Trend Five

Mobile users are losing control of their data privacy

As a society, we have come to accept invasive apps and services that collect rafts of personal data in exchange for more personalized services. We have embraced the mobile experience — the one-click access to information and services — and in exchange, we have to trust our devices to hold all our private information. There are a number of key elements that make data privacy a challenge. These include data mishandling, invasive app permissions, Man-in-the-Middle attacks, and data leaks.

Companies misusing data

With so many cases of companies like Facebook and Uber misusing data and funnelling it through to unscrupulous third parties, users are becoming more sensitive to how their data is used. This sentiment is being carried over into the workplace, as IT teams struggle to balance the need for visibility and control over mobile devices with this growing demand for user privacy. Additionally, incidents like the WhatsApp spyware attack have caused consumers to be concerned about the security and stability of apps themselves.

“In many ways, data is now more valuable than currency.”
Jamie Woodruff, Ethical Hacker

Apps asking for too much

It is important to pay attention to the permissions you’re granting all apps (and not just to those apps you would consider to be risky). App permissions determine what functions and data an app has access to on your device, and some are riskier than others. Some apps collect data without explicitly asking permission, while others boldly neglect user preferences entirely (like this Chinese weather app that was using certain permissions, such as location, even if users denied access).

There are variations in app permissions between iOS and Android. iOS has more privacy-focused permissions, while Android tends to expose access to raw parts of the hardware and operating system. For example, iOS has separate permissions for apps to access the camera (to take a photo) and to access the photo library. The equivalent on Android includes access to the camera (same as iOS) and access to either read or write the actual storage device (e.g., flash memory). While it is not a perfect like-for-like, reading external storage is the permission that is required to access the photo gallery on Android. We have analyzed the app permissions for both iOS and Android to see how many apps are asking for some of the most common permissions.

Man-in-the-Middle attacks put data in transit at risk

Public Wi-Fi presents a serious privacy risk when a Man-in-the-Middle (MitM) attack occurs. There are two primary flavors of MitM attacks that we see impacting mobile users. The first is when the attacker has physical control of network infrastructure, such as a fake Wi-Fi access point, and is able to snoop on the traffic that flows through it. The second is when the attacker tampers with the network protocol that is supposed to offer encryption, essentially exposing data that should have been protected.

Many attackers establish fake hotspots that use naming conventions similar to popular access point names. A distracted user could easily be fooled into connecting to a malicious hotspot with a convincing name.

Data leaks

Data leaks certainly don’t get as much attention as active threats like malware and phishing, but a leaking app is one of the biggest threats to user data privacy. By failing to encrypt data, an app or website developer is essentially making user data much more readily available to a MitM sitting on the same network as the device with the leaking app.

Our research shows that a username is exposed in 90% of PII leaks, a password is exposed in 85%, and credit card details in 2.3%. Don’t discount the implications of a password leak. Hackers can easily break into corporate accounts by capturing a user’s credentials with a MitM attack and using a tool to instantaneously plug those credentials into thousands of login pages at once. The scary reality is that using a poorly developed app on public Wi-Fi could lead to a major data breach.

Recommendations for enhancing user privacy

Mobile users are already struggling to regain control of their privacy. That’s why it’s important for IT teams to support them. Most endpoint security solutions allow for basic man-in-the-middle detection by identifying rogue hotspots and suspected MitM activity. However, network-based detection can go a step further by monitoring network transmissions for unencrypted data transfers (data leaks). A network-based policy engine can do even more by blocking data exposures on unsafe networks, therefore enhancing user privacy while also guaranteeing the confidentiality of sensitive data as it is communicated across the network. What’s more, an additional layer of encryption, such as a VPN or encrypted DNS, can help keep user data private and secure from online profiling and theft.

Protecting corporate-enabled devices

This coming year, these five trends will be the most concerning and pervasive among mobile enterprises. With data breaches costing upwards of $3.92 million, prevention is better than remediation. With the right security strategies in place, you’ll be better positioned to protect your organizational data from attacks.

“A vicious cycle of low adoption of MTD solutions leads to low visibility of mobile risks, which, in the absence of spectacular mobile breaches, leads to a continued low perception of mobile risk.”
Gartner Market Guide for MTD 2019

Wandera’s cloud-based security solution addresses all the threats mentioned above: zero-day malware and phishing detection powered by machine learning, application vetting, vulnerability detection for operating systems and applications, jailbreak and rooting detection, MitM detection, data leak detection, secure access to cloud applications, encryption technologies, and more.

If you’d like to learn more about protecting your organization from mobile threats, get in touch with one of our experts today.

Get in touch