30 November 2014

Corporate smartphone monitoring

First, let me get you up-to-speed on some terminology:
  • Bring Your Own Device (BYOD) : It's a policy in a company or institution which allows people to bring personally owned mobile devices (phone/laptop/tablet) and to use it to access company/institute applications/information.
  • Corporate Owned Personally Enabled (COPE): It's a policy which companies use to give employees mobile devices (phone/laptop/tablet) and can monitor and control the employee's activity to a large extent. Employees are also allowed to use the device for their personal use.
  • SIM: It's basically just an IC embedded in a plastic card (which you call SIM card) and it stores data used to identify and authenticate those who subscribe to mobile telephony (that's why it's called Subscriber Identification Module).
  • IT: The department of brilliant & hard-working people in companies/institutions, who setup and monitor the electronic and software infrastructure while at the same time, quickly identifying and fixing hardware and software problems that are reported.

Smartphone monitoring

Long back (and even today), even the garbage a person threw out of their house was examined by detectives who wanted to find out personal details of someone they were investigating (don't believe it? Have a look at what you throw into the garbage everyday).
Then came GMail and Facebook which have their algorithms for monitoring and analyzing your pictures and data and finding out intimate details about you.
But even these technologies are no match for what your smart-phone can reveal about you. Even Blackberry phone technologies have been cracked by the government.


People are worried about BYOD because they think the company can monitor them. But an article on CIO says that not everything can be monitored. An employer will have much more important things to do (such as running their business), than monitoring personal information of their employees. It's like how Dan Brown's Digital Fortress mentioned that women needn't be worried that the NSA is going to spy on their emails and discover their secret recipe for preparing fruit jam.
However, certain surveys as mentioned in CIO, say that employees would be more comfortable if the employer clearly specified what they can and cannot monitor, and why they need to view that information. Some want it in writing, that their employer won't look at personal information.

BYOD is said to have resulted in data breaches in cases where an employee loses a phone and someone else accesses company information stored in the phone or if the employee leaves and company data is still in the phone.

Intellectual Property loss, litigations from employees about their private data and reimbursements are some of the hidden costs that an organization might incur because of a BYOD policy.

A survey also says that 44% of job seekers are more positive about an organization if it supports their mobile device.

It's a more secure and flexible alternative to BYOD, because it's a nightmare for a usually under-staffed IT department to monitor, keep track of and protect the mobile devices of employees (it's easier to impose company-wide policies). It also allows them to specify a limited set of permitted devices, which makes management easier.
The device being company-owned, the company can impose any restriction on which apps are allowed and can wipe data from a phone.

EMM solutions for COPE introduces the concept of "containerization" which enables organizations to create a separate partition which keeps corporate data isolated from personal data on mobile devices. This way, a data-wipe can be focussed on only erasing corporate information.

An organization should have a catalogue of allowed devices and app's, since allowing just about any device into the company network can be catastrophic.

Spy softwares

With softwares like MobileSpy (compatible with Android, iOS and Blackberry) on the other hand, a lot more can be monitored:
  • Screen: Viewing the actual phone's screen with a 90 second update rate.
  • Location: Locate the phone's position with GPS (the use of this feature takes up a good amount of battery, so it's almost never used, except for example, in cases where a company needs to monitor its truck-driver locations).
  • SIM info: Retrieve latest SIM information if the device is stolen or lost.
  • Wipe data & lock device: Can be done just by sending an SMS to the phone.
  • Text and messenger message logging: Every message is logged, even if deleted from the phone.
  • Social networking logs: Activity from Facebook and WhatsApp can be logged.
  • Youtube videos: Log which videos are watched.
  • Apps installed: Lets you see which apps are installed.
  • Web activity: All website URL's are logged.
  • App blocking: Access to certain apps can be blocked.
  • Photo log: All photos taken by the phone are logged and viewable.
  • Phone call info: Incoming and outgoing numbers are logged with duration and timestamp.
  • Email: All incoming and outgoing emails are saved.
  • Alerts: The person monitoring the device will be alerted when prohibited actions happen.
  • Contacts: Every existing and new contact is logged and saved.
  • Calendar events: Every event, date, time and location is saved.
  • Keylogger: MobileSpy is said to have it.
Another software called MobiStealth spy (for Android, iOS, Blackberry and Nokia) software provides:
  • Location monitoring
  • Blackberry messenger log
  • Text message and email log
  • Contact details
  • Call details
The software is said to be completely un-detectable, so children or employees cannot tamper with it.

Remotely controlling the phone

The person monitoring your phone won't be able to remotely activate the phone's microphone or camera. They won't be able to remotely switch-on your phone either, so nothing to be concerned about on this front. Your phone getting hacked or having a virus in it is a totally different situation though, where the hacker can control your phone. An employer obviously won't do such things, but an organization's IT department has to be on its toes when it comes to security updates and anti-viruses for the employee's phones.


If you're concerned about privacy, the better and simpler option is to use the company smartphone only when you're working, and use a dual-SIM personal phone when you're not working. The dual-SIM feature will help you take work-related calls too, by transferring your company SIM to your personal phone temporarily.
Be aware though, that even though your company isn't able to track your personal information because you're not using the company phone, there are plenty of other companies that monitor your personal phone to collect details about you. If you don't want them to track you, turn off WiFi on your phone.

No comments: