The Spies Who Eavesdrop on Your Work from Home: Part 2 – Apps

By Rebecca Herold

Last updated: May 17, 2020

In my previous blog post, I described how one of my monthly Privacy Professor Tips readers recently sent me a question about some unusual coincidences where it seemed that home conversations and activities were then known and discussed by workers. When working from home, or mobile working while traveling, it is important to remember that cybercrooks and business competition are actively exploiting the vulnerabilities that are present in most home offices, hotels, restaurants, airports, and a long list of other locations where remote work occurs.

This series of blog posts focuses on four ways in which digital spies enter home offices and mobile working locations, and provides some basic information security and privacy protections you can put in place to close the holes in the digital pathways into your organization that are created by working from home offices and other remote areas.

Part 1 provided an overview of how digital spies come into your work areas through IoT devices. Part 2 now provides an overview of how spies get into your home through apps on phones and other types of computing devices.

Spies get into your home through your phone apps

Most folks now have at least one smart phone. And on those smart phones are usually a large number of apps. Most phone owners have completely forgotten about even downloading most of the apps to begin with. However, even if they are not being used, those forgotten apps are still doing what the often-used apps are also often doing: collecting data from the phone’s contact list, accessing the IDs and passwords stored in the phone, making posts on behalf of the phone user, and controlling the video, camera and audio recorders, all while sharing any or all of the files on the phone with the app providers and all the third parties associated with them.

Here are four basic security and privacy protection actions to take:

Remove all non-essential apps

When speaking about app security and privacy with my clients and at events, I like to start by asking those present to answer this question, without looking at their phone: How many apps do you have on your phone? Then I have them look at their phones and ask: How many apps are actually on your phone? I’ve never had a situation where the answer to the second question was the same as, or less than, the answer to the first question. Typically, people have many times more apps on their phones than they knew about, or remembered. Some websites will download an app without the website visitor realizing it. People also generally forget about an app once they download it. Then, even if they never use it again, the app could still be active: recording all activities on the phone and sending them back to the app vendor; listening to everything in the vicinity, recording it, and sending the recordings back to the app vendor; turning on the video and recording in situations where you may be discussing or doing something confidential, and sharing that with third parties of the app vendor; and a wide range of other possibilities. Remove all apps from your phone that you have not used in more than a month or two, to limit the data leakage through them.

Disable microphone and video access in the app’s security and privacy settings

Some apps you need to use, for work purposes, or to help you navigate when you are driving, or when using delivery services, to pay bills, etc. However, how many of these apps, that you have determined necessary, need to record what you are saying or doing? Many apps ask for access to control the video, microphone and camera even if such access is not necessary to serve the purpose for which you downloaded the app to begin with. Review the settings of all the apps you actively use and turn off the microphone, video, and camera access from the apps where you do not need to have these tools used.

Limit location permissions

When you install most apps, they will require you to give a large amount of access to basically all information on your phone. The location, or GPS, information is almost always in the list of data types to which apps want to get access. This information may seem innocuous, but be aware that app developers will often share your location with third parties, such as companies who develop targeted ads based on your location and interests. This information can also be used to track your whereabouts, and has been used to stalk and assault people. Keep location sharing turned off in apps to limit the number of people who know at any point in time where you are located.
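On an Android phone, the permission review described in the two sections above can be done in bulk from a computer, because `adb shell dumpsys package` prints which permissions each app has been granted. The following is an added example, not part of the original post: it parses a constructed, simplified sample of that output, and the package names and the `NEEDED` map are hypothetical.

```python
import re

# Runtime permissions behind the microphone, camera and location settings.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Map each package to the sensitive capabilities it currently holds."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in SENSITIVE:
            result.setdefault(current, set()).add(SENSITIVE[perm.group(1)])
    return result

def review_list(dumpsys_text, needed):
    """Return (package, capabilities) pairs granted beyond what you decided is needed."""
    findings = []
    for pkg, caps in sorted(granted_sensitive(dumpsys_text).items()):
        extra = caps - needed.get(pkg, set())
        if extra:
            findings.append((pkg, sorted(extra)))
    return findings

# Constructed, simplified sample of `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
Package [com.example.maps] (4d5e6f):
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""
# Hypothetical decision: which capabilities each app genuinely needs.
NEEDED = {"com.example.flashlight": {"camera"}, "com.example.maps": {"location"}}

if __name__ == "__main__":
    for package, extra in review_list(SAMPLE, NEEDED):
        print(f"{package}: turn off {', '.join(extra)}")
```

Each app it reports holds microphone, camera or location access that you did not mark as needed, which makes it a candidate for turning that access off in the phone's settings.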

Use app passwords only with apps

Do not use your social media passwords to authenticate into other apps. App passwords are notoriously vulnerable to capture when using public networks, when using peer-to-peer (P2P) services, and by the app vendors and their third parties. Some people use the same password for everything, using the same passwords on apps that they use to access their bank, work, and other sites. That is a very risky and bad practice. Hackers love to capture those passwords and sell them on the dark net, where they can get rich doing so, and where the cybercrooks purchasing them will then drain your bank accounts, commit identity fraud with your information, or carry out a wide range of other nefarious activities that will be harmful to you, your business, or possibly even your customers, coworkers or patients. Never use any of the same passwords for your apps that you use for your banks, credit card companies, retail stores, social media sites, work sites, etc.

While these four actions will establish a large amount of security and privacy protections on your phone, you still need to do more. Take other actions as applicable to your organization’s type of business. Know and follow your organization’s work from home security and privacy policies and procedures.

If you are responsible for your organization’s policies and procedures, take other actions to ensure employee-owned, as well as organization-owned, IoT devices are appropriately secured, as applicable to your organization’s type of business. Make these actions part of the work from home requirements in your employee work agreements, and incorporate them into your organization’s information security and privacy work from home and mobile working policies and procedures.

The next blog post in this series

Part 3 of this series will provide an overview of how cyber spies get into home and remote offices through wi-fi networks.
