How many apps do you have installed on your devices? We use apps for almost everything, from communication with others to writing down our shopping lists. However, some may be a threat to your data security and personal privacy. Together with Daniel Chromek, Chief Information Security Officer at ESET, we discuss common ways people endanger their data through app services.
What type of data needs protection?
Each day, we deal with not only our own personal data but also the digital information of our employers, employees, co-workers and clients. While public data may be easily accessible to anyone who searches for it, many types of digital information need to be handled and protected carefully. These include:
Internal data – i.e., internal communication
Confidential data – i.e., ID numbers
Restricted data – i.e., federally protected data
Understanding the differences between public and sensitive data may help you avoid jeopardizing any digital information that ought to remain private. However, the state of data may also change due to personal, professional, or even political reasons, so never handle any type of digital information carelessly.
Roe v. Wade: When data sensitivity increases unexpectedly When asked for examples of people not realizing they may be sharing highly sensitive data, Chromek mentioned the situation in the U.S. after the decision on Roe v. Wade. Once abortions became potentially illegal in multiple American states, women were warned about using period tracker apps to document their menstrual cycles. Various sources have suggested that these apps can now be used against their users if accessed by law enforcement to uncover possible illegal abortions. As the Washington Post explains, “in a criminal abortion case, an IP address would be pertinent because, with the help of internet service providers, law enforcement can trace IP addresses back to individuals.” In this case, data that used to be shared without concern, like IP addresses, quickly became sensitive.
Commonly used apps and their risks
Many people skip reading the Terms and Conditions – even though it is highly recommended that you go through them before using any new app or signing up for any new service. It's particularly important if you plan to use the app to handle not only your own personal information but also work-related materials. Many apps are so commonly used we may not even think twice about their possible digital security impact. Here are some apps that may potentially jeopardize your data safety.
1) Artificial intelligence tools
Advanced machine-learning language models, such as ChatGPT, have been taking over the internet since 2022. At first glance, ChatGPT seems to be a handy instrument that can summarize complex texts, develop new business ideas, or help write a reply to an important email.
However, you should be aware that the developers could use each of your entries to upgrade ChatGPT's functionality, and it collects not only your account details and device information but any data you decide to share. This poses a serious risk and ChatGPT data breach was already confirmed. It was caused by a vulnerability in an open-source library that allowed ChatGPT users to see chat data belonging to other users.
The questionable security of OpenAI's tools has raised worried responses from various authorities. Italy, for instance, banned ChatGPT in March 2023, claiming that "the mass collection and storage of personal data for 'training' the algorithm" has no legal basis. Only a month later, however, Italy lifted the ban after OpenAI changed its data policy to allow users to prevent ChatGPT from using their entries for technology improvements.
Even the tech giant Samsung banned employees from using ChatGPT and other generative AI tools in the workplace. It made the decision after confidential data, including company source code, was leaked online by employees using ChatGPT. The company is now reviewing security measures to create a secure environment for safely using generative AI, and it is reportedly developing its own AI service for employees.
When using ChatGPT, users must remember that entering personal or sensitive information into the chat – be it their own, their employers', or their clients' – may endanger their data security. The best practice is not to share confidential data with generative AI tools to avoid leaking them online, as that can also damage a company's reputation.
2) Free translating apps
Translating apps often have to process a large amount of information to transform it into the final, translated text. “It’s not a problem to translate a specific word, but the problem grows bigger with whole paragraphs and documents. When, for instance, a lawyer enters the contents of a sensitive contract into an insecure translating app, the possible consequences are grave – GDPR data breach, revealing highly sensitive corporate information, and so on,” Chromek explains. Be aware of what type of data you enter into translating applications, and be especially careful about free apps without a license.
3) Format-changing apps
Ever needed to quickly compress a document so it would fit into an email? Or change its format, for instance, into a PDF? One of the common ways to do that is with an online converting tool or a format-changing app. “All that has been said about translating apps also applies to format-changing apps,” Chromek continues. These services must process potentially sensitive data in uploaded documents, so always remain careful only to use pre-approved apps.
4) Shared calendars
“Shared calendars often include lists of contacts. To share your schedule with someone, you need to have their email address. So, unless they are sufficiently secured, these apps may represent a GDPR issue,” Chromek notes. Additionally, some shared calendars can be confusing to their users, so they may be unsure of what data they are sharing with whom. They may not know whether their calendar is visible only to people they intend to share it with, or whether it's available for any stranger to see.
5) Note-taking apps and diaries
If you use note-taking apps just to create shopping lists, there's not as much risk as there could be with using them to store notes from your business meetings or keeping a list of passwords. For the latter, you should always use a password manager, not any other app. “Note that these apps often enable adding pictures, videos, or voice recording to your notes, which is another chance for data to get leaked,” Chromek said.
6) Public file-sharing apps
Apart from potentially accessing sensitive information, most public file-sharing apps operate in the cloud. When the cloud provider or your account gets compromised, there is a chance of a data leak. However, some file-sharing apps can be combined with transparent data encryption solutions to increase your data safety.
7) Messaging apps
Messaging apps often enable a wide range of actions – file sharing, phone calls, video calls, sending texts, voice recordings, etc. As a result, they need lots of permissions on your mobile device, including access to a camera, a microphone, or data in your storage. Additionally, some messaging apps do not encrypt the information they collect, so when they get hacked, the attackers have access to everything. Chromek adds: “There is also a difference in what kind of security these apps offer in terms of encryption. Most messengers encrypt data during a transfer through the internet (data in motion); however, some messengers offer additional security using end-to-end encryption, which means that even the messaging app provider cannot decrypt messages. Only the communicating parties can.”
8) Remote access apps
Do you need to check on your dog while you’re at work? Or turn on the heat before you arrive home? Remote access apps enable you to do so. However, they can also be misused. Remote access services may become a portal for external agents to enter your device, manage it and steal the data stored in it,” Chromek warns.
Most of the above-mentioned apps share some of the same risks. First of all, the cloud that they use for data storage may not be safe. With personal data storage, these cloud services suddenly become not only your suppliers but also GDPR data processors. There's also the risk of service failure that can lead to security breaches.
Finally, to remain functional, apps need finances. Free apps depend on funding their activity through advertisements, donations, using data for commercial purposes, or selling your data to other services. This only happens if you agree to it, so be sure to review the details about data sharing in the Terms and Conditions that many people skip reading.
Terms of Service: Didn’t Read
This website, https://tosdr.org, grades the Terms and Conditions of various apps from A to F. It may not offer a complete overview of an app’s safety, but it provides a better idea about what to expect from an app security-wise.
Always consult your IT or security specialists
To conclude, apps can be helpful in our personal and professional lives, but they all come with their own risks. Without having a background in IT, you may not be able to recognize their potential dangers fully, so we urge you to approach your IT team and/or security team with any new app that you intend to use. This includes apps you want to use for professional reasons as well as any personal services stored in the same device as your work-related files. Your IT team should help you determine whether an app is considered safe in your company. If not, they may be able to help you find a safer option.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security, to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET becomes the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information visit ΕSET Hellas or follow us on Facebook, Twitter and LinkedIn.