MIT Reviews Smartphone Data Security Issues
IT staff have been aware for some time of the data security risks posed by employees who use personal portable devices, whether laptops or smartphones. A recent study by MIT, as reported in the Boston Globe, has confirmed that many Android apps share information and track the user, even when the user shuts down the app. One researcher, MIT graduate student Frances Zhang, indicated that "it seems like people are no longer in control of their own privacy." As Android apps are typically open source, the research team could modify them to determine areas where data privacy was compromised. Unfortunately, with the iOS platform, the team could not determine whether a user's privacy is compromised to the same degree, as Apple apps are not open source.
Of the 36 Android apps reviewed, several had security issues where confidential information was shared, ranging from contacts and GPS tracking to transfer of the device's unique IMEI (International Mobile Equipment Identity) number. While it is understood that some apps notify users that access is required to certain areas, it seems completely unreasonable to share IMEI information with app providers: an IMEI number is a unique identifier that, once known, can be used to clone other phones, which is an illegal practice.
Issues of this type can hardly be combated by typical users, as most will simply cycle through screens, clicking where necessary, to install the desired app as quickly as possible. However, as indicated on Technology Review, crowdsourcing could offer a solution for rating smartphone apps during the development process, assigning a data privacy rating to each released app. This approach would mean that end users would not bear any cost, but they would still need to take note of the rating assigned to each app and decide whether the data compromised is outweighed by the benefits of installing it.
For IT departments in midsize companies tasked with data protection along with many other responsibilities, this is of little comfort, as enforcement of a preferred list of apps is almost impossible, especially in the case of BYOD devices. Therefore, midsize companies need to decide on a more permanent solution, in which either personal devices are prohibited for work use or employees are assigned dedicated handsets for use when traveling. An effective data security policy needs to cover all eventualities, and while smartphones are of benefit to workers, they should be treated by all employees as another area where data protection is required, with regularly updated antivirus and malware prevention software installed on all devices.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.