MDM Invades Privacy
Capable of exposing browsing activity, login credentials and user locations.
Commonly Used BYOD Management Tools Can Inspect Data Traffic from Third-Party Messaging Apps, Violate Employee Privacy
Bitglass released the results of its “MDMayhem” experiment. Bitglass tracked the personal mobile devices of several willing employee volunteers with mobile device management (MDM) software to understand how MDM could be misused and to assess the true extent of access employers have to personal data and user behavior.
Bitglass researchers configured the MDM software to route mobile data traffic through a corporate proxy and installed corporate-issued certificates on employee devices to decrypt SSL traffic. This configuration, common in enterprise MDM deployments for inspecting traffic for malware, enabled researchers to see the contents of employees’ personal email inboxes, social networking accounts and even banking information. Notably, the usernames and passwords used to log into sensitive accounts, including personal banking accounts, were transmitted through the corporate network in plain text. MDM also gave the Bitglass team visibility into users’ app downloads and browsing history, which exposed sensitive search queries, including several health-related searches.
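The interception described above works because the MDM-installed corporate certificate is trusted by the device’s system store, so ordinary TLS verification passes even though the proxy is re-signing every server certificate. The following is an added example, not code from Bitglass or from the experiment, showing the client-side check an app developer can use to notice this: pin the expected server certificate’s fingerprint and refuse to send credentials when the presented certificate differs. The host name, the pins and the sample certificate bytes are constructed placeholders for illustration.

```python
"""
Detecting TLS interception by a corporate proxy (added example).

Assumption: an app knows the SHA-256 fingerprint(s) of the certificate it
expects a server to present. A proxy that re-signs the server certificate
with an MDM-installed corporate CA cannot reproduce those bytes, so the
fingerprint mismatch reveals the interception even though the system
trust store accepts the chain.
"""
import hashlib
import socket
import ssl


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify_presented_cert(der_bytes: bytes, pinned_fingerprints: set) -> str:
    """
    Return "pinned" if the presented certificate matches one of the pins,
    otherwise "intercepted_or_rotated". Legitimate key rotation trips the
    same check, which is why production pin sets include a backup key.
    """
    fingerprint = cert_fingerprint(der_bytes)
    return "pinned" if fingerprint in pinned_fingerprints else "intercepted_or_rotated"


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """
    Open a verified TLS connection and return the leaf certificate's DER bytes.
    System verification stays ON: a CA the device does not trust is rejected
    here, but a CA that MDM installed into the system store passes, which is
    exactly the case the fingerprint pin above is needed for.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connection_is_trustworthy(host: str, pinned_fingerprints: set) -> bool:
    """Live check combining system verification and the pin comparison."""
    der = fetch_leaf_cert_der(host)
    return classify_presented_cert(der, pinned_fingerprints) == "pinned"


# Constructed sample data (not real DER) so the decision logic runs offline:
EXPECTED_CERT = b"constructed-expected-leaf-certificate"
PROXY_MINTED_CERT = b"constructed-certificate-resigned-by-corporate-ca"
PINS = {cert_fingerprint(EXPECTED_CERT)}

if __name__ == "__main__":
    print(classify_presented_cert(EXPECTED_CERT, PINS))      # pinned
    print(classify_presented_cert(PROXY_MINTED_CERT, PINS))  # intercepted_or_rotated
```

In practice an app would call `connection_is_trustworthy("example.invalid", PINS)` (host name is a placeholder) before submitting a login form; when it returns `False` the app should refuse the login and tell the user the connection is being inspected, rather than sending the password through the proxy in the clear.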
Third-party apps were also susceptible to packet sniffing. Even on iOS, where some believe app sandboxing limits employer visibility into user behavior, researchers were able to intercept personal communications sent through widely used apps, including Gmail and Messenger.
The MDM solutions tested could force GPS to remain active in the background without notifying the user, pinpointing the locations of managed devices in real time while draining battery power in the process. Location data also revealed user habits – where employees went after work, where they traveled on weekends, how frequently they visited their local supermarkets, and more.
“The invasion of privacy by MDM is a key reason that there are two billion mobile devices on the planet, but only a few million devices managed by MDM,” said Nat Kausik, CEO, Bitglass. “IT leaders looking to enable BYOD must focus on a data-centric, agentless approach that respects user privacy.”
67 percent of employees would participate in a BYOD program if employers could not view or alter personal data and applications, according to Bitglass’ most recent BYOD report. Without a security solution that respects user privacy, employees will simply work around IT. To protect data on unmanaged devices, organizations are now adopting agentless, data-centric solutions that provide employees more flexibility without the privacy implications of MDM.
To download the full results of the experiment, visit: bitglass.com/mdmayhem
Opinions expressed by DZone contributors are their own.