Do you think the NSA is the biggest threat to your privacy? Certainly they are collecting a significant amount of personal data. And from the looks of it, with their new facility that may hold up to 12 exabytes (that’s 12,000,000,000,000,000,000 bytes) of data, they appear to be planning to continue collecting, and keeping, more data. This is an important topic, and I’ll look at in more depth in an upcoming blog post. But for now, you need to know and understand that there are many other entities that are collecting data from you and your mobile apps in the same way as NSA is slurping it up, along with several other ways.
Many ways to gobble up your data
Here are just a few ways that unauthorized others (government agencies, marketers, crooks, snoops, disgruntled spouses, and the list could go on endlessly) can get to you data:
1) On the device itself. This is possible in multiple ways. If you are using an unsecured wireless network, anyone else on that network may be able to get to the data on your device. If you lose your device, or if it is stolen, and you have weak security, your data is a vulnerable target.
2) Through the website where the app is based/located. There have been many lapses in website security that have resulted in in privacy breaches. If the app’s website is not appropriately secured, your data is at risk.
3) Through social engineering (phishing, keystroke loggers, IDs/passwords). These online scammers have been around for decades. They will do anything to trick you into clicking a link, or unknowingly downloading malicious code, to your site that will then take all your personal data.
4) From social media sites. More ways are created each day to take all the data possible from you when you use social media sites. Here is a good site that describes many of these ways.
5) As data is flowing through an unsecured wireless network. There are many free tools that can be used to monitor the data flowing through an unsecured (not encrypted) wireless network. There are also many tools to make copies and store specific types of data as it is flowing through those networks.
6) Snoopers can set up a proxy server to view traffic coming and going from the smartphone, or other computing device, where the app is located.
7) Bulk collection from sites such as Google and other app providers. Government agencies, not only in the U.S., but all throughout the world, have tools to collect bulk data when individuals use online sites, such as Google Maps and other social media sites, to collect address books, buddy lists, telephone logs and the geographic data embedded in photographs when someone sends a post to the mobile versions of Facebook, Flickr, LinkedIn, Twitter and other Internet services. Such tools may also be used by career criminals.
8) Reverse engineering app code. This involves basically picking apart the app’s code to determine how to defeat the security controls, and then get to the data collected by the app.
There are more ways, but these are arguably the eight most common.
Consumers, listen up!
Most of the population is using, and many seem to be addicted to, mobile devices, and large numbers of the literally millions of mobile apps that are available to be used on them. As one example, many folks get their email through mobile apps. According to data from the “US Consumer Device Preference Report: Q4 2013” from Movable Ink, way more than half of all email — a full 65 percent — is now being accessed via mobile devices in the U.S. But are they secure? Most aren’t. The 2014 Cenzic Application Security Trends Report study found 96% of applications contained security flaws. Mobile devices are being used without their users being aware of the accompanying significant information security threats to their privacy that come with them.
You need to take actions to help protect yourself, and you also need to demand that app developers build security and privacy protections and controls into their apps. Here are three areas within which you should take actions to improve the security of your personal information.
1. Delete apps you are not using
Most folks don’t know how many apps they have. Have you looked lately? You could have a whole lot!
- iOS7 and up can hold at least 40,500 apps
- iOS6 can hold up to 3,584
- iOS5 and earlier can hold around 180 apps
- iPad can hold over 4,400
- Droid can hold as many apps as possible that will fit into its memory (apps sizes vary, so there is not a set amount)
- Windows 8.1 and Windows RT 8.1 come with built-in apps and can hold as many as you have space for
One of my Facebook friends thought she had around 12 mobile apps. However, when she checked she actually had 280 apps. She had downloaded a lot of apps that she decided she didn’t want to use; but they were still on her device. She also had apps that had been downloaded without her knowledge as a result of clicking to go to a website, play an online game, etc. All those apps may potentially be collecting data from you, even if you aren’t using them. It all depends upon the app and how you installed it. So, be sure to delete all the apps you don’t actually use.
And, ironically enough, there are apps for deleting your apps!
2. Most folks don’t check the app privacy notice before downloading
Don’t be like the majority of folks currently are: they simply don’t check to see if a mobile app has a privacy policy, and don’t read those that do. Make sure the app you want has a privacy policy (often also called a privacy notice). If it doesn’t, don’t download it! (More than 25% of the top 100 free apps do not have a privacy policy.) If the app has a privacy policy, read it! Make sure it is actually a privacy policy and not just a statement of all they rights the app maker has for YOUR data, and how you have no choices about it once you start using it.
If the policy looks appropriate, and you download it, make sure you can get to the privacy policy from within the app itself. Only 1/3 of those 25% that have a privacy policy offer access to the policy from within the app. If you can’t even get to the privacy policy from within the app, chances are the app developer is not doing anything to actually enforce the privacy promises they made in their web-posted privacy policy.
3. Secure the devices your apps are on
With your computer and laptop browser you can tell by the URL and symbols if the data will be encrypted when you send it. Sadly there is no such universal type of symbol on app screens, at least not yet. The safest thing to do is not use an app unless your wi-fi connection is encrypted, but that still leaves your data clear text in storage on your device, laptop, in the app vendor’s servers, and anyone else’s servers they share your data with, unless they have encrypted their storage. And from what I’ve seen very, very few encrypt their data in storage.
Here are basic steps to take to secure the devices your apps are on:
- Delete the apps you aren’t using. Hey, it’s worth repeating.
- Know the apps your kids are using on their devices. You should make sure their devices are also secure.
- Use power-on passwords on your device, regardless of the type of device you’re using.
- Encrypt the data on your device.
- Use anti-malware software on your device.
- Don’t use apps on unsecured networks. Typically free public networks, but also too many home wireless networks are still left unsecured.
- Make regular backups of your data. Your device could be swiped or wiped at any time; don’t lose your data along with your hardware.
- Do not accept certificates that your smartphone or other computing device, doesn’t. A legitimate company will NOT ask you to accept a self-signed certificate.
- Implement a tracking device in the event your device is stolen or lost so you can track where it is. This is tricky, because the tracking tool shouldn’t be on all the time publishing YOUR whereabouts also.
- Install a remote wiping application so that if someone steals your device, you can completely remove all the data from, and possibly disable, the device.
App developers, do these things!
1. Use encryption
Always provide a way for those using your apps to encrypt their data.
2. Post a privacy notice
The notice should describe what *YOU ARE ACTUALLY DOING* to protect the user’s privacy and data. Remember, this notice is a legally binding document. If you use one of those free mobile app privacy policy generators, make sure you customize the policy generated to actually reflect your company’s practices. Put the privacy notice not only on your website, but also in your apps.
3. Don’t share with others unless their security is validated
First of all, don’t share the data you collect through your app with other companies if you state in your posted privacy notice that you do not share data collected from your app users with others.
If you want to share the data with others, perform adequate due diligence to ensure the third party you are passing it off to has appropriate security practices in place, that are, at a minimum, as strong (or stronger) that the practices you have promised to those using your apps.
4. Delete data when it is no longer needed.
This may be the biggest problem with almost every organization that collects data from individuals, or elsewhere. There is a tendency to retain data for an infinitude. However, this stockpiling of data increases dramatically the likelihood of a privacy breach. The more data you have, the more data you have to secure. If you delete data, then you will not have to worry about securing it anymore, and you will not possess data that could be breached.
When you no longer need data, irreversibly delete/destroy it.
Bottom line for all apps users and organizations of all sizes…
Every business, of any size, in any location, that creates and provides mobile apps need to build security and privacy into them, encrypt the data used with them, and post and comply with a privacy notice.
Everyone that uses mobile apps needs to practice safe app use, follow good device security practices, and avoid using apps that do not clearly describe their security practices.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW ) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: awareness, compliance, cybercrooks, cybersecurity, data protection, encrypt, encryption, IBM, Information Security, infosec, midmarket, Mobile apps, mobile device, non-compliance, NSA, personal information, personal information identifier, personal information item, PI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, surveillance, training, wearable device, wireless