in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Smartphone Security: Facebook App - Yes, They Can Use Your Smartphone Camera (But They Won't)

Whenever I mention that AlertBoot Mobile Security, an MDM for protecting smartphones, allows one to disable their camera (and keep it that way), some people say something along the lines of "hey, that's great for companies infringing on my darn tootin' rights to do whatever the heck I want with my own smartphone that I'm allowed to use at work, but why would I personally want that?"

I never could answer this question.  What is the value of this feature for the smartphone owner?  Thankfully, Facebook is making the case for me on this one.

Facebook Spokesperson Essentially Says: "Trust Us"

In what I can only describe as one of the most horrific (but also naively refreshing?) statements I have read in a while, businessinsider.com had this to report (my emphasis):
While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
I realize that I haven't even covered the details of the story, but doesn't the above kind of make the hairs on your neck stand up, and tells you all that you need to know, regardless of the story?

I know it does to me.

It's Google's Fault

Eli Langer over at storify.com has a story on how people are "complaining about Android applications" for Facebook and Google Search.  Namely, that these apps can use a smartphone's "microphones and camera at any point without any confirmation."

I wouldn't have believed it if it weren't for a screenshot that shows the legal language.  You can find it by visiting the story, but it reads:
Record Audio: Allows the app to record audio with the microphone.  This permission allows the app to record audio at any time without your confirmation.

Take Pictures and Videos: Allows the app to take pictures with the camera. This permission allows the app to use the camera at any time without your confirmation.
Now, a screenshot in the age of Photoshop means nothing.  But, consider this: (1) multiple people are tweeting about it, (2) neither Mr. Langer nor businessinsider.com are not known for pulling April Fool's day pranks in mid-May (as far as I know, that is), and (3) there is the admission by a Facebook spokesperson, which we already saw above.  In fact, the full quote in the businessinsider.com article is the following:
A spokesperson for Facebook explains this [the legal language above] as follows: the language in this disclaimer comes from Google and wasn't written up by Facebook, it's simply how Android handles camera access. While it is technically possible for the Facebook app to record video and audio without your knowing, the spokesperson said Facebook won't do that.
I'm on the fence whether the full passage makes the spokesperson's statement more or less creepy.  One the one hand, the "openness" and "transparency" are appreciated (even if most people wouldn't read the legalese).  On the other hand, a living, breathing person telling me that I should ignore the implications.... well, let's just say that I'm pulling out of storage my X-Files t-shirt just for this occasion.

The Solution?

AlertBoot is one of the many companies that have a BYOD solution.  It's an MDM (mobile device management) service that allows one to control and manage smartphones and tablets from the cloud, and it includes features like remote data wipe, password policies, and Wi-Fi provisioning (and more, of course).

It also includes the ability to disable cameras on mobile devices.  Many companies do not allow cameras in the workplace for myriad reasons, and this is how it works in AlertBoot:
  1. A policy is created in the online management console.  For simplicity's sake, it'll be for disabling the camera.
  2. Apply it.
The policy is updated for devices, and that's that.  This works as long as the device is not jailbroken (of which the administrator will be notified).

If a regular/official/authorized version of the device's OS is in place, the Facebook app will not be able to access the camera, period (in the event of a conflict between the app settings, "use camera," and the AlertBoot MDM settings "camera disabled," the latter comes out on top, as should be the case).

Of course, the "real" solution is for Google and/or Facebook to change their policies and not allow this to happen.  I mean, the app can technically access your mic and camera but "it won't happen?"  Why build it, then?  And why ask for permission to use it without your being aware of it?

Related Articles and Sites:
http://www.businessinsider.com/facebook-android-app-camera-security-2013-5
http://storify.com/EliLanger/android-apps-accessing-your-microphone-and-camera
 
<Previous Next>

BYOD Security: Complying With Australian Privacy Principle 11

UK BYOD Security: 82% Of Biz Unaware Of Existing Data Protection Expenditures

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.