September 18, 2012, 2:00 PM — When CIOs worry about the Bring Your Own Device (BYOD) trend, one of the things that most concerns them is their lack of control over mobile apps. Rogue apps packing malware are a major concern, but many malware-free apps pose risks too.
Even in curated marketplaces, mobile apps can be ridiculously intrusive. Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users' address books.
At the time, many security experts warned that this was the tip of the iceberg, and a recent study by Appthority, a provider of mobile security solutions, found that free apps are particularly risky because it was discovered they have the ability to access sensitive info.
That's bad enough, but what if the app uploads a sales representatives' contact list and the developer then sells it to a competitor? That's a new type of data leakage that most organizations aren't ready for.
We Won't Let Workers Anywhere Near the AppStore
Despite the risks, Illinois-based Riverside Medical Center believed they had no choice when it came to BYOD. Trying to simply prohibit end-user devices would be counterproductive. "For a hospital like ours, BYOD is a marketing issue as much as it is a security one," said Erik J. Devine, Riverside MC's CISO. "If doctors can't use their tablets or smartphones at this hospital, they'll start checking their patients into other ones."
In order to take part in the BYOD program, end users must agree that Riverside MC has the right to remotely wipe the device if any problems arise. That could mean wiping a user's photos or personal emails, but that's the risk users must take if the enterprise is going to cope with BYOD risks.
For corporate-owned devices, of course, risks are easier to manage. "If we decide to purchase an iPad for someone, when it's a pure work tool, you can't even get to the AppStore," Devine said. Good luck telling that to someone shelling out $150/month on an expensive data plan.