How many apps do you have installed on your devices? Nowadays, we use apps for almost everything, from communication with others to writing down our shopping lists. However, some apps may represent an inconspicuous danger to your data security (and privacy). Together with Daniel Chromek, Chief Information Security Officer at ESET, we discussed common ways people endanger their data through app services.
What type of data needs protection?
Every day, we deal with our own personal data, but also with the digital information of our employers, employees, co-workers, and clients. While public data may be easily accessible to anyone who searches for it, many types of digital information need to be handled and protected carefully. These include:
Internal data – e.g., internal communication
Confidential data – e.g., ID numbers
Restricted data – e.g., federally protected data
Understanding the differences between public and sensitive data may help you avoid jeopardizing any digital information that ought to remain private. However, the state of data may also change due to personal, professional, or even political reasons, so never handle any type of digital information carelessly.
Roe v. Wade: When data sensitivity increases unexpectedly
When asked whether he can name any example of people not realizing they may be sharing highly sensitive data, Chromek mentions the situation in the U.S. after the decision on Roe v. Wade. Once abortions became potentially illegal in multiple American states, women were warned about using period tracker apps to document their menstrual cycles or sexual life.
Various sources have suggested that these apps can now be used against their users if accessed by law enforcement to uncover possible illegal abortions. As the Washington Post explains, for instance, “in a criminal abortion case, an IP address would be pertinent because, with the help of internet service providers, law enforcement can trace IP addresses back to individuals.” In this case, data that used to be shared without concern, like IP addresses, quickly became sensitive.
Commonly used apps and their risks
Many people skip reading Terms and Conditions – even though it is highly recommended that you go through them before using any new app or signing up for any new service. This is especially true if you plan to use the app to handle not only your own personal information but also work-related materials. Many apps are so commonly used that we may not even think twice about their possible digital security impact. Let’s look at some of the apps that may potentially jeopardize your data safety.
1) Artificial intelligence tools
Advanced machine-learning language models, such as ChatGPT, have been taking over the internet since 2022. At first glance, ChatGPT seems to be a handy instrument that can summarise complex texts, develop new business ideas, or help write a reply to an important email. However, you should be aware that the developers could use each of your entries to upgrade ChatGPT's functionality, and that it collects not only your account details and device information but any data you decide to share. This poses a serious risk, and a ChatGPT data breach has already been confirmed. It was caused by a vulnerability in an open-source library that allowed ChatGPT users to see chat data belonging to other users.
The questionable security of OpenAI's tools has raised worried responses from various authorities. Italy, for instance, banned ChatGPT in March 2023, claiming that "the mass collection and storage of personal data for 'training' the algorithm" has no legal basis. Only a month later, however, Italy lifted the ban after OpenAI changed its data policy to allow users to prevent ChatGPT from using their entries for technology improvements.
Even the tech giant Samsung banned employees from using ChatGPT and other generative AI tools in the workplace. It made the decision after confidential data, including company source code, was leaked online by employees using ChatGPT. The company is now reviewing security measures to create a secure environment for safely using generative AI, and it is reportedly developing its own AI service for employees.
When using ChatGPT, users must remember that entering personal or sensitive information into the chat – be it their own, their employers', or their clients' – may endanger their data security. The best practice is not to share confidential data with generative AI tools, so that it cannot leak online; such a leak can also damage a company's reputation.
2) Free translating apps
Translating apps often have to process a large amount of information to transform it into the final, translated text. “It’s not a problem to translate a specific word, but the problem grows bigger with whole paragraphs and documents. When, for instance, a lawyer enters the contents of a sensitive contract into an insecure translating app, the possible consequences are grave – GDPR data breach, revealing highly sensitive corporate information, and so on,” Chromek explains. Be aware of what type of data you enter into translating applications, and be especially careful about free apps without a license.
3) Format-changing apps
Ever needed to quickly compress a document so it would fit into an e-mail? Or change its format, for instance, into a PDF? One of the common ways to do that is to use an online converting tool or a format-changing app. “All that has been said about translating apps also applies to format-changing apps,” Chromek continues. These services must process potentially sensitive data in uploaded documents, so always remain careful to only use pre-approved apps.
4) Shared calendars
“Shared calendars often include lists of contacts. To share your schedule with someone, you need at least their e-mail address. So, unless they are sufficiently secured, these apps may represent a GDPR issue,” Chromek notes. Additionally, some shared calendars can be rather confusing to their users, so they may be unsure of what data they are sharing with whom: whether they only share their calendar with the people they intended to send it to, such as their coworkers, or whether they have made their schedule visible for any stranger to see.
5) Note-taking apps and diaries
With these apps, it mostly depends on what you want to use them for. If you use note-taking apps just to create shopping lists, there is not as much danger as there could be if you use them to write down notes from your business meetings, or even to store your passwords (for which you should always use a password manager, not any other app). “It also needs to be noted that these apps often enable adding pictures, videos, or voice recording to your notes, which is another chance for data to get leaked,” Chromek adds.
6) Public file-sharing apps
Apart from potentially accessing sensitive information, most public file-sharing apps operate in the cloud. When the cloud provider or your account gets compromised, there is a chance of a data leak. However, some file-sharing apps can be combined with transparent data encryption solutions, which can be recommended to increase your data safety.
7) Messaging apps
Messaging apps often enable a wide range of actions – file sharing, phone calls, video calls, sending texts, voice recordings, etc. As a result, they need lots of permissions on your mobile device, including access to a camera, a microphone, or data in your storage. Additionally, some messaging apps do not encrypt the information they collect, so when they get hacked, the attackers have all the collected data, including sensitive information, within reach.
Chromek further adds: “There is also a difference in what kind of security these apps offer in terms of encryption. Most messengers encrypt data during a transfer through the internet (data in motion); however, some messengers offer additional security using end-to-end encryption, which means that even the messaging app provider cannot decrypt messages, only the communicating parties can.”
8) Remote access apps
Do you need to check on your dog while you’re at work? Or do you want to start the heating before you arrive home? Remote access apps enable you to do so. However, they also work the other way around, and you never know who is managing whom. “Remote access services may become a portal for external agents to enter your device, manage it and steal the data stored in it,” Chromek warns.
Most of the above-mentioned apps share some of the same risks. First of all, the cloud that they use for data storage may not be safe. When they store personal data, these cloud services suddenly become not only your suppliers but also GDPR data processors. We also need to remember that some apps depend on a service behind them, so there is always a risk of service failure. Finally, in order to remain functional, apps need funding.
Free apps only have a few choices for funding their activity: through advertisements, donations, using data for commercial purposes, or selling your data to other services. This only happens if you agree to it – the possibility of data sharing is usually mentioned in the Terms and Conditions that many people skip reading.
Terms of Service: Didn’t Read
This website (and related browser plugin) grades the Terms and Conditions of various apps from A to F. It may not offer a complete overview of an app’s safety, but it can give its readers a better idea about what to expect from an app security-wise.
Always consult your IT or security specialists
To conclude, apps can be helpful in our everyday as well as professional lives, but they all come with their own risks. Without having a background in IT, you may not be able to fully recognize the seriousness of their potential dangers, so it is always recommended that you approach your IT team and/or security team with any new app that you intend to use.
This includes apps that you want to use for professional reasons, but also services that you hope to use just for fun or relaxation and that will be stored on the same device as your work-related files. Your IT team should help you determine whether an app is considered safe in your company, or they may help you come up with a safer option.