Privacy & Security for Mobile Apps: Best Practices

Overview

Many of todays mobile applications, including social media platforms, gather and share users’ private and personal information. As the usage of mobile apps continues to grow, the need to adopt best practices in data security and privacy is more important than ever. Many of these apps pose significant security risks. It is important for users to be aware of and consider these risks when downloading and using apps on personal or University owned devices.

This document explains some of the risks, what to watch out for and how to reduce the risk to you and the University. 

Background

Smartphone applications can pose significant security and privacy risks because of how they collect and share data. If these apps are installed and running on devices used to access Lakehead data, these risks can extend to the University.
It is important for faculty, staff and students to be aware of the security and privacy issues and learn how to reduce the risks.

Risk Considerations

When you install software, like social media apps, on your mobile devices, you allow these companies to access your phone's data. This includes contact lists, photos, videos, and even your location information. While you may be able to deny these permissions explicitly, you might not always have that option to use the apps to their fullest potential.

Here are some risks that could impact you:

• Identity theft - Many people consider their personal social media presence to be private. However, attackers can use personal information shared on these apps to impersonate you and access confidential data, such as bank account information. This is a powerful tool for those looking to commit financial fraud.
• Privacy concerns - Depending on your privacy settings, personal information and communications posted on social media can be accessed by unintended readers or recipients.
• Data leakage - The apps you install may contain spyware, resulting in leakage of your important information, including credit card numbers, personal photos or stored passwords.
• Information sharing - Apps may collect your personal information in the background, such as where you shop, what you search or your travel patterns, and share it with marketing firms or other agencies without your knowledge.

How apps on work devices impact the University

Since most of these apps, especially those on personal devices, are not vetted by the University’s information security teams, they may contain vulnerabilities that could be exploited and result in security incidents.
• Due to the data collection and sharing policies of these apps, the University’s confidential information is at risk of exposure to unauthorized users, which may result in reputational and privacy impacts to you, your colleagues, your students and the broader University.
• These applications may be an entry point for social-engineering attacks such as phishing and ransomware, which may put the University, its community members and their data at risk.

What you can do

There are many valid reasons to use this software, but you can lower the risk by becoming aware of the potential vulnerabilities to you and the University.

Four quick tips to consider for each of your apps:

1. Do a quick search: Before downloading a new app, check if there are any known privacy and security concerns associated with it.
2. Pause before granting permission: Be cautious about what permissions you are giving to the app and determine what data should not be disclosed when you sign up.
3. Review the terms & conditions: Read the applications’ privacy policies and terms and conditions to be aware of their data-collection and sharing policies.
4. Consider the source: Download apps from trusted sources like Apple App Store or Google Play to limit the risk of spyware and other vulnerabilities which may lead to cybersecurity attacks.

If you use Social Media platforms or other mobile applications for official Lakehead University functions:

1. If you can, use the application on a dedicated device
2. Do not access important Lakehead systems or high risk data from the same device as the app(s)
3. Do not use your Lakehead credentials when signing up for the apps

References

• Use of Social Media in the Workplace - Canadian Centre for Cyber Security
• Privacy and social media in the workplace – Office of the Privacy Commissioner of Canada