Skype gives away private data from Android, gives IT a teachable moment

'Proof of Concept' exploit may teach users more about security than you can


Private VoIP and chat apps are good for companies with highly mobile workforces for the same reason and because they create semi-private social networks employees can use to reach each other more easily.

The same speed and flexibility that give smartphones great potential put them in a position to do a lot of harm, as well.

IT people don't forget that. The likelihood they'll lose their jobs if it happens tends to keep the risk high in their thoughts.

Pressure from end users, gushing praise from tech bloggers (me included) who see the potential of consumerized IT but don't have much on the line when it fails, and a constant flush of new products and services from phone makers tend to trump the instinctual reservations most IT people have about letting brand-new technology drink from pools of sensitive data.

This is a good warning not to let that happen.

If you need to make the point that smartphone apps can be insecure if you don't set them up correctly (if the end users are in too big a hurry), download Case's proof of concept exploit (bottom of the page) and show one of your execs how much data you can pull off a phone.

Do it with him or her in the room so they know you're not looking in their chat files. You probably already know about the chats they'd be embarrassed to make public, but there's no reason to rub their noses in it.

Don't slow down the BYOT or handheld adoption that's already going on, if you can possibly avoid it.

Instead make yourself the expert source users can turn to, by checking out the most popular apps with your systems to identify any security holes.

Patch those, publish a list of safe apps, and users will mostly stick to that list. They'll try a bunch of apps you haven't checked; most will delete those eventually and stick to the ones you've declared to be safe.

They don't want to lose their data, either, or look stupid by using a rogue app instead of a sanctioned one for the same purpose and causing a big security headache.

That would get them fired, too. And maybe, if you've done enough to establish you're trying to check and certify a wide enough variety of apps, give users enough choice and generally take advantage of the free(ish) resources out there, even if there's a big security problem, the axe will fall on someone else instead of you.
