Beware of the app.
The digital downloads that fill smartphones and tablets might also be recording and selling your personal data, tracking your every step, and potentially sending spam to your contacts.
Sometimes, app makers load their little programs with extra functions that gather information they can sell on the side to marketers; others design the software to enter your contact list and promote their businesses.
Some apps are more invasive than others, and most alarming, certain apps can trigger an unintended consequence that might expose sensitive data and documents.
“It’s very difficult when you install an application to know exactly what it’s going to do,” said Gil Zimmermann, the chief executive of CloudLock Inc., an information technology security company in Waltham.
The issue is becoming a hot topic among consumers. Protests erupted this month among fans of the photo-sharing app Instagram when it said it would give advertisers more access to users’ data. Instagram later reversed course.
Zimmermann said his company discovered an unusual security lapse involving the use of an app popular with businesses. Called Podio, it is designed to allow employees to easily share documents and collaborate on projects. When employees use Podio to share work performed in Google Docs, the app automatically reduces the privacy settings on those documents, making them vulnerable to being viewed by outsiders.
Moreover, users are not explicitly notified when Podio has changed the security settings on their Google documents, Zimmermann said.
Since Google Docs is widely used in business applications, Zimmermann said, the reduced privacy setting presents an unknown security threat, especially to companies whose employees work on sensitive information.
“You are basically giving someone the keys to the kingdom,” he said.
CloudLock noticed the issue when a client, a British media organization that did not want to be named, discovered an employee using Podio had inadvertently exposed private company information to outsiders. Zimmermann said a manager at the media company confronted the employee, who denied knowing about the exposed material. What they subsequently learned was that Podio had switched settings on the Google documents from “private” to “anyone who has this link can view.”
Since then, the British company has banned certain employees with access to sensitive information from using Podio with Google Docs, Zimmermann said.
Podio officials acknowledged their app does change security settings on Google Docs but said the setting is necessary because it allows users to easily share work.
“If you make the active sharing too hard to do, people just won’t do it,” said Phillip Chambers, Podio’s chief technology officer. “We have to design software that people will use.”
Still, Chambers said, the company debated the security feature before putting it into the application and added some notifications in the app telling users that security levels on Google Docs will change.
Chambers said Podio has not received any complaints about the security settings from any of the 200,000 organizations that use the app. The Danish company was acquired by Citrix Systems Inc., the Santa Clara, Calif., enterprise software giant, for $53 million this year.
Google Inc. wasn’t aware of the issue with Podio. The app is one of many third-party programs that can be used with Google Docs. Google spokesman Tim Drinan did point out, however, that IT administrators who manage access to Google Docs in the workplace can cut off employees’ use of third-party applications.
But Peter Eckersley, director of technology projects for the Electronic Frontier Foundation, said businesses need to be more aware of security issues as the use of apps in the workplace proliferates.
“If we want these devices to manage our most sensitive documents and our most delicate secrets,” Eckersley said, “we need to be careful about how we use them and what software we use on them.”
Michael B. Farrell