Is FaceApp just the next in a long line of risky apps? Guido Marchetti Explains
What is FaceApp?
FaceApp is a clever app that uses people's photos to artificially age them. It has proven to be a continued source of great enjoyment as it trends across most social media channels this week. Like most apps, FaceApp has extensive terms and conditions that no one reads.
If a stranger asked you for a clear photo of your face, along with your phone number, access to your contacts and the files stored on your phone, and a passcode to come back in whenever they wanted, what would you say? No, right?
Unfortunately, this is not new: most apps request this level of access and users blindly click accept. The worrying addition FaceApp brings is that an AI-enhanced photo of your face is collected and added to that data.
In the past some groups have succeeded in breaching biometric and Face ID systems using stored photos, as covered by Wireless in this article. Facial recognition systems like Apple's Face ID have come a long way in the past three years (Face ID matches against a depth map of the face rather than a flat image, so a photo alone is not enough), but older and less robust systems that match against a 2D image could still be unlocked with the sort of data users are willingly handing to FaceApp.
If you use #FaceApp you are giving them a license to use your photos, your name, your username, and your likeness for any purpose including commercial purposes (like on a billboard or internet ad) — see their Terms: https://t.co/e0sTgzowoN pic.twitter.com/XzYxRdXZ9q
— Elizabeth Potts Weinstein (@ElizabethPW) July 17, 2019
What Should Users & IT Teams Be Aware Of?
If you use FaceApp, you are giving them a license to use your photos, your name, your username and your likeness for any purpose, according to the terms and conditions.
Often these apps also request access to data that is shared across the device, such as contacts, photos and files, which other installed apps may have created. Always check the permissions an app requests before you install it, and check again after updates, since a new version can ask for more.
Businesses need to know when an app that can gain access to user data is installed on a device that also reaches corporate data. This is one of the many reasons companies with a BYOD policy should invest in an MDM solution: not to restrict features, but to give IT oversight of the risk level of each endpoint entering the network.
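As an added example, not part of the original article, here is a small Python audit that does the check the two paragraphs above ask for on an Android device: it parses the output of `adb shell dumpsys package <pkg>`, separates what the app has requested from what has actually been granted, and flags the permissions that matter when the device also holds business data. The dump, the package name com.example.faceaging and the list of sensitive permissions are constructed for the example; iOS has no equivalent command, which is exactly where an MDM inventory comes in.

```python
import re
import sys
from typing import Dict, List, Set

# Permissions an IT reviewer would treat as high risk on a device that also
# reaches business data. The list and the plain-English reasons are an
# assumption for this example, not a standard of any MDM or MTD product.
SENSITIVE = {
    "android.permission.CAMERA": "camera (clear photos of your face)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files and photo gallery",
    "android.permission.WRITE_EXTERNAL_STORAGE": "files and photo gallery (write)",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "phone number and device identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Constructed sample of `adb shell dumpsys package <pkg>` output, trimmed to the
# sections the parser uses. The package name is hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.faceaging] (a1b2c3d):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_PHONE_STATE
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false
        android.permission.RECORD_AUDIO: granted=false
"""

# A permission line is either a bare name (requested section) or
# "name: granted=true|false[, flags=...]" (install / runtime sections).
PERM_LINE = re.compile(r"^\s*([\w.]+)(?:: granted=(true|false)\b.*)?$")


def parse_permissions(dump: str) -> Dict[str, Set[str]]:
    """Return {"requested": {...}, "granted": {...}} from a dumpsys package dump."""
    requested: Set[str] = set()
    granted: Set[str] = set()
    section = None
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped  # "requested", "install" or "runtime permissions:"
            continue
        m = PERM_LINE.match(line)
        if m is None or section is None:
            continue  # headers and key=value lines (userId=, User 0:) do not match
        name, state = m.group(1), m.group(2)
        if section.startswith("requested"):
            requested.add(name)
        elif state == "true":
            granted.add(name)
    return {"requested": requested, "granted": granted}


def risk_report(perms: Dict[str, Set[str]]) -> List[str]:
    """One finding per sensitive permission the app holds or could still ask for."""
    findings = []
    for perm, why in SENSITIVE.items():
        if perm in perms["granted"]:
            findings.append(f"GRANTED   {perm}: {why}")
        elif perm in perms["requested"]:
            findings.append(
                f"REQUESTED {perm}: {why} (not granted yet; the app can prompt for it later)"
            )
    return findings


if __name__ == "__main__":
    # On a real device:  adb shell dumpsys package <pkg> | python3 audit_perms.py
    # With no piped input the constructed sample is used instead.
    dump = SAMPLE_DUMPSYS if sys.stdin.isatty() else sys.stdin.read()
    for finding in risk_report(parse_permissions(dump)):
        print(finding)
```

The point of separating REQUESTED from GRANTED is the one made above about updates: a permission that is declared but not yet granted is still a permission the app can prompt for at any time, so it belongs in the risk picture even before the user taps allow.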
What data does it leak?
Reports, though unconfirmed, which is what is causing the noise, highlight that you sign over the rights to your media files, your gallery and your username, in all media formats and channels known or later developed. The latter part of that sentence is the concerning one: a change to the app could mean it starts collecting video files, audio files and other material you haven't even created yet. Of course, the user has already accepted these terms, so coming back at that stage is difficult.
1. No, #faceapp terms aren't different from other social apps.
2. Yes now they own irrevocable rights to your likeness.
3. Yes a Russian company now has a db of AI enhanced photos & your personal details.
4. Yes they likely hoovered up other metadata.
5. No, you can't have it back.
— Marc Rogers (@marcwrogers) July 17, 2019
Picture yourself on holiday in a part of the world you don't usually visit, and across from the restaurant you see your face being used in an ad. That is effectively the right to your image you are signing away via this app.
Users need to be educated on the dangers of installing apps without thinking, particularly if business data can be accessed on the device. We all need to accept that some data collection we cannot control, some we can, and we need to stop and think before we tap accept.
Businesses need to realise that end users just click and install, so what's the business risk? Much like WhatsApp, if any of these apps are rogue or compromised they can start to collect whatever data on the phone their permissions reach, so we need to take the same precautions we already take with our PCs and laptops.
What Protections are Available for Businesses?
Having an MDM platform and an MTD platform can help hugely in protecting your end users and your data. Companies with corporate-managed devices can use their MDM platform to create a policy that blacklists the application and prevents it from being installed.
If your company has a BYOD scenario and end users want to use such apps, you can use your MTD service to monitor the app for suspicious behaviour and flag to the end user that they should remove it.
A notification can also be sent to the IT team, who can then choose how to act on the threat: for example, remove all business apps from the phone until the user removes the app, or simply quarantine the device if certain red flags are raised.
The moral of the story is a simple one: we are likely to see more and more of these scares in the shadow of the Cambridge Analytica and WhatsApp scandals. La Liga in Spain has been fined for using its app to listen in on crowds in bars to identify whether the pub was licensed to show the games. They claim they didn't understand the technology, which is hard to believe considering they used the output to act against illegal match televising.
The lines are blurred as to what and who can be trusted in terms of development, and what is acceptable for us to say OK to in terms of our privacy. In the La Liga case the fine was imposed because they didn't make it clear enough to end users what the app was doing. As for FaceApp, once your image is uploaded they can use it any way they please, which is slightly unsettling for me.
Businesses, take heed: if you're not managing the devices and the applications on them, I would suggest you start thinking about it seriously before you have to report a possible data leak. And just an FYI: if you have business apps on unmanaged devices today, it is already happening.
To learn more about the basics of securing your mobile estate, download our whitepaper '9 Things a Company Should Know About Mobile Security' here, and take our security quiz to assess your organisation's current level of device security.