Apps that create a Virtual Private Network (VPN) on devices are becoming more prevalent, and organisations should be aware of what that means in terms of data loss for iOS and Android devices. A VPN allows users to create a secure connection to another network over the Internet. Traditionally, VPNs have been used to provide access to corporate network resources behind a firewall; however, VPNs are now becoming popular for personal use as they allow users to bypass Internet censorship.
VPNs are also starting to be used in-app to collect data for analysis and analytics. For example, Facebook has recently released a ‘Protect’ function that guides users to download a VPN app called Onavo, which is known to tunnel all device data to a service that collects the user's contacts, metadata, DNS queries and IP addressing information.
VPN apps can access encryption, key management and certificate trust chains on a device, as well as data in the keychain. Some VPN apps the Mobile Mentor team have scanned are also known to activate the device's camera, microphone and geolocation.
Important Note:
Facebook is testing this ‘service’ in the USA. Users are not being prompted in the Australian or New Zealand market yet. Due to the size of the Facebook customer base (over 2 billion), this ‘feature’ cannot be overlooked and may present a risk to your corporate data. If just a small percentage of Facebook mobile users take up this service, Facebook has the potential to become the largest VPN provider in the world.
Mobile Mentor Recommendations
Mobile Mentor recommend organisations take steps to manage or block the use of personal VPNs on company devices.
There are several ways to achieve this using Enterprise Mobility Management (EMM) and/or Mobile Threat Defence solutions. Of particular note:
- On Android devices, VPN setting modification can be prevented via Android Enterprise policy.
- On iOS devices, the manual profile installation required for VPN can be blocked for Supervised devices via a Restriction policy.
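One way to confirm that both policies are actually in place is to audit the policy files exported from the EMM. This is an added example, not Mobile Mentor's tooling. It assumes the Android policy is Android Management API JSON (field `vpnConfigDisabled`) and the iOS policy is an unsigned configuration profile with a Restrictions payload (key `allowUIConfigurationProfileInstallation`); neither name appears in the original text, and the sample policies are constructed.

```python
import json
import plistlib

# Constructed sample: an Android Management API policy as exported JSON.
ANDROID_POLICY = json.loads(
    '{"name": "enterprises/EXAMPLE/policies/corp", "vpnConfigDisabled": true}')

# Constructed sample: an unsigned iOS configuration profile with a Restrictions payload.
IOS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowUIConfigurationProfileInstallation": False,
    }],
})

RESTRICTIONS = "com.apple.applicationaccess"
IOS_KEY = "allowUIConfigurationProfileInstallation"


def audit_android(policy):
    """Return findings if the policy lets users modify VPN settings."""
    if policy.get("vpnConfigDisabled") is True:
        return []
    return ["android: vpnConfigDisabled is not true, users can modify VPN settings"]


def audit_ios(profile_bytes):
    """Return findings if the profile allows manual profile installation."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return ["ios: profile has no Restrictions payload"]
    # An absent key means "allowed"; one payload setting it to False is enough.
    if any(p.get(IOS_KEY) is False for p in payloads):
        return []
    return [f"ios: {IOS_KEY} is not false, users can install VPN profiles manually"]


if __name__ == "__main__":
    for finding in audit_android(ANDROID_POLICY) + audit_ios(IOS_PROFILE):
        print(finding)
    print("audit complete")
```

The iOS restriction only takes effect on Supervised devices, so a passing audit on the profile still needs the device's supervision status checked in the EMM console.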
Should you wish to discuss enabling these policies in your environment, please reach out to your Mobile Mentor Account Manager or Service Delivery Manager.