How IT can spy on your iPhone or Android smartphone

iOS and Android OS shield most data you care about from IT. Here’s what IT can see, what you can control and which mobile platform better protects your privacy.

Executive Editor, Computerworld |

Can your employer spy on your iPhone or Android phone? — Thinkstock

I recently applauded MobileIron for providing a tool in its mobile device management (MDM) client app that lets users see what IT is monitoring on their iOS and Android devices. User privacy is as important as corporate security, and the spy culture epitomized by the NSA, GCHQ, China, Google, Facebook, and so on has gotten way out of hand.

So what can your employer see about you on your smartphone if you let IT manage that device through an MDM tool?

[ Further reading: What is EMM? Enterprise Mobility Management explained ]

So what can your employer see about you on your smartphone if you let IT manage that device through an MDM tool?

What your employer can see

IT can see anything in your corporate email, contacts, and calendar since it manages those servers, and it can see your Web activities conducted on its network since it can snoop that traffic.

Rege also notes that IT can see what apps you have installed (not only those deployed by IT), your battery level, your storage capacity and amount used, your phone number and its hardware ID (called an IMEI), your carrier and country, and your device's model and OS version. Plus, if you give IT permission to do so, it can track your location (iOS forces apps and websites to ask for your permission first, so they can't do it secretly).

What you want kept private, and where mobile devices oblige

Source: MobileIron
[1] Except data sent to corporate servers from apps
[2] Apps can access this data, so IT could monitor it if desired through an app
[3] At install only in Android 4 and earlier
Device information	All adults' discomfort in IT seeing	Young adults' discomfort in IT seeing	iOS shields from IT	Android shields from IT
Personal email	78%	66%	Yes	Yes
Personal contacts	75%	63%	Yes	Yes
Texts and instant messages	74%	62%	Yes	Yes [2]
Voicemails	71%	63%	Yes	Yes [2]
Phone and Internet usage details	69%	59%	Yes	Yes
Information stored in mobile apps	71%	60%	Yes [1]	Yes [1]
List of all installed apps	67%	57%	No	No
Location	66%	57%	User decides	User decides [3]

Android shields almost as much as iOS does, but IT can change that

The default situation for Android users is slightly less private than for iOS users. The big difference involves location information access. iOS asks you when an app first requests access, and it lets you revoke the access at any time in the Settings app. Android asks when you install an app and does not let you revoke the permissions later; however, the forthcoming Android M changes that, working like iOS.

But Sean Ginevan, senior director for strategy at MobileIron, notes that the Android OS gives application developers permissions that could expose your personal data if enabled in any app you install. Thus, you can't be sure what apps might be gathering such data and sending it to IT, a legitimate vendor, or a fraudster. Fortunately, Android M's iOS-like permissions model should help uncover such access.

MDM client apps typically don't see that data, but a company that wants to monitor your text messages, Web history, and voicemails could install a (perhaps hidden) app on your Android device to pull that information from the device. (Ginevan notes that MobileIron's MDM tool does not gather Web history or voicemails, though one of its admin settings lets IT enable SMS archiving, which then gives IT access to your texts.)

For maximum privacy protection in Android, use the new Android for Work container, or similar containers such as Samsung Knox, to have all corporate apps, email, calendars, contacts, and so on run in a separate environment on your Android device. That way, you won't accidentally mix personal data into corporate systems, and any spyware your employer may have installed is restricted to the data and apps stored in that corporate container. (iOS runs all apps in their own containers, which keeps spyware limited to the device's public services that an MDM tool already has access to.)

We're getting less worried about privacy

But the MobileIron survey showed two troubling trends: Users are getting more comfortable in IT seeing personal data, and younger adults are more comfortable than older adults in having personal data visible to their employers. In other words, we're getting used to being spied on -- perhaps even resigned to it.

For example, a similar 2013 survey showed that 66 percent of adults did not want their company seeing their personal emails; the 2015 survey showed that 52 percent felt that way. There were similar drops in all categories.

Younger adults (in the survey, that meant men 35 years and younger, and both men and women with children under 18 years of age) were more accepting of personal data on their mobile devices being visible to their employers. Generally, they were less concerned by about 10 percent. In the case of personal emails, 34 percent of young adults surveyed were comfortable with IT seeing personal emails, versus 22 percent for all adults surveyed.

I guess that's what happens when you grow up with Facebook, where public exposure is the norm.

This story, "How IT can spy on your iPhone or Android smartphone" was originally published by Computerworld.

Galen Gruman is an executive editor of InfoWorld.