How mobile device management could be invading your privacy
Many companies now turn to mobile device management (MDM) to control and monitor their employees' mobile use. But a new study from data protection company Bitglass reveals that MDM itself represents a threat to privacy.
Bitglass researchers configured MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices to decrypt SSL traffic. This configuration, common in enterprise MDM deployments as a way to inspect traffic for malware, enabled researchers to see the contents of employees' personal email inboxes, social networking accounts and even banking information.
More troubling, the usernames and passwords used to log into sensitive accounts, including personal banking accounts, were transmitted through the corporate network in plain text. MDM also gave the Bitglass team visibility into users' app downloads and browsing history, which exposed sensitive search queries, including several health-related searches.
The study also finds that third-party apps are susceptible to packet sniffing. Even on iOS, where some believe app sandboxing limits employer visibility into user behavior, researchers were able to intercept personal communications sent through widely used apps, including Gmail and Messenger.
The study also found that the MDM solutions tested could keep GPS location active without the user's knowledge, allowing employers to track locations even outside working hours.
"The invasion of privacy by MDM is a key reason that there are two billion mobile devices on the planet, but only a few million devices managed by MDM", says Nat Kausik, CEO of Bitglass. "IT leaders looking to enable BYOD must focus on a data-centric, agentless approach that respects user privacy".
The full report is available to download from the Bitglass website.