A Brazilian app for the Android platform called Rastreador de Namorado -- a.k.a. "Boyfriend Tracker" -- recently attracted enough controversy to be removed from the Google Play store. The app is somewhat self-explanatory; once installed on a target's phone, it can be used to track and spy on him or her.
With Boyfriend Tracker, you can secretly:
- Stalk your target through GPS location tracking
- Check your target's call history
- Forward all your target's sent and received text messages to your own phone
- Force your target's phone to quietly call your own phone, "pocket dial" style, so you can listen in on whatever your target is doing
- Hide the app's icon from appearing on your target's phone if you download the paid version.
What's more, the app's official website (where you can still download the app) boasts that your target's phone need not even have Internet access for the app to work.
Although an egregious example, Boyfriend Tracker is hardly the only app of its kind. Both Google Play and iTunes have numerous tracking apps available, openly marketed to possessive paramours, protective parents, and prying peers.
More troubling than the general concerns about privacy protection are the potential "off-label" uses for these apps -- including using them to threaten an enterprise's data security.
It is axiomatic (or so we might hope) that security software must do more than catch viruses; it must also block tracking apps and any other non-whitelisted software that can remotely intercept data from, or take control of, the device. Tracking software raises several other issues for the vigilant CIO, however.
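The capability list above (GPS tracking, call-history access, SMS forwarding, forced outbound calls, hidden icon) maps directly onto Android permissions and manifest structure, which is one practical way security tooling can flag this class of app before it runs. The following script is an added example, not code from the article or from the app's vendor: it parses an AndroidManifest.xml, reports which stalkerware-style capabilities the declared permissions grant, notes whether the app declares a launcher activity at all, and returns a triage verdict. The permission names and intent-filter constants are real Android framework identifiers; the two manifests, the capability groupings, and the "three or more findings" threshold are constructed for illustration.

```python
"""Heuristic triage of an Android manifest for stalkerware-style capability combinations.

Added example (not the article's or the app vendor's code). The permission and
intent constants are genuine Android framework names; the sample manifests and
the scoring threshold are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spells android:name this way

# Capability described in the article -> permissions that grant it.
CAPABILITIES = {
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "call history": {"android.permission.READ_CALL_LOG"},
    "sms interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "sms exfiltration": {"android.permission.SEND_SMS"},  # works with no Internet
    "silent outbound call": {"android.permission.CALL_PHONE"},
    "audio capture": {"android.permission.RECORD_AUDIO"},
}
REVIEW_THRESHOLD = 3  # constructed: flag when three or more findings stack up


def parse_manifest(xml_text):
    """Return (declared permissions, whether any activity is launcher-visible)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    has_launcher = False
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            categories = {c.get(NAME) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True
    return perms, has_launcher


def assess(xml_text):
    """Score the manifest; a hidden app with many spy capabilities gets 'review'."""
    perms, has_launcher = parse_manifest(xml_text)
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    findings = list(caps)
    if not has_launcher:
        findings.append("no launcher icon")
    score = len(findings)
    return {
        "capabilities": caps,
        "launcher_icon": has_launcher,
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "ok",
    }


# Constructed sample: a tracker that hides itself and asks for the whole spy bundle.
SPYWARE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.tracker">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary maps app with a visible launcher icon.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.maps">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("tracker", SPYWARE_MANIFEST), ("maps", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

Two caveats a practitioner would want. First, the manifest only shows what the app may do, not what it does; a permission scan is triage, and the verdict should feed a human review or dynamic analysis rather than an automatic block. Second, an app can declare a launcher activity and still hide its icon at runtime (the platform lets an app disable its own components), so the "no launcher icon" check catches the lazy version of the paid-tier hiding the article describes, not every version of it.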
Most people, given the chance, will snoop through the data on another person's phone. As reported in Lost Smartphones Rat Out Nosy Finders, 83 percent of people who found lost smartphones used them to try to access proprietary corporate information, a figure that includes people who ultimately offered to return the phones they found.
You can imagine how fast and easy it would be for a do-badder to slip a tracking app or other spyware onto a misplaced phone -- or, for that matter, to do so on a phone when the owner is in another room or not paying attention. It may seem like going overboard to have security policies mandating that employees lock and secure their devices when not in use, and that employees self-report when they fail to do so -- but do you really want to entrust your corporate security to, say, a random hotel maid?
Moreover, mobile IT vulnerabilities need not be direct. Your organization may have the strictest mobile security policies around, and all your employees may follow them to a T. Imagine, however, that one of your senior managers has an embarrassing personal secret or habit, and that a hacker or corporate spy discovers this thanks to a revealing text message that his tracking software just intercepted. Now this senior manager has gone from trusted employee to liability, one who could potentially be extorted into disclosing confidential company data or siphoning corporate funds.
Certainly, you can restrict personal use of company devices -- but to what extent can you secure against potential breaches of key employees' personal devices?
Just as these widely available apps can clandestinely forward basic information such as location data, SMS messages, and Facebook activity, so too can those with evil on their minds deploy malware to intercept emails, mobile banking and payment information, and pretty much anything else on or accessible via your smartphone. Indeed, mobile financial data vulnerabilities present a special question: If a hacker steals and misappropriates a customer's financial information stored or sent on a company's apps or mobile payment systems, what is your company's liability?
To these ends, you must incorporate effective data security into all company practices and policies because you never know who is watching.
— Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.