February of this year brought about an exciting announcement, Google’s Android For Work program. This initiative illustrates Google’s campaign to overtake the market and become the preferred choice of businesses for their mobile device needs. With 40 partners, device manufacturers and all four major cellular carriers involved, Google is set to reach their goals. The focus of the initiative is enterprise security and freedom for employees to use their personal devices for work-related applications. The idea is simple, install Android For Work and keep your personal data separate from work data. In theory this is a fantastic way to consolidate the amount of things every professional needs to lug around, but reality is a bit more concerning.
I’ve been a huge advocate of knowing what permissions you are allowing apps on your device to have, and more importantly, what the specific uses of said permissions are. The list of permissions required by this application are vague, and actually frightening if you consider what they could mean.
- Device & App History – Allows the app to view one or more of: Information about the activity on the device, which apps are running, browsing history and bookmarks. – A pretty invasive permission to request in my opinion. This makes no mention if the information gathered is differentiated between the personal and work profiles either, so employers are potentially able to view the applications you’ve installed, web pages you’ve browsed and bookmarks you’ve created on your personal profile.
- Identity – Uses one or more of accounts on the device, profile data – Another invasive permission that makes no mention of differentiation. Are employers able to gather all of my account information? Social media profiles? Personal email accounts?
- Calendar – Uses calendar information – Not one I worry too much about, but if this application accesses personal profile items should employers have access to that information? Just imagine the effects of you employers IT department knowing your menstruation cycle.
- Contacts – Uses contact information – I see this permission requested a lot, and it is one of my biggest pet peeves. What possible reason does any application outside of my phonebook and email have for requesting a list of my contacts? Gamestop’s app requested this permission to include the ability to send emails, SMS and MMS messages with or without my knowledge. Really? Why? Would you give your personal contacts list to your employer, or worse yet, Gamestop? Neither would I…
- Phone – Uses one or more of: phone, call log. Charges may apply. – Great, now your employer knows you spent an hour on the phone with grandma last night. I can see the necessity of this and even the potential benefits, but only if the work profile has its own list of call logs and can’t access the personal profiles.
- Photos/Media/Files- Uses one or more of: Files on the device such as images, videos, or audio, the devices external storage. – Another very invasive permission that I believe is entirely unnecessary. I understand the need to write to and recall from storage for work purposes, but again there’s no differentiation of the information accessed.
- Device ID & Call Information – Allows the app to determine the phone number and device IDs, whether a call is active and the remote number connected by a call. – For administrative purposes, I understand this one, mostly. I realize that work information may be sensitive and as such, the need to secure it via contact with the device is a necessary evil, especially when the device isn’t on the employer’s network. However, the final bit of the permission makes me wonder why it is necessary to know who I’ve called by determining the number I’m connected to. Is this information really necessary for employers to have access to?
- Other – Read your social stream, read sync statistics, contacts data in Google accounts, view configured accounts, Google mail – The “Other” category is a huge red flag in my mind. There is no need for this application, my employers or any other entity to have access to my social stream, contacts data or my gmail. These are clearly not work related and have no place in an app designed to be used at work. You may as well leave your device on the table with everything open for all to read with these permissions.
The description of the application itself makes me wary of the possibility of using it. The last line of the apps description in the Play Store states
“With full policy enforcement, control over app distribution, and remote wiping of all business data, IT admins can manage the Android For Work app through partner management solutions.”
I’m not arguing that if, for some reason, the need arises to remove someone’s ability to access sensitive materials, documents, or data it should be done, as far as I’m concerned in that instance it must be done. What makes me leery of the permissions granted here is the level of access this application could have. Businesses that supply devices for their employees have MDM applications, such as Spiceworks on them that grant unlimited access to all that is done on the device. What’s stopping an employer from generating and maintaining the same level of administrative authority over your personal device?
Until there is more information disclosed about exactly what content is being accessed and how these permissions operate, I’ll stick to hauling around multiple devices for my business needs. How about you?