Attack of the apps
It seems like a fair trade: Get your favorite mobile apps for free, be shown annoying ads in return.
But that’s not all you’re doing in return. In reality, this trade has you giving up a great deal of personal information. Mobile apps collect a massive amount of personal data — your location, your online history, your contacts, your schedule, your identity and more. And all that data is instantly shared with mobile advertising networks, which use it to determine the best ad for any given user at any given time and place.
So, the trade-off isn’t really ads for apps — it’s intrusive mobile surveillance for apps. By agreeing to free, ad-sponsored mobile apps, we’ve consented to an economic model that entails continuous and comprehensive personal surveillance. It’s what Al Gore accurately characterized as the stalker economy.
Why is our personal, locational and behavioral data so coveted by marketers? Because a smartphone is something that we as consumers carry everywhere we go, and it’s constantly broadcasting personal data of all kinds. If advertisers know who we are, where we are and what we’re doing, they can deliver more effective ads. It’s called proximity marketing. It’s the Rite Aid ad that pings your phone as you walk through the aisles: “Save 10% now on mouthwash.”
Sounds innocuous, if annoying. But it goes much further than this. We’ve now enabled a system where a major retailer can know, for example, that a teenager is pregnant before her parents do simply by correlating her activity, search and purchase data. That retailer can then reach out via mail or email, or target her via phone when she is near a point of sale. This intrusion on our collective privacy isn’t going away anytime soon (if ever), as the economic incentives for app developers and advertisers are too strong.
OK, agreed, this kind of consumer surveillance is intrusive and creepy. But how does it threaten enterprise security? Simple. As more personal mobile devices invade the business world, leaks from those devices are opening the door to corporate hacks, stolen business data and crippling cyberattacks.
For instance, if a company lets its employees sync their corporate calendars and email accounts to their personal mobile devices, this opens up all sorts of risks. Suddenly, employees’ phones contain or can access the contact information of everyone in the organization. Further, any other mobile app that requests access to the employees’ contacts and calendar also gets access to the names and titles of company employees, as well as the dial-in codes for all private conference calls. This information can easily be put to effective use in a spear-phishing attack by a malicious app or hacker.
Worse, many apps monetize their user bases by sharing data with ad networks that share and combine data with other networks, so it’s impossible to know where exactly data is going and whether it’s being handled in a secure fashion by any of the many parties that have access to it. All of this sharing means a malicious hacker doesn’t even have to directly access an employee’s phone to attack a company. He can hack an ad network that has information from millions of users and go from there.
Stolen information can also be used to attack an enterprise through a watering-hole attack. Say a small group of executives have lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily know this. The attacker correctly assumes that some of the execs are accessing the restaurant’s website to make reservations and browse the menu before lunch. By placing malware on the lightly defended site, the attacker is able to compromise the office computer or mobile device of one or more company executives. From there, a successful breach is launched.
A compromised smartphone represents a threat not just to the targeted employee but to the entire company. Information about employees’ activities, both on the job and elsewhere, combined with any company-related emails, documents or sensitive information, can be devastating to an organization if it gets into the wrong hands.
Originally appeared on TechCrunch. To read more about what enterprises should do to combat the threat, click here.