How mobile app privacy risks impact the federal government

Mobile applications play a major role in digital transformation of federal government agencies. Although mobile apps benefit government work in terms of convenience, efficiency and communication, privacy and security risks grow in parallel. Public-sector leaders may be unaware of the potential harm a seemingly safe mobile application could bring if left unchecked.

Recently, the Canadian coffee chain Tim Hortons was in the spotlight for secretly tracking and storing user geolocation data even while the app was closed. Representatives with Tim Hortons maintain the collected data was simply for marketing and completely unidentifiable. But investigators say the approach was akin to mass surveillance as the collected data could infer highly specific user habits.

The incident highlights the fact that thousands of mobile apps have serious privacy and security vulnerabilities. If an app ships with such vulnerabilities, threat actors could track specific individuals, and nation states could capture classified intelligence. This type of tracking poses a serious risk to those working in classified government or military positions.

The hidden risks of seemingly secure mobile apps

While Tim Hortons fully understood how user mobile app data was collected and stored, other organizations with mobile apps put users in dangerous situations due to unknown privacy and security issues.

  • In 2021, the popular ParkMobile app, used by many local governments for on-street and garage parking, exposed the license plate numbers and phone numbers of more than 21 million users.
  • In 2019, the Kilswitch/APASS software used by Marines and sailors enabled threat actors and foreign adversaries to access sensitive military location data.

In the business world, mobile app vulnerabilities can lead to brand damage, customer frustration and financial penalties. In government the stakes are higher because mobile apps can jeopardize national security and endanger lives. Government leaders need to get serious about privacy and security of the mobile apps their workers use.

Shield government data by vetting mobile apps

In a bring-your-own-device world, employees often practice bring-your-own-apps (BYOA), which, without proper guidelines, puts those employees, their agency and citizen data at risk. Government officials must consider the consequences of employees using unvetted mobile apps, especially for those working on sensitive or classified assignments.

As part of a mobile app vetting program, agencies can use commercial app vetting solutions and leverage recent additions from Apple and Google. Apple has added an App Privacy Report to Apple App Store listings that developers must submit with their apps, self-attesting to how they handle private data. And now Google Play has added a data safety section where developers disclose how they handle private data. Google has gone a step further by adding an optional independent security review badge where Android developers can receive validation by an approved third-party authorized lab.

Agencies should, at a minimum, review these privacy and data safety disclosures for all mobile apps they use today or consider using in the future. As mobile activity continues to grow within government, officials must recognize that risks will rise in parallel. Vetting mobile apps for security and privacy vulnerabilities before allowing their use safeguards sensitive data. Government leaders should also stay updated on the latest mobile breach news and leverage industry benchmarks to familiarize themselves with the evolving threat landscape.
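The store disclosures described above are self-attested, so a vetting program usually pairs them with a check of what the app actually requests. The following is an added illustration, not code from the article or from NowSecure: it parses a constructed AndroidManifest.xml, lists the permissions the app declares, and flags any that a hypothetical agency policy treats as high-risk, with background location (the behaviour at the centre of the Tim Hortons case) as the headline item. The manifest, the app package name and the policy table are all assumptions made up for the example; the permission names themselves are real Android permissions.

```python
"""Minimal Android manifest permission review for an app-vetting workflow.

Added example, not the article's or NowSecure's code. It parses a constructed
AndroidManifest.xml, lists declared permissions, and flags those a
hypothetical agency policy treats as high-risk (e.g. background location).
"""
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace (real value used by every manifest).
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed example manifest: a hypothetical loyalty app that requests
# foreground and background location plus a few other permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loyalty">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <application android:label="Loyalty" />
</manifest>
"""

# Hypothetical agency policy: permissions that block approval unless a
# documented business justification exists. The names are real Android
# permissions; the policy itself is an assumption for this example.
HIGH_RISK_PERMISSIONS = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location collected while the app is closed",
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.READ_SMS": "SMS content access",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The element tag is unnamespaced; only the attribute carries the namespace.
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review_manifest(manifest_xml: str, policy=None) -> dict:
    """Compare requested permissions with the policy and produce a verdict.

    Returns the full permission list, the flagged subset with the policy
    reason for each, and an 'approved' flag that is False whenever any
    high-risk permission is present.
    """
    if policy is None:
        policy = HIGH_RISK_PERMISSIONS
    perms = requested_permissions(manifest_xml)
    flagged = {p: policy[p] for p in perms if p in policy}
    return {"permissions": perms, "flagged": flagged, "approved": not flagged}


if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print("Requested:", ", ".join(result["permissions"]))
    for perm, reason in result["flagged"].items():
        print("FLAG %s: %s" % (perm, reason))
    print("Approved for agency use:", result["approved"])
```

In practice the manifest would be extracted from the APK under review rather than embedded, and a flagged result would open a justification review rather than an automatic rejection; the point is that requested permissions give a verifiable counterpart to the developer's self-attested disclosure.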

Brian Reed is chief mobility officer at NowSecure.