If love is in the air at your workplace this Valentine's Day, better take extra steps to protect your network — whether you embrace a BYOD policy or issue company phones.
A study on popular dating applications by Itasca, Ill.-based Flexera Software suggests employees accessing these applications on personal or company-issued phones can expose a company’s sensitive information.
Flexera Software, a software licensing, compliance, security and installation solutions provider, used its AdminStudio Mobile to test 25 popular dating applications available on iOS — from Tinder and Hinge to Coffee Meets Bagel and Grindr.
The Flexera software allows companies to track and manage mobile apps. In this study, the software tested dating apps’ interactions with iOS devices, looking at features like location services, address books, Bluetooth and cameras.
Ken Hilker, product manager at Flexera, said the company looked at dating applications as one example of the many mobile applications, and application behaviors, that companies now encounter in their business.
“So far, the enterprise has kind of just trusted things that come from the store,” Hilker told CMSWire. “They say, ‘Apple looked at it, or Microsoft or Google signed off … It’s in the store. It must be OK.’”
“But every business has very different definitions than Apple and Google and Microsoft may have of what is allowed, what’s good behavior, what’s risky.”
Hilker helps these businesses understand these applications and provides insight on what they want to allow or not allow.
Some places are strict, locking down exactly which applications employees can use, but this is the exception, Hilker says.
Most companies are allowing employees access to the store and applications without considering risks.
Travis Smith, senior security research engineer at Portland, Ore.-based Tripwire, sees companies handling it their own way. “In a BYOD device policy, an organization may have the ability to remotely wipe a phone if stolen, but may lack the ability to remove and/or prevent unapproved apps,” Smith said.
But back to the Flexera survey: The results show that 88 percent of these dating apps can access users’ location services. Grindr, OKCupid and Tinder are included in this mix.
About 60 percent can access social networking apps and texting functions, and 36 percent, including Grindr and OKCupid, can access calendars on a device.
Another 24 percent, including Blendr, Hinge and Tinder, can access users’ address books.
“To me, the big ones are calendar and your address book,” Hilker said.
“I’ve got things in my calendar that may mention company data or may mention certain contacts that I consider private and secure information. But these things I’m just randomly from the store for fun, they’re getting into that and can access that information.”
Some dating apps can also display advertisements, which means they carry code supplied by ad networks to insert the ads, and those ad networks are vulnerable to hacking.
Bluetooth capabilities open up those devices to hacking as well.
According to Flexera, many dating apps support in-app purchasing to unlock bonus features or matches, and company devices may be tied to a company credit card or payment account.
And if employees work somewhere where locations are sensitive — hey, Apple — dating apps are also tracking locations to offer up matches near them.
Other features like sharing functionality, texting and using the phone function on mobile devices can result in leaked company contacts and internal content or non-business expenses. Moreover, a lot of this data is handed off to advertisers.
Protecting the Business
Organizations issuing mobile devices or allowing personal devices to be connected for work can consider testing all apps, mobile or otherwise, that exist on their networks. This way, IT teams can flag any apps that violate company policies, Flexera said.
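One way an IT team could begin flagging apps against policy, as an added example that is not from the article and is not how Flexera's AdminStudio Mobile works: read the privacy usage-description keys each iOS app declares in its Info.plist and compare them with a deny list. The policy set, bundle identifiers and sample manifests are constructed for illustration.

```python
import plistlib

# Apple Info.plist "usage description" keys, grouped by the device features
# the study looked at. A declared key means the app may request the resource;
# it does not prove the app uses it.
FEATURE_KEYS = {
    "location": ("NSLocationWhenInUseUsageDescription",
                 "NSLocationAlwaysUsageDescription",
                 "NSLocationAlwaysAndWhenInUseUsageDescription"),
    "address_book": ("NSContactsUsageDescription",),
    "calendar": ("NSCalendarsUsageDescription",),
    "bluetooth": ("NSBluetoothPeripheralUsageDescription",
                  "NSBluetoothAlwaysUsageDescription"),
    "camera": ("NSCameraUsageDescription",),
    "microphone": ("NSMicrophoneUsageDescription",),
}

# Hypothetical company policy: features a consumer app must not request.
DENIED_FEATURES = {"address_book", "calendar", "microphone"}

def declared_features(info):
    """Return the set of features a parsed Info.plist dict declares."""
    return {feature for feature, keys in FEATURE_KEYS.items()
            if any(key in info for key in keys)}

def audit(manifests, denied=DENIED_FEATURES):
    """Map bundle id -> sorted denied features declared by that app."""
    findings = {}
    for raw in manifests:
        info = plistlib.loads(raw)  # handles XML and binary plists
        bundle_id = info.get("CFBundleIdentifier", "<unknown>")
        violations = sorted(declared_features(info) & set(denied))
        if violations:
            findings[bundle_id] = violations
    return findings

# Constructed sample manifests (not taken from any real app).
SAMPLE_MANIFESTS = [
    plistlib.dumps({"CFBundleIdentifier": "com.example.dating",
                    "NSLocationWhenInUseUsageDescription": "Find matches nearby",
                    "NSContactsUsageDescription": "Invite friends",
                    "NSCalendarsUsageDescription": "Plan a date"}),
    plistlib.dumps({"CFBundleIdentifier": "com.example.notes",
                    "NSCameraUsageDescription": "Scan documents"}),
]

if __name__ == "__main__":
    for bundle_id, violations in audit(SAMPLE_MANIFESTS).items():
        print(f"{bundle_id}: policy-denied features declared: {violations}")
```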
Hilker also suggests tools from the likes of VMware, AirWatch or Microsoft Intune to help monitor and “isolate your applications so that business applications can only talk to applications and consumer public applications can only talk to other consumer public applications.”
“There’s ways of fencing and working around applications,” Hilker said.
Tripwire's Smith said corporate policies are only partly successful. “The problem with policies like these is that they are either ignored or easily forgotten by employees,” he said. “If your organization is worried about end user devices, mobile device management can help enforce corporate security policies.”
Smith said businesses also need to look out for “malicious apps masquerading as valid apps.”
“Typical malicious apps such as these have attempted to steal data local to the phone: email, contact info, etc. However, a targeted attack could detect other devices on the network and attempt to gather data from those. It’s possible to gather data from the microphone and camera as well, opening the possibility of an attacker listening in on confidential conversations.”
As an added measure, according to Smith, it may be worthwhile for workplaces with a BYOD policy to create a separate network for these devices to connect only to the Internet.