
Business Mobile Apps Usage is Still Growing — And So Are The Privacy Risks


The Shift to Business Mobile Apps is Here to Stay — And So Are The Privacy Risks

The switch to remote work, education and socialization sparked a surge in mobile app downloads in early 2020. At the peak, 70 percent of Americans were teleworking and 62 percent had downloaded new tools and platforms due to the pandemic. Two years later, even as many workers return to their offices, the trend is holding strong. According to App Annie, we’re spending more time in Business apps than ever before. “Mobile connectivity is more important than ever as employees and businesses embrace a hybrid, or even fully remote, working model.” But recent headlines indicate that the convenience these apps offer may come with a hidden cost: surveillance.

Big Brother? There’s an app for that

Most consumers recognize that by sharing their data with a mobile application, that data may be anonymized and shared with advertising partners. Yet recent headlines have shown that it’s not just private companies that pay for access to this data. Government agencies do as well.


Early in March, a group called Protocol shared the results of an investigation into a company called Babel Street. The company contracts with the federal government and police departments, leveraging publicly available social media data to stop criminal activity in real time. In addition to these services, however, the company offers a product — tellingly not mentioned on its website — called “Locate X.” This product allows users to draw a digital geographical circle and not only identify the mobile devices used within it, but also use cell phone location data to see where those same devices have traveled previously.

Location data can help keep us safe

This is not to say that these surveillance techniques can’t be put to good use. Location data, for instance, offered crucial insights into which states were complying with shelter-in-place orders during late March and early April. And they’ve also been used to advance U.S. national security interests. Researchers at Mississippi State University, for instance, were able to use “Locate X” to follow 48 mobile devices as they moved from a missile test site in Russia to Moscow, secure Russian military districts and even to a resort. Federal agencies, including the CIA, NSA, and Departments of Justice and Homeland Security, are also contracted with Babel Street and use its technologies to defend us both at home and abroad.

…but data is easily weaponized in the wrong hands

But those very same kinds of tools we use to defend ourselves can also be weaponized against us. When fitness app Strava publicized a map of three trillion data points covering user running or cycling routes, researchers were able to find U.S. bases operated in Afghanistan and secret CIA locations. Even a seemingly innocuous app available for free download on any phone can have devastating consequences for national security.


Who’s watching — and why you should care

It might be easy to assume that, because you are not a member of the U.S. military or employed by a federal agency, you are not subject to scrutiny by the government or its contractors. Research indicates that many Americans accept the use of location data for these purposes. But the frustrating reality is that we have no visibility into other uses of our location data, nor into what other kinds of data federal agencies collect and analyze. And if researchers at a public university can successfully track movement at U.S. and foreign embassies and the Kremlin, it’s reasonable to assume that the federal government’s tracing capabilities are far more extensive.


Surveillance risks for organizations

90% of cyber attacks on organizations rely on social engineering. When apps leak data, scammers, hackers, competitors and anyone willing to pay a price can gain access to details only employees should know — in other words, prime fodder for a social engineering attack.

Even more sinister, it’s not hard to imagine the consequences of location data being used to map the inside of your facilities, or even track individual employees' locations like a real-life Marauder's Map.

Organizations go to great lengths to secure their facilities and protect their IP. The same should be true for employee privacy.

How to protect privacy — for you, and your organization

A good offense is your best defense. A few simple steps can help reduce risk. (Tip: Share this list with your team, HR, CISO, or IT lead to help spread the word at your organization.)

App privacy precautions every employee should take:

  • Use the official app store - Always download directly from your device’s official app store. That’s the App Store on iPhone or Google Play on Android.
  • Pause before you download - Be sure you trust the creator of the app and fully understand what data it will gather and how that information will be used. You can find this information by reading the app’s privacy policy.
  • Check with your security team - Always check with IT or your data security team to ensure that the business app you’re downloading has been approved for use.
  • Control what you share - Pay attention when an app asks for access to your data. Does the app really need access to your contacts or photos? Consider turning off location services on your mobile apps as well as your Google account. You can also switch off your mobile ad ID, which is used by your phone to track, assemble, and share your online activity with advertisers and app developers.
  • Practice good password hygiene - A tool like IDX Password Manager makes it easy to generate and use strong passwords every time — without having to remember them.
  • Use a burner email to set up new accounts - Another trick is to not only use a new password for each account you make but to create a unique email for each account as well. Data companies do all they can to collect and profit off your information.
