In May, a trio of researchers at Ulm University in Germany revealed
that Google's Android smartphones contained a security flaw that
could potentially affect nearly the entire product line. The flaw was
discovered when the team found that it was "quite easy" for
hackers to intercept data from Google's email, photo-sharing,
calendar and contacts applications.
Not long before the Android breach, Apple came under fire after it
was learned that the tech giant was collecting location information from
its iPhone users. This was a unique type of data breach as it was not
initiated by outside hackers but by the smartphone's parent
company--and apparently done so accidentally. And though a user's
location may not be considered sensitive business information, such a
weakness within the system signals that there is a strong potential for
data breaches involving other, more serious material. Privacy and
"big brother" concerns also abound whenever a company can
collect geopositioning data on consumers.
The most troubling aspect is that these concerns may be just the
beginning. And many security experts fear that mobile apps present one
of the largest new frontiers in cyberrisk.
According to the App Genome Project, there are now more than
400,000 apps in the Android Market and Apple App Store combined. Are the
companies that release these mobile apps putting the appropriate
controls in place to prevent data breaches?
A recent report from Symantec highlights the concern. It found that
Apple and Google are very different when it comes to mobile security,
"creating distinct potential vulnerabilities for enterprises
embracing devices running these operating systems." For instance,
Apple employs what Symantec calls "application provenance," or
identifying, certifying and vetting an app before it is published for
public use. For Google, however, the course of action is much different.
There is no vetting process and apps can be uploaded from just about
anywhere on the internet. So as these user-friendly apps continue to
grow in popularity, so too may security breaches.
Even more concerning is one of the biggest trends in enterprise
mobility: the bring your own device (BYOD) paradigm, in which companies
allow employees to use their personal smartphones for business.
"This has implications on the whole 'command and control'
model that most enterprises are used to and is forcing them to adapt to
a 'monitor and manage' model," said Raffi Tchakmakjian,
vice president of Trellia, a mobile device management company. So
policies are now being defined with a clear delineation between the
consumer and business side--the key is for enterprises to have full
control over their own data and applications, without affecting the
user's personal data on the device.
"The State of Data Security," a report recently issued by
Sophos, a data protection and analysis firm, stated that "Mobile
devices by their very nature are harder to protect and therefore can
represent the weakest technology link in a company's network."
Because of the ever-present risk of personal data loss, some U.S.
states have enacted legislation relating to data protection. California
has had its Online Privacy Protection Act (OPPA) in place since 2003,
and just this year, state legislators ruled that a person's ZIP
code is considered personally identifiable information and therefore
covered under the act. Nevada and Massachusetts have also enacted laws
protecting an individual's personal information, requiring
companies to encrypt files, employ up-to-date firewall protections and
train employees on the importance of personal information security.
Consumer advocates hope other states will follow suit.
The risk landscape when it comes to mobile devices and apps is not
all bad, however. Some companies have developed apps designed to help
users manage risk.
Digital Sandbox, a public safety risk management company based in
Virginia, has released what it calls the Risk Analysis Center Mobile
Monitor, which allows Apple iPad and iPhone users to access relevant
safety threat information within that user's unique risk context.
Citicus, a developer of automated risk and compliance tools, developed
MoCA, a smartphone application that allows users to identify worst-case
scenarios and their business impact anywhere, anytime with the touch of
an iPad or iPhone screen. Modulo is yet another company offering users
immediate access to pertinent business statistics with its Risk Manager
Mobile app, which helps organizations develop risk maps, conduct audits,
deliver risk profiles, and perform governance, risk and compliance
analysis.
Risk managers who use these should still be careful, however. Even
the most risk-conscious companies may be challenged by the world of
mobile apps--a world where information security is never guaranteed.