How IT can spy on your smartphone

iOS and Android shield most data you care about from IT -- but users seem to care less about privacy these days

How IT can spy on your smartphone
Credit: Shutterstock/Wikimedia/Stephen Sauer

I recently applauded MobileIron for providing a tool in its mobile device management (MDM) client app that lets users see what IT is monitoring on their iOS and Android devices. User privacy is as important as corporate security, and the spy culture epitomized by the NSA, GCHQ, China, Google, Facebook, and so on has gotten way out of hand.

So what can your employer see about you on your smartphone if you let IT manage that device through an MDM tool?

iOS shields most personal data from IT

On an iPhone or iPad, Apple's iOS restricts IT's visibility, so your private data stays private.

A global survey of more than 3,500 mobile users conducted by MobileIron shows that the majority of the data that people are most concerned about shielding from IT are in fact shielded by iOS. Of the data that respondents especially wanted to keep private, in iOS IT can see only your full list of apps. If you give IT permission, it can see your location. Respondents' other sensitive areas are shielded: personal email, personal contacts, texts, voicemails, phone and Internet usage details, and data stored in apps.

As Ojas Rege, MobileIron's VP of strategy, notes, IT can't see your personal email or email attachments, personal contacts, personal calendar, texts, photos, videos, personal Web browsing activities, or voicemails. The data in your apps is also shielded from IT unless the app sends data to a corporate server, such as for a time sheet or expense report app. Note that corporate-managed cloud services like Google Apps and Office 365 give IT visibility into your apps'  usage and data.

IT can see anything in your corporate email, contacts, and calendar since it manages those servers, and it can see your Web activities conducted on its network since it can snoop that traffic.

Rege also notes that IT can see what apps you have installed (not only those deployed by IT), your battery level, your storage capacity and amount used, your phone number and its hardware ID (called an IMEI), your carrier and country, and your device's model and OS version. Plus, if you give IT permission to do so, it can track your location (iOS forces apps and websites to ask for your permission first, so they can't do it secretly).

Android shields almost as much as iOS does, but IT can change that

The default situation for Android users is slightly less private than for iOS users. The big difference involves location information access. iOS asks you when an app first requests access, and it lets you revoke the access at any time in the Settings app. Android asks when you install an app and does not let you revoke the permissions later; however, the forthcoming Android M changes that, working like iOS.

But Sean Ginevan, senior director for strategy at MobileIron, notes that the Android OS gives application developers permissions that could expose your personal data if enabled in any app you install. Thus, you can't be sure what apps might be gathering such data and sending it to IT, a legitimate vendor, or a fraudster. Fortunately, Android M's iOS-like permissions model should help uncover such access.

MDM client apps typically don't see that data, but a company that wants to monitor your text messages, Web history, and voicemails could install a (perhaps hidden) app on your Android device to pull that information from the device. (Ginevan notes that MobileIron's MDM tool does not gather Web history or voicemails, though one of its admin settings lets IT enable SMS archiving, which then gives IT access to your texts.)

For maximum privacy protection in Android, use the new Android for Work container, or similar containers such as Samsung Knox, to have all corporate apps, email, calendars, contacts, and so on run in a separate environment on your Android device. That way, you won't accidentally mix personal data into corporate systems, and any spyware your employer may have installed is restricted to the data and apps stored in that corporate container. (iOS runs all apps in their own containers, which keeps spyware limited to the device's public services that an MDM tool already has access to.)

We're getting less worried about our private information

But the MobileIron survey showed two troubling trends: Users are getting more comfortable in IT seeing personal data, and younger adults are more comfortable than older adults in having personal data visible to their employers. In other words, we're getting used to being spied on -- perhaps even resigned to it.

For example, a similar 2013 survey showed that 66 percent of adults did not want their company seeing their personal emails; the 2015 survey showed that 52 percent felt that way. There were similar drops in all categories.

Younger adults (in the survey, that meant men 35 years and younger, and both men and women with children under 18 years of age) were more accepting of personal data on their mobile devices being visible to their employers. Generally, they were less concerned by about 10 percent. In the case of personal emails, 34 percent of young adults surveyed were comfortable with IT seeing personal emails, versus 22 percent for all adults surveyed.

I guess that's what happens when you grow up with Facebook, where public exposure is the norm.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.