
Why IT should worry about Android app data sharing

Android and iOS apps are sending out data to parties that users have no knowledge of, making IT's job of locking down business information that much harder.

COMMENT Android doesn't have the finest security reputation in the mobile OS space. Revelations this week have only exacerbated the situation for Google. And businesses should be worried too, not just consumers.

A Channel 4 investigation, in collaboration with security firm MWR Infosecurity, found that ad networks had access to user data from certain Android apps.

Permissions granted to those apps, many of which were in the top 50 apps list, were also granted to advertisers, MWR claimed. The security vendor said contacts, calendar and location data were being shared thanks to code created by US ad network MobClix.

Google responded, saying it has best practice guides for developers when it comes to user data, but that it does not screen apps for compliance with those recommendations before they are shoved on the Android Market. The company does remove rogue applications that do bad things with that information, however.

Even Viviane Reding, the European Commission's commissioner for justice, waded in to share her concerns.

"This is against the law because nobody has the right to get your personal data without you agreeing to this," Reding said.

"Maybe you want somebody to get this data and agree and it's fine. You're an adult and you can do whatever you want. But normally you have no idea what others are doing with your data. They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences.

"That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change."

Just last week, Android was in privacy hot water again, when a New York Times investigation found that any Android app with permission to access the internet could post images to a remote server. Google has acknowledged the problem, saying it related to a design choice made to accommodate the way early Android phones stored data when photos were often saved onto a removable disk. The company even said it was considering changing its processes. Nevertheless, the flaw has not been fixed.

Apple iOS apps were also found to be doing something similar. Any developer could view people's photos as long as they permitted use of location data.

The business problem

On the face of it, these issues are largely consumer-related. But as with so many things in today's hyper-connected world, businesses can be hurt by such lax client security too.

Whilst business mobiles can be locked down, and apps provisioned from a central source ensuring no crazy permissions are granted to developers, consumer devices are much more difficult to lock down. It's particularly hard to stop business information from getting on worker phones.

Now, by sending data to a host of other parties, these Android apps are potentially making mobile management for IT teams even more of a nightmare than it already is. If apps can access a range of data on a mobile device, then it's likely they will see information related to that person's employer, whether in contacts and calendars or from social networks, text messages and photos. This means business information, which could be anything from copied work emails to corporate IP, is not just being taken out of the network on user devices; it is being disseminated to unknown parties across the globe.

What if those ad networks are doing naughty things with that data, passing it on to yet more companies? What if those ad networks don't have sound data protection policies, or have malicious insiders? What if those businesses got hacked, leaking a tonne of companies' information, not just their own?

What's clear from these latest developments is that so-called 'consumerisation' is even more complex than IT departments had first feared. Data is being leaked from surprising sources. And, in the case of these Android and iOS apps, there is little CIOs can do about it right now.

Instead, they will have to hope mobile OS makers stop allowing developers and ad networks to get hold of so much information without users knowing. Thus far, they have little to get excited about.
