What do the latest privacy scares mean for your mobile and cloud strategy?

A discussion of app permissions, mobile threat defense, and BYOD policy.

Since news of the Cambridge Analytica scandal broke here in the US, there has been a new wave of talk about privacy. As a consumer, I feel resigned to the inevitable, but as part of the enterprise mobility and EUC community, it’s a good time to wade in and talk about how this affects us.

We’re not alone

First off, just like when we started crafting policies about the consumerization of IT and BYOD a few years ago, we have to acknowledge that this isn’t something for EUC admins to be dealing with on their own. This is a compliance, legal, and boardroom-level issue; and beyond these levels, a societal issue. It’s not going to be solved by EUC admins, any single EMM or security vendor, or blog post.

App permissions

Now that we’ve gotten that out of the way, let’s look at the mobile angle. It’s great that mobile devices have user-controlled permissions for accessing sensitive data (i.e. apps have to specifically request access to your photos, location, contacts, etc.). Plus, these permissions are getting better: iOS now requires developers to state why they’re asking for access; Android permissions have become more granular; and these types of controls are coming to desktop OSes and browsers.

However, there are plenty of caveats, and it almost feels quaint talking about permissions. Aside from permission-protected data sources, we give apps and services all our data directly (i.e. we open the app, interact with it, type data into text fields, etc.). Some apps will ask for access to permission-protected data sources specifically to serve us ads, as outlined in this Appthority report that landed in my inbox yesterday.

There are all sorts of ways that permission-protected data can be abused once we grant an app access. Sometimes it’s obvious—the app will ask to use our contacts so that we can do one-off “sharing” with friends, but then it will vacuum up all the contacts and spam them.

Other times it’s less apparent on the surface, but then once you know what’s going on, you think, “Of course, why didn’t I realize that before!” For example, an app can ask for access to your camera roll, and then use the metadata in geotagged photos to figure out lots of information about where you’ve been, without asking for access to your location. (Check out this proof of concept.)

Enterprises use tons of free apps

We can read the EULAs on all our enterprise apps, and talk with vendors about their data policies, but there are tons of free and often troubling apps and services that companies use but may not examine as closely, or that they are forced to use.

In 2018, every business has to have a presence on all the popular social media platforms, so you more than likely have users in the marketing department that use Facebook, YouTube, LinkedIn, Instagram, Pinterest, Twitter, etc. every day. Even if your official policy is to block social media on the network and lock down corporate devices, it still has to be there.

Then there are all the apps that users find on their own to solve business problems. For example, mobile email clients have had built-in document viewers for a long time, but in an environment of any size, you’ll find plenty of sketchy third-party PDF viewers, file converters, unzipping apps, and so on.


This is where all these recent tools come in: We have enterprise mobility management to make sure we can give users all the mobile tools they need, instead of leaving them to find sketchy alternatives. Mobile app management and data loss protection can keep data in the apps and services we want, and out of those that we don’t want.

Mobile app reputation services (a feature of many mobile threat defense products) and inspection of cloud apps (part of cloud access security brokers) can help vet the apps and services chosen by the enterprise and by individual users.

What’s reasonable?

As a consumer, I’m throwing up my hands. I can take certain reasonable security and privacy measures, but I don’t think deleting Facebook or giving up Google is going to do all that much—the data-oriented companies of the world already have plenty of information on me. (Good thing this is an enterprise blog and I don’t have to figure this out here.)

On the enterprise side, there is a very large conversation to be had, but one thing that has become more clear recently is around BYOD. Even though it may not seem fashionable, there are plenty of environments that call for tight controls around BYOD, and in many cases, having two separate phones for work and personal usage is the logical choice.

That recent incident where Strava accidentally confirmed the location of secret military bases is a prime example. They released a map of users’ running and cycling routes. Of course, it was anonymous, but the very routes themselves revealed a lot of information, including the military bases. These are environments where it’s probably appropriate to prohibit any personal apps with location tracking capabilities, and to do that, some sort of mobile app reputation service would help.


Other than these comments here, I don’t really have any other answers to this huge problem of our day. What’s your company and IT department doing in the wake of the latest privacy scares?

Join the conversation

1 comment

It’s a massive topic over here in Europe with the incoming GDPR privacy legislation.
Conversation previously was focused on preventing corporate data leaking out but now there is also a lot of concern about employee personal data leaking IN!

Clear separation of personal and work in BYOD and COPE is challenging although arguably more controls exist than a Windows desktop with DLP, MAM etc. (Windows 10 in fairness has some good options here too with WIP)

Android with Android Enterprise are providing some great controls for separating data and defining data flows. iOS has some fantastic privacy and DLP controls also but suffers in a BYOD environment as you have written about previously. MDM vs MAM and use of Cloud proxies etc are all great security controls however they can harvest a lot of personal data for example app inventory so configuration needs to be more thoughtful than many organisations have considered previously.

It’s a very interesting time now with data privacy incidents making lots of headlines and the potential for significant regulatory impact once GDPR lands in May.