Privacy + Security for Mobile Apps

Applications on smartphones have been known to collect and share users’ private and personal information.

Some, like TikTok, do this while also capturing user viewing preferences in order to profile them and target them with “like” content. While this can be good for the user experience, as you see what you like, it is also bad, as it could be used to influence and/or change users’ thoughts or beliefs.

Background

Smartphone applications that are free can only afford to be free because of either in-app purchases or brokering your personal information.

In other words, if the application is free, it is because you are the product that the app is selling. How they collect and share your personal data can pose significant security and privacy risks, especially if these apps are installed and being used on mobile devices that are also accessing Emily Carr’s data.

Issues with TikTok

Currently, TikTok is in the news. There have been bans against its use in the European Union, the United States, Canada, and many other countries, specifically for government officials. Foundationally, TikTok is doing the same as Facebook or any other social media app. The big difference is that the nation where the parent company of TikTok (ByteDance) is located has passed 3 laws since 2017 that enable the government of that country to force any company in that country to turn over personal information that it has collected and stored from its users.

The second difference is that TikTok tracks all keystrokes from sites opened within TikTok if the default in-app browser is used. This default browser cannot be changed, although each time before you click on a site you can force it to open in the system default browser (e.g., Safari or Chrome). If you do not do this, the site opens in the TikTok browser and everything that is typed into that browser can be recorded, including usernames, passwords, or credit card information.

The last thing that is being called out about TikTok is the algorithm that drives the content the viewer experiences. It is extremely effective, but many believe that it also could be used by the government to influence TikTok users’ thoughts or beliefs by suggesting videos of a certain nature, political belief, or other influence.

What you should know and what you should do now

  • Review your app settings and follow the guidance below.
  • We are aware that the federal and BC provincial governments and some higher education institutions have banned the use of TikTok on their work phones. Currently ECU is cautioning about the use of TikTok, especially on devices that also contain ECU data.
  • ECU encourages all to learn about the concerns of TikTok and social media apps in general. 
  • The Privacy Commissioner of Canada, along with the Provincial Privacy Commissioners from Quebec, Alberta, and British Columbia, is reviewing privacy concerns around TikTok. If their findings give cause for alarm, ECU’s position on the use of TikTok on ECU-owned devices and/or on campuses will change accordingly.

How you could be affected: risks to consider

By installing social media (and other) applications on your mobile device, you are giving these companies access to your phone’s data including photos, videos, contacts lists, location information, and potentially files and/or emails on your device.

Here are some risks that could impact you:

  • Identity Theft. Even though you may consider your social media presence to be private, social media apps are designed to be social. As such, your posts and information are shared in order to be “social”. Attackers can use the information you share on these apps to impersonate you and/or access confidential data, such as bank account information. This is a powerful tool for those looking to commit financial fraud.
  • Privacy Concerns. Depending on the choices you made while installing, and on your ongoing security settings, personal information and communications posted on social media can be accessed, collected, and shared by the app, and in some cases by unintended readers or recipients. The Terms and Conditions and Privacy Policy are long and difficult reads, but you need to review them in order to make informed decisions.
  • Data Leakage. Some apps contain spyware, resulting in leakage of your important information including banking, credit, photos, or stored passwords.
  • Information Sharing. Very valuable information about you is collected in the background, such as what you search for, what you view (and how long you view it), your likes, and many other things. This information is sold to (aka shared with) marketing firms or other agencies without your knowledge.
  • Unexpected impacts. One of the largest unexpected privacy impacts occurs when apps are granted access to contact books/lists. If you consent to this, then the app has access to the contact information on the phone. In other words, you have just consented, on behalf of everyone in your contact list, to share the information you hold about them with the app you just installed on your device.

      What you can do to protect yourself

      There are many valid reasons to use these types of apps, but you can lower your risks by becoming aware of the potential vulnerabilities to you and the university and by learning how to mitigate those vulnerabilities by making informed choices/actions in the installation and use of social media apps.

      Five Quick Tips to consider for each app you choose to install:

      1. Review the settings.
      Here are settings you can choose that will “limit” the negative impact social media apps can have.

      • Disable Ad Tracking: Android and iPhones offer the ability to disable most 3rd-party tracking, making it harder for advertisers and data brokers to track and profile you. Instructions for your model of phone and this setting can be easily found on the internet.
      • Disable cookies within the app: This will limit the amount of data collected on you, but like disabling ad tracking, what is presented to you will not be personalized. To do this in TikTok, click on “Me” in the TikTok app, select “Settings” by pressing the 3 dots in the top right corner, select “Personalization and data”, then use the toggle switch to disable.
      • Disable Location Tracking: Set location tracking to the “Use by App” setting. This will allow your location to be tracked only by the applications you allow to track your location while you are using them (for instance, a map/route guiding application).

      2. Do a quick search about the app.
      Before downloading a new app, use a search engine to check if there are any known privacy and/or security concerns associated with it.

      3. Pause before granting permissions.
      Be cautious about what permissions you are giving to the app and determine what data should not be disclosed when you sign up or install. Understand going in that some of these choices may make the app work a little differently for you than for those who are openly sharing their data. That is ok. Your privacy and security should be more important than app functionality.

      4. Review the terms and conditions and the privacy policy.
      Read the application’s privacy policy and end-user license (EUL). These are long and written in legal terms to dissuade you from reading, but they concern your privacy, and you need to be an informed consumer who shares only the minimum data and knows who it is being shared with.

      5. Consider the source.
      Download apps only from trusted sources like the Apple App Store or Google Play to limit the risk of spyware and other vulnerabilities which may lead to data loss and/or cybersecurity attacks. But be warned, just because it comes from these stores does not mean that it doesn’t have nefarious data collection and sharing practices!

      Are you using social media apps on ECU devices?

      If possible, please use separate devices for university business and for personal social media applications.

      If you cannot separate the use, do not access highly sensitive data from the device that you have installed non-university social media apps on.