Guidelines on privacy and security for mobile apps

Overview

Many smartphone applications, including social media platforms, gather and share users’ private and personal information. Because of this, many of these apps pose significant security risks. It is important to be aware of and consider these risks when downloading and using apps, especially on University of Toronto-issued devices.

The guidelines below explain some of the risks, what to watch out for and how to reduce the risk to you and the University.

Background

Smartphone applications can pose significant security and privacy risks because of how they collect and share data. If these apps are installed and running on devices used to access U of T data, these risks can extend to the University.

It is important for staff, faculty, librarians and students to be aware of the security and privacy issues and how to reduce the risks.

Risk considerations

By installing software such as social media apps on your mobile devices, you give these companies permission to access your phone’s data, including photos, videos, contact lists and location information. Sometimes you can explicitly deny these permissions, but you may not be given that option if you want to use the app to its fullest.

Here are some risks that could impact you:

  • Identity theft. Many people consider their personal social media presence to be private. However, attackers can use personal information shared on these apps to impersonate you and access confidential data, such as bank account information. This is a powerful tool for those looking to commit financial fraud.
  • Privacy concerns. Depending on your privacy settings, personal information and communications posted on social media can be accessed by unintended readers or recipients.
  • Data leakage. The apps you install may contain spyware, resulting in leakage of your important information, including credit card numbers, personal photos or stored passwords.
  • Information sharing. Apps may collect your personal information in the background, such as where you shop, what you search or your travel patterns, and share it with marketing firms or other agencies without your knowledge.

How apps on work devices impact the University

Since most of these apps, especially those on personal devices, are not vetted by the University’s information security teams, they may contain vulnerabilities that could be exploited and result in security incidents.

  • Due to the data collection and sharing policies of these apps, the University’s confidential information is at risk of exposure to unauthorized users, which may result in reputational and privacy impacts to you, your colleagues, your students and the broader University.
  • These applications may be an entry point for social-engineering attacks such as phishing and ransomware, which may put the University, its community members and their data at risk.

What you can do

There are many valid reasons to use this software, but you can lower the risk by becoming aware of the potential vulnerabilities to you and the University.

Four quick tips to consider for each of your apps:

  1. Do a quick search: Before downloading a new app, check if there are any known privacy and security concerns associated with it.
  2. Pause before granting permission: Be cautious about what permissions you are giving to the app and determine what data should not be disclosed when you sign up.
  3. Review the terms & conditions: Read the applications’ privacy policies and terms and conditions to be aware of their data-collection and sharing policies.
  4. Consider the source: Download apps from trusted sources such as the Apple App Store or Google Play to limit the risk of spyware and other vulnerabilities that may lead to cybersecurity attacks.

If you are concerned about the security and privacy of any application(s), then:

  1. Do not access any high-risk personal information (such as banking details, credit cards, etc.) from the same device as the app(s).
  2. Do not access high-risk University data (level 3 or 4) from the same device as the app(s).

If you use these applications for official U of T functions:

  1. If you can, use the application on a dedicated device.
  2. Do not access high-risk University data (level 3 or 4) from the same device as the app(s).
  3. Use strong passwords and set up multi-factor authentication (MFA) for your U of T accounts.