January 4, 2018

Compromising Customer Data? There is an app for that!

Let’s play a game. First, ask yourself this question: How many employees at your institution are allowed to access their work email from a personal device, like a cell phone? Next, look in any old email inbox and see how long it takes you to find sensitive or customer data. In many organizations, email winds up containing a treasure trove of sensitive information. From passwords to big spreadsheets containing customer info, you can wind up finding a lot if you take a peek. Now, consider the fact that this information is synchronized to the personal devices of all employees who have that privilege. At a minimum, you are enforcing (hopefully!) the use of device encryption and PIN codes, but a lost or stolen device isn’t the only threat to this data.

On tablets and cell phones, OS permissions protect data from being accessed and abused by other installed apps. These vary between Android and iOS, and in the case of most portable devices, the user grants these permissions. So… any app that asks for access to data can be granted it, such as by installing that new free “Candy Crushing with Flappy Friends” game. To reinforce the point, here is a list of the permissions requested by a very popular Android “messenger” app (which shall remain nameless):


  • find accounts on the device
  • add or remove accounts
  • read your own contact card


  • find accounts on the device
  • read your contacts
  • modify your contacts


  • approximate location (network-based)
  • precise location (GPS and network-based)


  • read your text messages (SMS or MMS)
  • receive text messages (MMS)
  • receive text messages (SMS)
  • send SMS messages
  • edit your text messages (SMS or MMS)


  • directly call phone numbers
  • reroute outgoing calls
  • read call log
  • read phone status and identity


  • read the contents of your USB storage
  • modify or delete the contents of your USB storage


  • read the contents of your USB storage
  • modify or delete the contents of your USB storage


  • take pictures and videos


  • record audio

Wi-Fi connection information

  • view Wi-Fi connections

Device ID & call information

  • read phone status and identity


  • download files without notification
  • receive data from Internet
  • view network connections
  • create accounts and set passwords
  • read battery statistics
  • pair with Bluetooth devices
  • send sticky broadcast
  • change network connectivity
  • full network access
  • change your audio settings
  • control Near Field Communication
  • read sync settings
  • run at startup
  • draw over other apps
  • control vibration
  • prevent device from sleeping
  • toggle sync on and off
  • install shortcuts
  • read Google service configuration

These permissions allow this messenger app to do just about anything with a phone and anything on it. Do you know what apps your users install on their phone with access to work email and what permissions those users are granting? Would you know if a user installed an app from a 3rd party app store that came from a less than reputable source? When allowing users to access email, it is ultimately still the responsibility of the institution to ensure any customer data stored on their personal devices is protected. How do you do this? Here are some suggestions:

  • It all starts with a risk assessment (of course, right?). Make sure your risk assessment adequately covers email access on mobile devices and lists access by malicious apps as one of the risks. This will allow you to determine whether the controls you have in place adequately mitigate the risk to an acceptable level.
  • Be choosy when determining who can get work email on their personal phone or device. If they don’t need it, don’t grant the privilege in the first place.
  • At a minimum, make sure you have a good mobile device policy that conveys to employees the importance of protecting organizational email data. It is also a good idea to have a sign-off for users who will be syncing email, showing they have read and understand the policy.
  • Strongly consider implementing a mobile device management (MDM) solution that will give greater control and visibility into any portable devices accessing sensitive data, including email. An MDM often can enforce app restrictions, prohibit the installation of apps from 3rd party app stores, and can even place email into a separate encrypted container that cannot be accessed by other apps, even if the user grants permissions to see the other email on the device.
  • Make sure mobile device security is part of your ongoing security awareness training.
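To check which of the permission groups listed above an app actually requests, the following added example (not part of the original article) reads a decoded `AndroidManifest.xml` and reports the requests that touch data a synced work mailbox puts on the device. It assumes the manifest has already been decoded to text XML (for example with apktool); the group mapping, the default blocked groups and the sample package are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, prefer the defusedxml package

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to review groups (grouping is this example's assumption).
RISK_GROUPS = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "phone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",  # "draw over other apps"
}

# Constructed sample manifest for a hypothetical game app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flappyfriends">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, blocked_groups=frozenset({"accounts", "contacts", "storage", "overlay"})):
    """Group the requested permissions that fall into a blocked review group."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        group = RISK_GROUPS.get(perm)
        if group in blocked_groups:
            findings.setdefault(group, []).append(perm)
    return findings
```

An empty result means the app requests nothing in the blocked groups; any other result is a candidate for an MDM app restriction or a closer review.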
