With more than a million apps available for download, it's not realistic to ask users to review app permissions every time they're going to download a mobile app. Even if they do, there are a number of ways for developers to go around app permissions and collect user data without asking for it. The mobile apps we download have access to an enormous amount of personal data. As we start using our phones and tablets for work, we're also putting corporate data at risk.
Free mobile apps are generally the biggest privacy culprits. Since app developers need to generate revenue, many free apps will collect and share user data with outside parties, such as ad networks and analytics companies, in order to generate a profit. As a general rule, ad networks will pay more money for more user data collected from app developers.
Some apps use clear language when asking for permission to collect user data. But a large number of apps use generic language that can be deceptive, asking for one thing but doing another. There's a disconnect between the permissions that apps are asking for and what they're actually doing behind the scenes. For example, some apps will run constantly in the background, operating even when not in use, draining battery life and data, and collecting information on the user 24/7.
App permissions can also be “grandfathered in” to third parties that operate within the app. For instance, if you download a mobile game and grant it access to your contact list, it may also share your contacts with any ad networks with which it does business.
Mobile app developers can also take advantage of a number of loopholes to go around app permissions. For example, if a user denies access to their phone's GPS, a developer can use GOIP tracking, cell phone tracking or their Wi-Fi network to determine location.
The bring-your-own-device (BYOD) movement has created a unique set of challenges for IT to manage, from Android malware accessing the corporate network to employees' lost or stolen phones exposing company info. But the real, immediate threat to businesses is how mobile apps are handling enterprise data. In fact, according to our latest App Reputation Report, 79 percent of the top free iOS and Android apps are associated with security and privacy issues.
We've entered the era of “bring-your-own-apps.” The app ecosystem is transforming how IT manages mobile devices in the workplace. It used to be the case where IT managers only had to manage a handful of enterprise software vendors. In the app world, there are hundreds of thousands of different developers. Beyond knowing developers, it's also about what code they're using. Comparatively, it's a very fragmented ecosystem.
We also can't trust Apple and Google as app gatekeepers for the enterprise. What's good for the consumer isn't always the same case for the workplace. As we work to protect company data, it's less about the device itself and more about the content on the device and any data risk. It's time we focus on mobile app risk in building BYOD policies for the workplace.