By Adam Cohen
“It’s a mobile jungle out there, and your corporate data is too valuable to just bungle through it.”
Little computers, generically called “mobile devices,” are everywhere, like creatures sharing our environment with non-digital animals and insects. They come in all shapes and sizes: tablets as big as flat-screen TVs; wearable technology such as the Apple Watch, fitness bracelet or Bluetooth headset; and the undisputed king of mobile devices, our inseparable personal parasite — the smartphone. Not only do these devices share our “physical” environment, they permeate our information technology environment. Connected in the atmosphere of the Internet, mobile devices breathe by inhaling and exhaling data, which travels across the globe, nearly instantaneously.
The Bring Your Own Device (BYOD) policy approach to employee devices is rampant, although of course adoption and implementation vary widely depending on industry regulatory environment and other variables. BYOD implementation can come in a wide variety of different formulations, but it essentially means that employees are choosing their own hardware and, to one degree or another, mixing personal and business use on a device. Some of these devices are like domesticated animals or tamed pets — corporate-issued and configured, and strictly controlled by corporate IT. Others are only partially domesticated — personally selected and purchased devices with corporate information management in the form of “mobile device management” or other controls. But most are just plain wild — personal devices with no control from employers other than perhaps some unmonitored, unenforced, and mostly unread policy guidance.
While there is widespread awareness that this commingling of work/life presents some degree of risk, both for the security of business data and the privacy of the individual, this awareness is often embodied by a vague feeling of unease rather than a specific concern about a particular security vulnerability or threat. Read along as I attempt to ferret out some of the less talked-about specific underlying security and privacy risks arising in the mobile ecosystem. Without spoiling the story, and in the interest of capturing your continued attention, it turns out there really is something to worry about. However, once we have identified what we are worrying about, we can actually do something about it.
Trouble in the Air
It is a fact of our wireless lifestyle that wireless networking involves security compromises in opening data traffic to electronic eavesdropping, or “sniffing.” It’s not that being plugged in makes it impossible to eavesdrop, but that going wireless makes it much easier. The spread of wireless networking and the proliferation of mobile devices are interdependent phenomena that feed each other. We have not only more new devices, but also more ways to access the Internet wirelessly by using these devices. These avenues to the Internet include a plethora of public WiFi hotspots (e.g., at your local coffee shop, the gym, the airport). Ask yourself: Does a “public WiFi hotspot” sound like a safe place for sensitive corporate data?
When users connect to these networks with their mobile devices – which more often than not mix business and personal data — they are assuming a certain risk, as are their employers whose policies permit this confluence of device, data, and connection. There may well be no control as to who else is on the network and what they are doing. Strangers are in the sandbox where our mobile devices are innocently playing. This is disturbing when, as is routine, sensitive data is on the devices connected to these public networks. Unknown individuals with the appetite for such data, seeking pleasure or profit, may connect their own predatory devices to public WiFi networks and deploy “packet-sniffing” tools in an effort to catch juicy morsels of data as they waft across the airwaves. With the powerful, user-friendly tools available online for free, turning a laptop into a packet-sniffing predator is a snap.
Apart from WiFi, another wireless technology commonly deployed on mobile devices is Bluetooth, which is a standard for short-range wireless connections between devices. People walking around talking to themselves used to be called crazy; now we know they’re just using Bluetooth headsets to talk on the phone.
Bluetooth can be vulnerable to attacks, utilizing cute-sounding names like “Bluejacking” and “Bluesnarfing,” for example. Bluejacking involves using Bluetooth to send unsolicited messages; it is essentially spam for Bluetooth. The more sinister Bluesnarfing involves using the short-range communications technology to access content on the target device. If you are not using your Bluetooth capability, you might want to disable it, as you might consider doing in public areas filled with unknown, untrusted devices. Not all pets are friendly — some bite.
Although the danger is real and worth worrying about, illicit network “wiretapping” activity actually coming to fruition is relatively rare. Much more significant are two major risks discussed next: 1) the creation and persistence of data on mobile devices that is stored in ways that may not be known or may be challenging to identify and access; and 2) mobile apps that have broad access to user data and device functionality, and that collect and transmit that data or have the potential to do so.
Mobile Device Data Chameleons, Hiding in Plain Sight
A problem in information management is the persistence of data that users think is gone. There are many examples of such data, including data deleted on hard drives and deleted e-mails on mail servers. For self-evident reasons, when we believe that data doesn’t exist, we can’t do a good job of managing it. For example, if corporate retention policy dictates the destruction of certain data by a certain date, that date is likely to pass without further steps to destroy the data in question if the data owner or other individual responsible for implementing the retention policy believes that it has already been destroyed.
With mobile devices and apps, the problem has taken new forms and monumental proportions. Consider Snapchat’s run-in with the Federal Trade Commission (FTC). The explosive popularity of Snapchat, a social media photo and video messaging app, was built on the claim that the service automatically deletes the photos or videos sent seconds after they are viewed by the receiver. This turned out to be less than totally accurate, and Snapchat entered into a settlement agreement with the FTC. See Wortham, Jenna, “Off the Record in a Chat App? Don’t Be Sure,” New York Times (May 8, 2014), available at: http://tinyurl.com/nb84nmu.
Leaving aside a situation like the Snapchat debacle, there are many apps that do not appear to retain data at first glance, and so to the casual user the assumption is that the data is gone, or at least not on the device. Time and again, we see lawyers come to us frustrated because they cannot find critical evidence on a mobile device. They are frustrated because: 1) their witness is telling them there was a conversation using a certain messaging app; but 2) their vendors are telling them the messages cannot be found.
The messages are there and are highly relevant. However, they cannot be found by simply following the instructions for the industry-standard tools. Retrieving the critical evidence instead requires thorough understanding of how the app and the device store data, and where the data can be found and intelligently analyzed. The rest is easy.
In a sense, this is a less “sophisticated” approach. Instead of using state-of-the-art technical tools to find the evidence, this approach requires experience and expertise. It also requires recognizing that even “state of the art” in forensics is necessarily behind developments in smartphone or social media user functionality. Forensic tools are developed reactively, and reaction is never simultaneous or instantaneous, although it may not be far behind.
Defensive and investigative tools are always chasing new developments in mobile device technology from a stance of having missed the starting gun. In other words, they are reactive — being able to deal with data created by a new app, for example, is functionality that has to be developed after the app has been studied and dissected. This takes time. Accordingly, if forensics professionals rely on commercially available tools, they are sure to miss critical potential evidence.
When users and others with a role in managing and securing corporate data do not realize that mobile-app-generated data is recoverable, that data cannot be managed appropriately. It becomes a security risk, in that people who know it is there may be able to steal it with impunity. Those with interests adverse to the user or the user’s employer may be able to leverage the failure to disclose the data or the contents of the data in legal proceedings.
Going further out on a limb, if an app provider asks users for permission to access certain data, the granting of such permission is not absolute, but rather implied for the limited purposes associated with the purported functionality of the app. For example, if an app requests permission to access the user’s location, the user has a right to assume that this data will be used for purposes associated with what the app does, like providing weather forecasts for the user’s current area. Unfortunately, the reality is that users cannot trust all mobile apps, and the ways in which certain apps misbehave suggest that employers have cause for concern regarding the security of their corporate data on BYOD devices.
At least with respect to Android apps, available in the Google Play store, there are popular apps — those that have been downloaded by many millions of users — that are seriously disturbing in their potential for misuse. These apps acquire much more extensive “permissions” to access and control the device than might reasonably be anticipated by users. For example, the apps will acquire permission to access external storage, activate the device’s camera, mount and un-mount file systems, and pretty much anything else you can think of in terms of having unlimited ability to control and access a mobile device and its content.
In addition, certain apps can and do in fact collect and transmit highly specific data about the device (e.g., location) at regular intervals, in spite of statements explicitly denying such activity in the published privacy policies, and in spite of the fact that the purported functionality of the apps has no relation to or legitimate use for location data. Incidentally, some of these “utility” type apps do not even work (i.e., they do not perform the functionality advertised). Do these apps sound like good neighbors or playmates for sensitive corporate data inhabiting the same device?
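One way an IT team could check an app for the over-broad permissions described above is to compare what its manifest requests with what its advertised function plausibly needs. The following is an added example, not part of the original article; it assumes the manifest has already been decoded to plain XML, and the category-to-permission map, the high-risk list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a reviewer accepts for each advertised function (hypothetical map).
EXPECTED = {"flashlight": {"android.permission.CAMERA"},
            "weather": {"android.permission.INTERNET",
                        "android.permission.ACCESS_COARSE_LOCATION"}}

# Capabilities the article calls out (storage, camera, mount/unmount) plus location.
HIGH_RISK = {f"android.permission.{p}" for p in (
    "CAMERA", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "MOUNT_UNMOUNT_FILESYSTEMS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return root.get("package"), perms

def audit(manifest_xml, category):
    """Flag permissions beyond what the app's advertised category needs."""
    package, perms = requested_permissions(manifest_xml)
    unexpected = perms - EXPECTED.get(category, set())
    return {"package": package,
            "unexpected": sorted(unexpected),
            "high_risk_unexpected": sorted(unexpected & HIGH_RISK)}

# Constructed sample: a "flashlight" utility that asks for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    print(report["package"], "requests beyond its stated purpose:")
    for perm in report["unexpected"]:
        flag = "HIGH RISK" if perm in report["high_risk_unexpected"] else "review"
        print(f"  [{flag}] {perm}")
```

An app whose category is not in the map has every requested permission flagged, so unknown apps default to review rather than to trust.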
It is commonly assumed that Apple iOS devices, and apps sold through the iTunes Store, are inherently more secure than Android devices and apps. Android is open-source and based on Linux. Apple maintains much closer control over its closed platform, which may be relatively more secure than Android in terms of the capacity for app developers to commit atrocities to security and privacy. However, to think that Apple devices are immune from the same kind of highly sophisticated actors that prey upon Android mobile devices would be naïve.
As widely reported in September 2015, the iTunes store is not immune from malware infections. See Chin, Josh, “Apple Targeted as Malware Infects China Mobile Apps,” The Wall Street Journal (updated Sept. 20, 2015). The reported infections were the result of an attack against copies of Apple’s software developer toolkit, and persisted despite explicit warnings to the developers of the dangers in the code they were using. As a result, the apps allowed for a horror show of privacy and security problems of a similarly disturbing nature to those described above in connection with Android apps.
There is no right answer to reducing the risk from mobile devices. BYOD is a reality of our environment, and taking away everyone’s toys is not going to happen. But a company that cares at all about its data needs to stay abreast of the security risks mobile devices engender. There are many ways to combine policy and technology in ways that address these risks — maybe not by eliminating them, but at least by identifying them and adapting appropriately.
Nor is there a magical technical solution, even though vendors claim otherwise. Do not believe them — the claim is simply inconsistent with the ever-changing nature of technology. There is an iterative cycle where technical hardware and software are created for business or pleasure, the risks of the new technology are identified, and technical means of managing these risks are developed. Accordingly, relying on current technology is never enough. In the mobile jungle, awareness and adaptability are the most important traits for achieving any measure of relative security.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.