Earlier this month, a security researcher reported the discovery of a suspicious online hoard of data from 31 million consumers of a popular Android app called ai.type. Among the 577 gigabytes of data inadvertently shared through a MongoDB database were phone numbers, names, email addresses, and device identifiers. For 6 million of the users, the data included the entire address book. Breaches like this one indicate that an unwarranted amount of trust is placed in the integrity of apps delivered through Google Play or Apple iTunes.
The ai.type breach passed unnoticed by most Android phone users, since there was no official notice to consumers about the potential exposure of their data. In fact, ai.type currently has dozens of apps available for download in the Google Play store that bear no security warnings. The company’s apps carry mostly high star ratings (likely fake, as is common across the app ecosystem), and some digging is required to discover a word of caution, such as this review from user totoro: "Keylogger, according to the recent leaked breach. It also collects and logs IMEI, phone number, full name, email address and other personal data and keeps them and other personal data unencrypted. Beware!"
While the seriousness of the ai.type breach has been contested by CEO Eitan Fitusi, the episode is a good example of why the app stores can’t be trusted to protect us from security threats. Many apps require the user to grant a long list of permissions that are hard to understand even for the most technically educated users. In the case of ai.type, the app asks the user to give up some of their most personal data, such as the address book, text messages, and audio recordings from the microphone.
For companies, unrestricted mobile app access can bring a tremendous amount of risk. An unregulated company such as ai.type with questionable security practices could be accidentally handed the keys to the corporate kingdom through a few clicks by an employee. Hackers could gain access to a corporate address book to be used for phishing attempts. They could retrieve two-factor authentication codes stolen from text messages. They could even record audio from the microphone while an employee sits in a company meeting.
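As an added example (not from the original article or from any MDM product), here is a small app-vetting check that reads a decoded `AndroidManifest.xml` and flags the permissions behind the three risks described above. The sample manifest, the package name, and the allow/review/block policy are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (data exposed, corporate risk described in the article)
RISKY = {
    "android.permission.READ_CONTACTS": ("address book", "phishing of corporate contacts"),
    "android.permission.READ_SMS": ("text messages", "theft of two-factor codes"),
    "android.permission.RECEIVE_SMS": ("text messages", "theft of two-factor codes"),
    "android.permission.RECORD_AUDIO": ("microphone", "recording of company meetings"),
}

# Constructed sample: decoded manifest of a hypothetical keyboard app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml):
    """Apply an assumed policy: sensitive data plus network access means block."""
    perms = requested_permissions(manifest_xml)
    findings = sorted((p, *RISKY[p]) for p in perms if p in RISKY)
    if not findings:
        verdict = "allow"
    elif "android.permission.INTERNET" in perms:
        verdict = "block"   # can read sensitive data and send it off the device
    else:
        verdict = "review"  # sensitive access, but no declared network permission
    return {"findings": findings, "verdict": verdict}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(report["verdict"])
    for perm, data, risk in report["findings"]:
        print(f"  {perm}: exposes {data} -> {risk}")
```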
To address the need for protecting employee devices, there is a fast-growing market for security software called enterprise mobile device management (MDM). This software allows companies to control data, apps, and settings on employee mobile phones. The degree of control can vary depending on the context. In the case of employer-owned devices, all data and software on the phone can be completely controlled. In the case of employee-owned devices that are used for work purposes (also referred to as 'bring your own device'), the MDM systems can provide a partial configuration which locks down employer data while allowing flexibility for personal phone usage.
The rollout of MDM software can be a balancing act between protecting devices and ensuring that employees understand the value of the protection it provides. When multinational consulting company Avanade began installing a new MDM system on employee phones, they noticed a surprising drop-off in the use of the company email system. Within one week, 30% of the initial group of employees had ceased accessing corporate email. The cause of employee concern became clear when employees expressed disapproval that the company would monitor their personal data and social media activity.
The solution was to dial back the level of control that the MDM software had over employee devices. Instead of requiring employees to allow blanket permissions, the company adjusted the MDM system to restrict permissions at the app level instead of at the device level. This way, an employee could give control permissions only for official company apps, such as email.
Through a feature called container apps, MDM software can isolate sensitive company data such as email, address books, financials, and files. The container apps can be further locked down with rules for accessing the corporate network, such as switching on additional authentication whenever a phone moves to a new geographic region or travels to another country.
Selecting the right level of control over devices requires balancing employee preferences with a corporate risk profile. At one extreme would be contractors who are given company-owned mobile phones for the purpose of a specific job function such as tracking the location of field service technicians. For these employees, the permissions can be tightly controlled. In other cases, employees will have paid for their own phone and cellular service plan and may feel strongly against providing the company with control over their phone. In this case, corporate data can be protected at the app level along with assistance to the employee in maintaining good security practices.
While mobile phones can allow great productivity for employees at home and on the road, it’s important to provide the tools to keep those devices secured.