A new study out from Bitglass, a data protection company, shows that the software that organizations use to manage ‘bring your own device’ programs could be compromising privacy. Testers at Bitglass installed a handful of popular mobile device management software applications as part of an experiment they called “MDMayhem”. Bitglass conducted the experiment to understand how MDM could be misused and to assess the true extent of access employers have to personal data and user behavior.
Bitglass researchers configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices to decrypt SSL traffic. This configuration, common in enterprise MDM deployments that inspect traffic for malware, enabled researchers to see the contents of employees’ personal email inboxes, social networking accounts and even banking information. Notably, the usernames and passwords used to log into sensitive accounts, including personal banking accounts, were transmitted through the corporate network in plain text once the proxy had decrypted them. MDM also gave the Bitglass team visibility into users’ app downloads and browsing history, which exposed sensitive search queries, including several health-related searches.
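The mechanism described above (a corporate root certificate installed on the device, so that a proxy can mint its own certificate for any site and decrypt the session) is exactly what certificate pinning in an app defeats: a pinned app trusts only a specific issuer's public key, not whatever the device trust store happens to contain. The example below is an added illustration, not code from Bitglass or from the article; it uses the `cryptography` library to build two constructed certificate hierarchies in memory (a "public" CA and a "corporate inspection" CA, both hypothetical) and shows a pin check accepting the genuine chain and rejecting the proxy-minted one for the same hostname.

```python
"""Certificate pinning check versus a TLS-inspecting proxy (added example).

Two constructed hierarchies: a public CA that a site legitimately uses, and a
corporate inspection CA of the kind an MDM profile installs so a proxy can
decrypt TLS. A device that trusts the corporate root accepts both chains; an
app that pins the public CA's SubjectPublicKeyInfo hash accepts only the
genuine one. All names, hostnames and hashes here are constructed.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "mail.example.com"  # constructed hostname


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(common_name):
    """Self-signed CA (EC P-256 for speed). Returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """End-entity certificate for `hostname`, signed by the given CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def spki_sha256(cert):
    """Hex SHA-256 of the DER SubjectPublicKeyInfo, the value pins are usually stored as."""
    der = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    return hashlib.sha256(der).hexdigest()


def signed_by(cert, issuer_cert):
    """True if `cert`'s signature verifies under `issuer_cert`'s public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
        return True
    except InvalidSignature:
        return False


def pin_check(leaf, issuer, pinned_spki):
    """Accept the presented (leaf, issuer) pair only if the issuer is pinned and
    actually signed the leaf. Installing an extra root on the device does not
    help an interceptor here: that root's SPKI hash is not in the pin set."""
    return spki_sha256(issuer) in pinned_spki and signed_by(leaf, issuer)


def demo():
    """Returns (genuine_chain_accepted, proxy_minted_chain_accepted)."""
    public_key, public_ca = make_ca("Constructed Public Root CA")
    corp_key, corp_ca = make_ca("Constructed Corporate Inspection CA")
    pinned = {spki_sha256(public_ca)}

    genuine_leaf = issue_leaf(public_key, public_ca, HOST)
    # The inspecting proxy mints its own certificate for the same hostname on the fly.
    intercepted_leaf = issue_leaf(corp_key, corp_ca, HOST)

    return (
        pin_check(genuine_leaf, public_ca, pinned),
        pin_check(intercepted_leaf, corp_ca, pinned),
    )


if __name__ == "__main__":
    ok, mitm = demo()
    print("genuine chain accepted:", ok)        # True
    print("proxy-minted chain accepted:", mitm)  # False
```

The flip side for an organization is the same check seen from the proxy: an app that pins correctly simply fails to connect through an inspecting proxy rather than leaking its traffic, so pinned apps are the ones an MDM-based inspection setup cannot see into, and a pin-rejection rate in app logs is a usable signal that such a proxy is present.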
“We were surprised about the extent of the data we were able to see,” Salim Hafid, product manager for Bitglass, tells CivSource. “I think anyone who puts one of these programs on their devices intuits a certain level of knowledge like say GPS data, but we were able to see all of the traffic and get searches and passwords in plain text. That’s a huge privacy problem on several levels.”
Third-party apps were also susceptible to packet sniffing. Even on iOS, where some believe app sandboxing limits employer visibility into user behavior, researchers were able to intercept personal communications sent through widely-used apps, including Gmail and Messenger.
The MDM solutions tested could force GPS to remain active in the background without notifying the user, pinpointing the locations of managed devices in real time while draining battery power in the process. Location data also revealed user habits – where employees went after work, where they traveled on weekends, how frequently they visited their local supermarkets, and more.
Also surprising was that these programs gave employers the ability to use their credentials to log in to personal devices and wipe them, while device owners would have no recourse to prevent data loss or recover data that wasn’t backed up.
Even without knowing all of the details Bitglass found, employees have been pushing back on the use of MDM programs. According to the report, 57 percent of those who participated in a recent Bitglass survey said they wouldn’t use MDM because of privacy concerns and poor app performance. “The problem for organizations when employees refuse MDM is that they will then use less secure platforms to access corporate email servers or files, which can leave companies vulnerable if sensitive information is being shared,” Hafid adds. “But on the flip side, employees have equally valid concerns about the privacy of their personal use habits, especially if it is a device they pay for.”
According to Bitglass’ most recent BYOD report, 67 percent of employees would participate in a BYOD program if employers could not view or alter personal data and applications.