Mobile applications play a major role in digital transformation of federal government agencies. Although mobile apps benefit government work in terms of convenience, efficiency and communication, privacy and security risks grow in parallel. Public-sector leaders may be unaware of the potential harm a seemingly safe mobile application could bring if left unchecked.
Recently, the Canadian coffee chain Tim Hortons was in the spotlight for secretly tracking and storing user geolocation data even while the app was closed. Representatives with Tim Hortons maintain the collected data was simply for marketing and completely unidentifiable. But investigators say the approach was akin to mass surveillance as the collected data could infer highly specific user habits.
The incident highlights the fact that thousands of mobile apps have serious privacy and security vulnerabilities. If the mobile app included vulnerabilities, threat actors could easily track specific individuals or nation states could capture classified intelligence. This type of tracking could be a serious risk to those working in classified government or military positions.
The hidden risks of seemingly secure mobile apps
While Tim Hortons fully understood how user mobile app data was collected and stored, other organizations with mobile apps put users in dangerous situations due to unknown privacy and security issues.
In 2022, mobile apps built by athletic social networking company Strava exposed Israeli military personnel location and movements. Strava dealt with a similar situation in 2018 when researchers found Strava mobile apps publicly shared the private geolocation data of U.S. personnel and military staff working in sensitive locations.
In 2021, the popular ParkMobile app used by many local governments for on-street and garage parking breached license plate and phone numbers of more than 21 million users.
In 2020, vulnerabilities within the beer rating mobile app Untappd allowed security experts to track the movements of military and intelligence personnel. The mobile app enabled them to steal sensitive photos with private government information and even revealed a secret CIA base.
In 2019 Kilswitch/APASS software used by Marines and sailors enabled threat actors and foreign adversaries to access sensitive military location data.
In the business world, mobile app vulnerabilities can lead to brand damage, customer frustration and financial penalties. In government the stakes are higher because mobile apps can jeopardize national security and endanger lives. Government leaders need to get serious about privacy and security of the mobile apps their workers use.
Shield government data by vetting mobile apps
In a bring-your-own-device world, employees often practice bring-your-own-apps (BYOA) that without proper guidelines put those employees, their agency and citizen data at risk. Government officials must consider the consequences of employees using unvetted mobile apps, especially for those working on sensitive or classified assignments.
As part of a mobile app vetting program, agencies can use commercial app vetting solutions and leverage recent additions from Apple and Google. Apple has added an App Privacy Report to Apple App Store listings that developers must submit with their apps, self-attesting to how they handle private data. And now Google Play has added a data safety section where developers disclose how they handle private data. Google has gone a step further by adding an optional independent security review badge where Android developers can receive validation by an approved third-party authorized lab.
Agencies should, at a minimum, review these privacy and safety information items for all mobile apps they use today or consider using in the future. As mobile activity continues to grow within government, officials must recognize risks will rise in parallel. Vetting mobile apps for security and privacy vulnerabilities before allowing their use safeguards sensitive data. Government leaders should also stay updated on the latest mobile breach news and leverage industry benchmarks to familiarize themselves with the evolving threat landscape.
Brian Reed is chief mobility officer at NowSecure.
How mobile app privacy risks impact the federal government
Although mobile apps benefit government work in terms of convenience, efficiency and communication, privacy and security risks grow in parallel.
Mobile applications play a major role in digital transformation of federal government agencies. Although mobile apps benefit government work in terms of convenience, efficiency and communication, privacy and security risks grow in parallel. Public-sector leaders may be unaware of the potential harm a seemingly safe mobile application could bring if left unchecked.
Recently, the Canadian coffee chain Tim Hortons was in the spotlight for secretly tracking and storing user geolocation data even while the app was closed. Representatives with Tim Hortons maintain the collected data was simply for marketing and completely unidentifiable. But investigators say the approach was akin to mass surveillance as the collected data could infer highly specific user habits.
The incident highlights the fact that thousands of mobile apps have serious privacy and security vulnerabilities. If the mobile app included vulnerabilities, threat actors could easily track specific individuals or nation states could capture classified intelligence. This type of tracking could be a serious risk to those working in classified government or military positions.
The hidden risks of seemingly secure mobile apps
While Tim Hortons fully understood how user mobile app data was collected and stored, other organizations with mobile apps put users in dangerous situations due to unknown privacy and security issues.
Join WTOP the week of Apr. 22 for an exclusive series bringing together government and industry experts to share initiatives and insights about efforts to transform the nation's energy infrastructure. | Register today!
In the business world, mobile app vulnerabilities can lead to brand damage, customer frustration and financial penalties. In government the stakes are higher because mobile apps can jeopardize national security and endanger lives. Government leaders need to get serious about privacy and security of the mobile apps their workers use.
Shield government data by vetting mobile apps
In a bring-your-own-device world, employees often practice bring-your-own-apps (BYOA) that without proper guidelines put those employees, their agency and citizen data at risk. Government officials must consider the consequences of employees using unvetted mobile apps, especially for those working on sensitive or classified assignments.
As part of a mobile app vetting program, agencies can use commercial app vetting solutions and leverage recent additions from Apple and Google. Apple has added an App Privacy Report to Apple App Store listings that developers must submit with their apps, self-attesting to how they handle private data. And now Google Play has added a data safety section where developers disclose how they handle private data. Google has gone a step further by adding an optional independent security review badge where Android developers can receive validation by an approved third-party authorized lab.
Agencies should, at a minimum, review these privacy and safety information items for all mobile apps they use today or consider using in the future. As mobile activity continues to grow within government, officials must recognize risks will rise in parallel. Vetting mobile apps for security and privacy vulnerabilities before allowing their use safeguards sensitive data. Government leaders should also stay updated on the latest mobile breach news and leverage industry benchmarks to familiarize themselves with the evolving threat landscape.
Brian Reed is chief mobility officer at NowSecure.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Customs and Border Protection creates a mobile app for mobile people
Mobile app gives soldiers, civilians digital information about bases
Mobile apps, services have changed so the government’s approach is too