Mobile navigation with real-time traffic information, news and weather reports, social networking… What is the price to pay for all of these wonderful “free” services on smartphones? In the olden days it was simply tolerating a commercial advertisement. But today? It’s letting the provider know everything that’s contained on the phone, leading business mobility consulting and enterprise app development firm On The GoWARE to make its clients aware of the security implications of a recent Yahoo software update.
Last Thursday, Yahoo released a mandatory update for their Yahoo Mail and Messenger Android apps. If the software isn’t updated, it is disabled and can no longer be used. Most people would simply click the convenient “Update” and “Accept & download” buttons and get on with their day, but those who know better look first at the incredible list of permissions the app requires. Here are some of the more frightening ones:
- Modify/delete USB storage contents
- Read SMS or MMS, receive SMS
- Read contact data, read sensitive log data, write contact data
- Act as an account authenticator, manage the accounts list, use the authentication credentials of an account
- Discover known accounts
The last two permissions are particularly disturbing. In the Android App Market, open an app’s page and scroll below the “Accept & download” button to see each permission it requires. Tap a permission to see Google’s explanation of it. For the account-related permissions above, the explanation reads:
Allows an application to use the account authenticator capabilities of the account Manager, including creating accounts and getting and setting their passwords. Allows an application to perform operations like adding, and removing accounts and deleting their password. Allows an application to request authentication tokens. Allows an application to get the list of accounts known by the phone.
- as quoted from the Google Android App Market permission explanation detail page for the Yahoo Mail app
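The permission review the article describes can be done against an app’s decoded manifest rather than by tapping through the Market page. The following is an added example, not code from the article or from On The GoWARE: it parses a constructed manifest fragment (a hypothetical package, not Yahoo’s real manifest) and flags the AccountManager and data-access permissions the article lists. The permission names are the standard Android ones; the “block enrollment on any account permission” rule is an assumed policy for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# AccountManager permissions the bulletin singles out, with the defender-relevant effect.
ACCOUNT_PERMS = {
    "android.permission.AUTHENTICATE_ACCOUNTS": "create accounts, get/set their passwords",
    "android.permission.MANAGE_ACCOUNTS": "add/remove accounts, clear their passwords",
    "android.permission.USE_CREDENTIALS": "request auth tokens for existing accounts",
    "android.permission.GET_ACCOUNTS": "list every account known to the phone",
}
# Other permissions from the article's list that expose phone contents.
DATA_PERMS = {
    "android.permission.READ_SMS": "read SMS/MMS",
    "android.permission.RECEIVE_SMS": "receive incoming SMS",
    "android.permission.READ_CONTACTS": "read contacts, including Exchange-synced ones",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete USB storage contents",
}

# Constructed manifest fragment for illustration only (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def triage(manifest_xml):
    """Sort requested permissions into account-related, data-access, and everything else."""
    report = {"account": {}, "data": {}, "other": []}
    for perm in requested_permissions(manifest_xml):
        if perm in ACCOUNT_PERMS:
            report["account"][perm] = ACCOUNT_PERMS[perm]
        elif perm in DATA_PERMS:
            report["data"][perm] = DATA_PERMS[perm]
        else:
            report["other"].append(perm)
    return report

def blocks_byod_enrollment(report):
    """Assumed policy: any AccountManager permission keeps the app off corporate-linked phones."""
    return bool(report["account"])

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for category in ("account", "data"):
        for name, effect in result[category].items():
            print(f"[{category}] {name}: {effect}")
    print("blocked by policy:", blocks_byod_enrollment(result))
```

The same triage works on a manifest decoded from an installed APK; the point is that the account permissions, not the app’s advertised features, decide whether it belongs on a phone synced to corporate systems.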
The security bulletin released by On The GoWARE states that “this enables Yahoo not only to spy on whatever might be stored on a user’s smartphone, but also on what’s stored within any other accounts tied to the user’s phone. Whether Yahoo is now collecting any of this information, and what they may do with it if they are, is yet to be seen. Just know that after the update they will have the right to by the user’s own permission.”
Of course none of this is breaking news. Look closely at the permissions on the apps for Gmail, Facebook, and Twitter or just about every other Internet giant and one might not only be creeped out but may be downright horrified. Spyware, which was once the bigger terror of the personal computer age, is now routine practice for the largest and richest computer companies around.
“Obviously, millions of people are perfectly OK with this,” said Mike Newman of On The GoWARE, “claiming they have nothing to hide or that they trust the security systems of Google and Microsoft and Yahoo and Sony. And maybe they even like the fact that advertisements and promotions are tailored perfectly towards their own interests. That’s great. Live and let live. Who can judge what a person does with their own phone? But when the device is tied to business information systems, that’s a significant concern.”
Millions of smartphones are connected to the business networks of their own employers. The employee who just upgraded Yahoo Messenger just gave Yahoo access to all of the contacts synced with their corporate Exchange server. Yahoo now has the rights to access all of the other account information stored on the phone. Those same rights are extended to Google or Facebook or LinkedIn if the user has installed any of these apps.
For the last several years, a debate has been raging amongst business mobility strategists about the pros and cons of corporate-liable versus employee-liable mobile devices. The “liable” refers to who pays the bill, but in layman’s terms, corporate-liable means the company owns and controls the phones and issues them to the employees. Employee-liable means the employees own their own phones and are permitted to access corporate systems. This question was always a no-brainer when laptops were the only practical mobile option. Only corporate-liable laptops were permitted to gain access to corporate networks. It was the only way IT could effectively hope to manage the security of their company’s data.
But employee-liable smartphones have been a growing trend for several years. (A) It’s far cheaper for the company, and (B) tech support doesn’t have to listen to how much everyone hates their corporate BlackBerry and wants to get company email on their personal iPhone instead. This trend is coming back to haunt data security professionals in a big way, considering how Internet giants are lobbying hard for all information to be “open,” because open access to information helps Internet giants in their noble cause to be better advertisers.
When asked about the emerging data security threat, Newman explained that “with the mobile security software and systems available today, corporate data confidentiality is hopeless if employee-liable devices of any kind are permitted to be integrated into business networks. As history has shown, even when companies actually do own and issue the devices, they are very difficult to secure.”