Digital Canary in the Virtual Mine #2: What’s In Your Apps? Prying Eyes Are Ready To Discover . . .

The last time I flapped my wings your way, I tried to make at least enough noise about your mobile phone to make you more than a little bit uncomfortable.  I hope I did.  If enough of us become anxious enough about the known and unknown unknowns and knowns in our mobile phones, then we can start making wise decisions about how to manage that information and its resultant investigations.

Today, I’d like to put a finer point on the last installment’s topic by asking a question that seemed to catch most attendees off-guard at a conference panel that I moderated last week:  is there discoverable personal information in a mobile app?  Our panelists’ answer was a uniform “yes” with one stating that, if he had to choose only one type of data that he could discover from a mobile phone, he’d choose app data.  Why?  Because there’s simply so much of it and because almost all of it is objective – not just user-created like an email – but machine-tracked like GPS, usage duration, log in and log out times, browsed web addresses, browsed actual addresses.  Also, most of us seem to have the idea that data doesn’t actually “stick” to our mobile devices the way it “sticks” to our hard drives.  Maybe there’s a disconnect based on the fact that our phones are mobile so we assume the data is mobile too?  That it “mobilizes” its way out of discoverability?  I’m not sure.  But I know that I was wrong about this too, until I attended the right webinar on a day when I was able to listen.  And I know that when we think we aren’t leaving much of a footprint, we are not terribly careful about where we step.

The truth is that all the data your phone has ever processed is likely still sitting there.  Maybe you can’t see it, but it’s there.  If you, like me, own an iPhone, try this experiment:  go to the App Store and select “Updates”.  Now choose the tab “Purchased” and then “Not On This Phone”.  Each of those “deleted” apps, in whatever short time it was active, requested information from you directly and indirectly and stashed that data on your device.  Later, you decided to “delete” the app and clean it off your phone.  You held down your button until the icons began to shake and you “x’d” it away.  OK.  Why is it still here?  Just like a desktop hard drive, data on your phone is never actually “erased”.  It is simply written over.  But not until the capacity of the drive has been reached and, then, it still isn’t completely gone.  It just isn’t indexed any longer.

Again, why should you be concerned that your apps or your clients’/employees’ apps are discoverable?  Isn’t it just personal, chatty, ephemeral stuff that really doesn’t add up to the cost in obtaining it?  If anyone gets my text messages, can’t I just say that I was informally chatting and not serious and anyway you can’t prove that I was the one who typed it?

Well, actually, the data trail you leave behind with your phone is not the sort of data that can be explained away as a misinterpretation of language. This data, in fact, is arguably even more directly tied to you than a workstation PC.  Either you were the one carrying your phone when you entered your log-in password to check your checking account at 11:57am, just before your GPS tracked you into your bank, and you texted your friend from your contacts while waiting in line for a teller – or someone else just happened to know your credentials, have your phone on their person and know what to say to which of your friends that would fool them into thinking you were texting them.  This is both personal data and objective data.  This data watches your clock, tracks your browsing activity, and follows your footsteps.

If I have your phone and a tool that can examine it, I know where you were, when you were there, who you were talking to, and what you were browsing on the Web.  Oh, and I also know your passwords and other credentials now.  Thank you very much.

Today’s take-away is:  protect yourself by assuming that nothing you do on your phone is any more secure than anything you do on your desktop.  Conduct yourself accordingly.  Educate yourself by attending one of our upcoming free webinars on mobile device discovery.

And start looking today for an affordable and effective tool that will allow you to discover what’s on the other side’s mobile devices.  After all, the best defense is a good offense.
