How many apps do you have installed on your devices? Nowadays, we use apps for almost everything, from communication with others to writing down our shopping lists. However, some apps may represent a hidden danger to your data security (and privacy). With Daniel Chromek, Chief Information Security Officer at ESET, we discussed common ways people endanger their data through app services.
What type of data needs protection?
Every day, we deal with our own personal data and the digital information of our employers, employees, co-workers, and clients. While public data may be easily accessible to anyone who searches for it, many types of digital information need to be handled and protected carefully. These include:
Internal data – e.g., internal communication
Confidential data – e.g., ID numbers
Restricted data – e.g., federally protected data
Understanding the differences between public and sensitive data may help you avoid jeopardizing any digital information that ought to remain private.
However, the state of data may also change due to personal, professional, or even political reasons, so never handle any digital information carelessly.
Roe v. Wade: When data sensitivity increases unexpectedly
When asked whether he can name any example of people not realising they may be sharing highly sensitive data, Chromek mentions the situation in the U.S. after the decision on Roe v. Wade. Once abortions became potentially illegal in multiple American states, women were warned about using period tracker apps to document their menstrual cycles or sexual life.
Various sources have suggested that these apps can now be used against their users if accessed by law enforcement to uncover possible illegal abortions. As the Washington Post explains, “in a criminal abortion case, an IP address would be pertinent because, with the help of internet service providers, law enforcement can trace IP addresses back to individuals.” In this case, data that used to be shared without concern, like IP addresses, quickly became sensitive.
Commonly used apps and their risks
Many people skip reading the Terms and Conditions – even though it is highly recommended that you go through them before using any new app or signing up for any new service. This is especially true if you plan to use the app to handle not only your own personal information but also work-related materials. Many apps are so commonly used that we may not even think twice about their possible digital security impact. Let’s look at some apps that may potentially jeopardise your data safety.
1) Artificial intelligence tools
Advanced machine-learning language models, such as ChatGPT, have been taking over the internet since 2022. At first glance, ChatGPT seems to be a handy instrument that can summarise complex texts, develop new business ideas, or help write a reply to an important email.
However, you should be aware that the developers could use each of your entries to upgrade ChatGPT's functionality, and that the service collects not only your account details and device information but also any data you decide to share. This poses a serious risk, and a ChatGPT data breach has already been confirmed: it was caused by a vulnerability in an open-source library that allowed users to see chat data belonging to other users.
The questionable security of OpenAI's tools has raised worried responses from various authorities. Italy, for instance, banned ChatGPT in March 2023, claiming that "the mass collection and storage of personal data for 'training' the algorithm" has no legal basis. Only a month later, however, Italy lifted the ban after OpenAI changed its data policy to allow users to prevent ChatGPT from using their entries for technology improvements.
Even the tech giant Samsung banned employees from using ChatGPT and other generative AI tools in the workplace. It made the decision after confidential data, including company source code, was leaked online by employees using ChatGPT. The company is now reviewing security measures to create a secure environment for safely using generative AI, and it is reportedly developing its own AI service for employees.
When using ChatGPT, users must remember that entering personal or sensitive information into the chat – be it their own, their employers', or their clients' – may endanger their data security. The best practice is not to share confidential data with generative AI tools to avoid leaking them online, as that can also damage a company's reputation.
2) Free translating apps
Translating apps often have to process information to transform it into the final, translated text. “It’s not a problem to translate a specific word, but the problem grows bigger with whole paragraphs and documents. When, for instance, a lawyer enters the contents of a sensitive contract into an insecure translating app, the possible consequences are grave – GDPR data breach, revealing highly sensitive corporate information, and so on,” Chromek explains. Be aware of what type of data you enter into translating applications, and be especially careful about free apps without a license.
3) Format-changing apps
Ever needed to quickly compress a document to fit into an e-mail? Or change its format, for instance, into a PDF? One of the common ways to do that is to use an online converting tool or a format-changing app. “All that has been said about translating apps also applies to format-changing apps,” Chromek continues. These services must process potentially sensitive data in uploaded documents, so always take care to use only pre-approved apps.
4) Shared calendars
“Shared calendars often include lists of contacts. You need at least their e-mail address to share your schedule with someone. So, unless they are sufficiently secured, these apps may represent a GDPR issue,” Chromek notes. Additionally, some shared calendars can be somewhat confusing to their users, so they may be unsure of what data they are sharing with whom: whether they only share their calendar with the people they intended to send it to, such as their coworkers, or whether they have made their schedule visible for any stranger to see.
5) Note-taking apps and diaries
The risk of these apps mainly depends on what you want to use them for. If you use note-taking apps to create shopping lists, there is not as much danger as there could be if you employ them to write down notes from your business meetings or even to memorise your passwords (for which you should always use a password manager, not any other app). “It also needs to be noted that these apps often enable adding pictures, videos, or voice recordings to your notes, which is another chance for data to get leaked,” Chromek adds.
6) Public file-sharing apps
Besides potentially accessing sensitive information, most public file-sharing apps operate in the cloud. When the cloud provider or your account gets compromised, there is a chance of a data leak. However, some file-sharing apps can be combined with transparent data encryption solutions, which can be recommended to increase your data safety.
7) Messaging apps
Messaging apps often enable many actions – file sharing, phone calls, video calls, sending texts, voice recordings, etc. As a result, they need lots of permissions on your mobile device, including access to a camera, a microphone, or data in your storage. Additionally, some messaging apps do not encrypt the information they collect, so when they get hacked, the attackers have all the collected data, including sensitive information, within reach.
Chromek further adds: “There is also a difference in what kind of security these apps offer in terms of encryption. Most messengers encrypt data during a transfer through the internet (data in motion); however, some messengers offer additional security using end-to-end encryption, which means that even the messaging app provider cannot decrypt messages; only the communicating parties can.”
8) Remote access apps
Do you need to check on your dog while you’re at work? Or do you want to start the heating before you arrive home? Remote access apps enable you to do so. However, they also work the other way around; you never know who manages whom. “Remote access services may become a portal for external agents to enter your device, manage it and steal the data stored in it,” Chromek warns.
Most of the apps mentioned above share some of the same risks. First, the cloud they use for data storage may not be safe. With personal data storage, these cloud services suddenly become your suppliers and GDPR data processors. We also need to remember that some apps rely on a service behind them, so there is always a risk of service failure. Finally, to remain functional, apps need funding.
Free apps only have a few choices for funding their activity: through advertisements, donations, using data for commercial purposes, or selling your data to other services. This only happens if you agree to it – the possibility of data sharing has usually been mentioned in the Terms and Conditions that many people skip reading.
Terms of Service: Didn’t Read
This website (and related browser plugin) grades the Terms and Conditions of various apps from A to F. It may not offer a complete overview of an app’s safety, but it can give its readers a better idea about what to expect from an app security-wise.
Always consult your IT or security specialists
To conclude, apps can be helpful in our everyday and professional life, but they all come with risks. Without having a background in IT, you may not be able to fully recognise the seriousness of their potential dangers, so it is always recommended that you approach your IT team and security team with any new app that you intend to use.
This includes apps you want to use for professional reasons and services you hope to employ for fun or relaxation, which will be stored on the same device as your work-related files. Your IT team should help you determine whether an app is safe for your company, or they may help you develop a safer option.