Why IT should worry about Android app data sharing


COMMENT Android doesn't have the finest security reputation in the mobile OS space. Revelations this week have only exacerbated the situation for Google. And businesses should be worried too, not just consumers.

A Channel 4 investigation, in collaboration with security firm MWR Infosecurity, found that ad networks had access to user data from certain Android apps.

Permissions granted to those apps, many of which were in the top 50 apps list, were also granted to advertisers, MWR claimed. The security vendor said contacts, calendar and location data were being shared thanks to code created by US ad network MobClix.

Google responded saying it has best practice guides for developers when it comes to user data, but it does not screen apps against those recommendations before they are shoved on the Android Market. The company does remove rogue applications that do bad things with that information, however.

Even Viviane Reding, the European Commission's commissioner for justice, waded in to share her concerns.

"This is against the law because nobody has the right to get your personal data without you agreeing to this," Reding said.

"Maybe you want somebody to get this data and agree and it's fine. You're an adult and you can do whatever you want. But normally you have no idea what others are doing with your data. They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences.

"That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change."

Just last week, Android was in privacy hot water again, when a New York Times investigation found that any Android app with permission to access the internet could post images to a remote server. Google has acknowledged the problem, saying it related to a design choice made to accommodate the way early Android phones stored data when photos were often saved onto a removable disk. The company even said it was considering changing its processes. Nevertheless, the flaw has not been fixed.

Apple iOS apps were also found to be doing something similar. Any developer could view people's photos as long as users had permitted the app to use location data.

The business problem

On the face of it, these issues are largely consumer-related. But as with so many things in today's hyper-connected world, businesses can be hurt by such lax client security too.

Whilst business mobiles can be locked down, and apps provisioned from a central source ensuring no crazy permissions are granted to developers, consumer devices are much more difficult to lock down. It's particularly hard to stop business information from getting on worker phones.

Now, by sending data to a host of other parties, these Android apps are potentially making mobile management for IT teams even more of a nightmare than it already is. If apps can access a range of data on a mobile device, then it's likely they will see information related to that person's employer, whether in contacts and calendars or from social networks, text messages and photos. This means business information, which could be anything from copied work emails to corporate IP, is not just being taken out of the network on user devices; it is being disseminated to unknown parties across the globe.

What if those ad networks are doing naughty things with that data, passing it on to yet more companies? What if those ad networks don't have sound data protection policies, or have malicious insiders? What if those businesses got hacked, leaking a tonne of companies' information, not just their own?

What's clear from these latest developments is that so-called 'consumerisation' is even more complex than IT departments had first feared. Data is being leaked from surprising sources. And, in the case of these Android and iOS apps, there is little CIOs can do about it right now.

Instead, they will have to hope mobile OS makers stop allowing developers and ad networks to get hold of so much information without users knowing. Thus far, they have little to get excited about.

Tom Brewster
