Introduction

Privacy often feels like it is something that can be bought, sold and/or simply ignored. So many people use the old and worn argument: “If you have nothing to hide, why worry about privacy…” 

Privacy, certainly from an individual’s standpoint, has been center stage for a few years now. Debacles such as the Facebook/Cambridge Analytica scandal have set the scene for hot privacy debates. Now the COVID-19 pandemic has thrown the privacy debate back into center stage as “trace and track” apps have been scrutinized for their approach to privacy.

However, it isn’t just individual privacy that can be at risk from mobile apps. Corporate privacy and associated data security are also in the crosshairs of poorly-developed apps.

Isn’t privacy always about the individual and not the group?

There has been a lot of emphasis on privacy as an individual right. That’s fair enough. However, individual privacy is not the whole story. The idea of corporate privacy may seem like a contradiction, but there is a long-standing societal concept of “group privacy.”

The idea of group privacy is nothing new. In fact, it goes back to our Neolithic cousins. Archeologist Dr. Sophie Moore, who has worked on the site of Çatalhöyük, talks about the notion of “group privacy,” where extended kin groups would come together, sharing the space in a privacy-enhanced way.

A 2019 paper by Loi et al., “Two Concepts of Group Privacy,” discusses this notion of group privacy in a modern data-led context. The paper talks about two types of group privacy:

  • WHVSV privacy, or the “what happens in Vegas stays in Vegas” effect
  • Inferential privacy, where what can be inferred from a person’s actions (behavior) can potentially expose the privacy of another

Privacy, in the case of group privacy, is about retaining group-related data (including behavior) within a “walled garden.” The concept of walled gardens has been known about and used in cybersecurity circles for many years, and it is this concept that may offer a way to minimize and manage the privacy and data protection of the enterprise.

But what are the issues of data privacy that apps create, and how can a walled garden approach help?

App privacy concerns for businesses

App privacy is something that has been under scrutiny by security researchers. A survey from DuckDuckGo on note-taking apps found that half of respondents had placed login credentials and other sensitive data in note-taking apps. The issue is that these apps may not encrypt data by default. 

Lack of awareness of privacy and security issues in apps is a general problem. But this lack of awareness extends to the enterprise management of apps too, with mobile device management (MDM) being a key area where app privacy should become part of a wider enterprise privacy strategy.

Some examples of how app privacy mishaps and lack of care can have an impact at the organizational level include the following.

Location tracing and company secrets

The New York Times investigated the mass tracking of smartphone users in the USA. The subsequent article, “Twelve Million Phones, One Dataset, Zero Privacy,” paints a picture of mass location surveillance of Americans. The researchers were able to obtain a file that contained data showing “50 billion location pings from the phones of more than 12 million Americans.” These data showed the precise daily movements of individuals. 

The article went on to note that these data were collected by commercial firms: companies that created apps that people downloaded and that surreptitiously collected location data. The article states that: “[in] the United States, as in most of the world, no federal law limits what has become a vast and lucrative trade in human tracking.”

To a company, this may seem like an issue at the individual level, but these data have the potential to tie a person to a place. If these data are utilized by a competitor or a nefarious element intent on harming an organization, they could track the movement of company executives and place people together at locations and times. This, in turn, builds up a profile of a company’s business.

Zoom

Zoom has found a new audience in business users during the COVID-19 pandemic. But this success has been somewhat marred by Zoombombing incidents. 

Zoom also has an app which has been called out by Kaspersky as being less secure than the Zoom web client, as the latter sits in a sandbox environment. Any employee using the app version of Zoom potentially exposes company discussions that could include information on company secrets.

VPN use and privacy

It is generally believed that the use of a VPN will improve security and enhance privacy. However, a study of 283 Android apps found several instances of VPN apps where serious privacy and security vulnerabilities facilitate data exposure. These issues included insecure VPN tunneling protocols and DNS traffic leakage. 

Enterprise use of VPNs to protect a company’s sensitive data should be evaluated against privacy impact assessments that specifically build app privacy awareness into the process.

Encrypted messaging

Messaging apps are important for remote workers in the modern enterprise. They are a way to quickly keep in touch with team members. These messages must be protected from data leaks. We may not realize it, but even innocuous messages can give a cybercriminal a large amount of information on a company. This can then be used to perform further attacks that require an element of social engineering, such as business email compromise and other scams.

Also, so-called encrypted messaging isn’t always as secure as it seems. WhatsApp, for example, famously promotes the fact it uses end-to-end encryption. However, the app has security flaws, as is common in all software. For example, a buffer overflow vulnerability was located in the app last year. This has since been fixed.

WhatsApp groups have also suffered from other privacy issues. Recently, it was possible to find private groups on the app with a Google search, by way of the “invite to group via link” feature. By making changes to a link URL, you can access closed groups. Once in the group, personal data such as conversations and phone numbers are accessible.

Apps paint a picture from a thousand words

The point is that apps, like any other software, can (and often do) have vulnerabilities that leave them open to exploits. Corporate data may not be explicitly and obviously at risk, but it may be leaked via indirect connections to app users, their personal data and the app’s collection and transmission of these data. 

Cybercriminals are masters of connecting the dots. If you give them enough dots to connect, they can build a very realistic picture of a company and its secrets.

Conclusion: From an app to corporate espionage

Corporate espionage is common. There are countless examples that involve direct human collusion. But this isn’t the only way that corporate secrets can be stolen. Technology is an ideal way for sensitive company information, intellectual property and business details to be blatantly taken or exposed due to poor app privacy and security.

Apps are like any other IT service or application. As such, they should be incorporated into any enterprise security strategy and dealt with in the same way you deal with other IT networks and systems. Security and privacy testing and assessment must be extended to include apps that are used in a corporate context. Security and privacy policies, along with MDM, must augment this by ensuring that employees use apps within the confines of these frameworks. 

 

Sources

  1. “Everything you need to know about the NHS test, track and trace app,” Wired
  2. Michele Loi and Markus Christen, “Two Concepts of Group Privacy,” Philosophy & Technology, 2020
  3. “The Hidden Privacy Risk in Note-Taking Apps,” DuckDuckGo
  4. “Twelve Million Phones, One Dataset, Zero Privacy,” The New York Times
  5. “10 tips for Zoom security and privacy,” Kaspersky Daily
  6. Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar, Vern Paxson, “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps,” IMC ’16: Proceedings of the 2016 Internet Measurement Conference, 2016
  7. CVE-2019-3568, Facebook