your private data violated, it is prudent to avoid using your personal accounts for authentication. While the Terms of Service can be ridiculously long and complicated to read, it is important to be aware of everything you are agreeing to before installing and using a mobile application. Opting out of default configurations which provide full access to your personal information is a must.
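As an added illustration of the account over-grant described in the two paragraphs above (this is not code from the original post or from the game’s developer), the following Python snippet audits the scopes attached to an OAuth access token against the three identity-only scopes a plain Google sign-in needs. The token response is constructed to mirror the layout of Google’s tokeninfo endpoint, and the client id in it is a placeholder.

```python
import json

# Scopes that a plain "sign in with Google" needs: identity only.
# These are real Google OAuth scope identifiers.
SIGN_IN_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Real Google scopes that reach into account contents (mail, files, photos).
# Any of these granted to a game is a privacy over-grant.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "read your email",
    "https://www.googleapis.com/auth/gmail.send": "send email as you",
    "https://www.googleapis.com/auth/drive": "read and write all of Google Drive",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read your photos",
}


def audit_granted_scopes(tokeninfo_json: str) -> dict:
    """Classify the scopes on a tokeninfo-style response.

    The response carries granted scopes as one space-separated 'scope' string,
    the same layout Google's tokeninfo endpoint uses. Returns every scope that
    exceeds what sign-in alone requires, with a plain-language description."""
    info = json.loads(tokeninfo_json)
    granted = set(info.get("scope", "").split())
    excess = granted - SIGN_IN_SCOPES
    return {
        "app": info.get("aud", "<unknown client>"),
        "sign_in_only": not excess,
        "over_grants": {s: SENSITIVE_SCOPES.get(s, "unrecognized scope, review manually")
                        for s in sorted(excess)},
    }


# Constructed sample: what a game that asked for "full account access" might hold.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-game-client-id.apps.googleusercontent.com",  # placeholder client id
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/gmail.readonly "
             "https://www.googleapis.com/auth/drive",
    "expires_in": 3500,
})

if __name__ == "__main__":
    report = audit_granted_scopes(SAMPLE_TOKENINFO)
    for scope, meaning in report["over_grants"].items():
        print(f"over-grant for {report['app']}: {scope} -> {meaning}")
```

Running the same check against a token that carries only the identity scopes reports `sign_in_only` as true, which is what a user should expect after declining the default full-access consent.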

With the vast ubiquity of mobile applications which harvest private user data on a routine basis, it is important to require and enforce sound regulations and laws to protect consumer data privacy. When mobile applications are used within organizations, they introduce new risks. This is particularly true when storing and transmitting personal data, due to the insecure and invasive nature of these applications.

It is paramount to ensure that sound policies, procedures, and plans are implemented regarding mobile applications within the workplace. Acceptable use of mobile devices should be clearly stated in order to mitigate risk and protect users’ data privacy. Where necessary, organizations should take all precautions to secure user data according to National Institute of Standards and Technology (NIST) Special Publication (SP) best practices such as NIST SP 800-171 and NIST SP 800-53.