Wireless Privacy, Opt-Out Settings Don't Protect Your Security Online
But even if it does, if your corporate mobile device that is used for compliance-related work is allowed to communicate with a non-secure site, even briefly, it's possible you or your organization could fail a compliance audit. In other words, you could get busted for taking a second to visit an e-commerce site if that site wants your device identifier. Chances are you thought that when you initiated a secure session, your connection was encrypted. That may not be true.

"It is possible to force a channel to become non-secure," said Jonathon Carter, technical director for Arxan Technologies, which specializes in securing mobile communications. "The server that accepts the SSL connection would simply redirect the user to a non-secure form of the same site. In response to a redirect request, the user's browser (Safari in iOS, for example) would unconditionally open the non-SSL version of the site."

Carter said that normally the switch to an insecure connection would last only long enough to capture the identifier, but that depends on the site being programmed to switch back. Done wrong, the communication will remain insecure. Carter noted that the browser would indicate a non-secure connection, but that in turn depends on the user noticing it. Worse, if an app is using such a connection, there may be no indication at all. To make matters worse, even when you begin a session over a secure protocol, you may not be very secure if the site switches you back only after it has retrieved the identifier. Carter suggests checking any sites you plan to visit first by running them through the SSL Labs test site.

But that's only part of the problem. Analyst Craig Mathias points out that almost no one realizes, or even considers, that it is a problem that this data is being transferred or that advertising will be sent to your mobile device as a result. "I tried it on my phone, and I was quite surprised," he said.
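The downgrade Carter describes is visible in a site's redirect chain: an HTTPS response whose Location header points at an http:// URL. The script below, added here as an example and not part of the article or of any tool it mentions, walks such a chain and flags the first cleartext hop, and also records whether the site sends a Strict-Transport-Security (HSTS) header, which is the mechanism that stops a browser from silently following an http:// redirect once it has seen the policy for that host. The host names (shop.example, bank.example, loop.example) and the response table are constructed so the audit runs offline; in a real check the table would be replaced by live responses fetched with redirects disabled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for live HTTP responses: requested URL -> (status, headers).
# shop.example bounces through cleartext before returning to HTTPS (the downgrade
# described in the article); bank.example stays on HTTPS and sends HSTS;
# loop.example redirects in a cycle, which the walker must terminate.
CONSTRUCTED_RESPONSES = {
    "https://shop.example/": (302, {"Location": "http://shop.example/track"}),
    "http://shop.example/track": (302, {"Location": "https://shop.example/home"}),
    "https://shop.example/home": (200, {"Content-Type": "text/html"}),
    "https://bank.example/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://loop.example/": (302, {"Location": "http://loop.example/"}),
    "http://loop.example/": (301, {"Location": "https://loop.example/"}),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def audit_redirect_chain(start_url, responses, max_hops=MAX_HOPS):
    """Follow redirects from start_url using the given response table.

    Returns a dict with the visited chain, whether any hop was downgraded to
    cleartext http://, the first such URL, and whether an HTTPS response in the
    chain carried an HSTS header. The walk stops at a non-redirect response, at
    an unknown URL, after max_hops, or when a URL repeats (redirect loop).
    """
    chain = [start_url]
    url = start_url
    downgrade_hop = None
    hsts = False

    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        if status is None:
            break  # not in the table; treat as unreachable
        lower = {k.lower(): v for k, v in headers.items()}

        # HSTS only counts when delivered over HTTPS; browsers ignore it on http://.
        if urlsplit(url).scheme == "https" and "strict-transport-security" in lower:
            hsts = True

        if status not in REDIRECT_STATUSES or "location" not in lower:
            break  # final response, chain ends here

        nxt = urljoin(url, lower["location"])  # Location may be relative
        if urlsplit(nxt).scheme == "http" and downgrade_hop is None:
            downgrade_hop = nxt  # first cleartext hop: identifier injection is possible here
        looped = nxt in chain
        chain.append(nxt)
        if looped:
            break
        url = nxt

    return {
        "chain": chain,
        "downgraded": downgrade_hop is not None,
        "downgrade_hop": downgrade_hop,
        "hsts": hsts,
    }


if __name__ == "__main__":
    for start in ("https://shop.example/", "https://bank.example/", "https://loop.example/"):
        result = audit_redirect_chain(start, CONSTRUCTED_RESPONSES)
        verdict = "DOWNGRADE to %s" % result["downgrade_hop"] if result["downgraded"] else "stays on HTTPS"
        print("%-25s %s; HSTS=%s; hops=%d" % (start, verdict, result["hsts"], len(result["chain"]) - 1))
```

A site that never leaves HTTPS and sends HSTS gives a browser no opportunity to emit the cleartext request a carrier could annotate; a site that downgrades, even for one hop, does, regardless of how quickly it switches back.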
Mathias noted that unless advertising is disabled, it eats up the bandwidth allocation that you or your company is paying for. Twitter is one of the companies making use of the unique identifiers as a way to serve advertising, he said. The problem, of course, isn't the advertising, per se, nor is it the use of the identifier. The problem is that it's not necessarily disclosed to users and that opting out is difficult or impossible. With Verizon, for example, you can opt out of the company sharing private information, but not the process of injecting the number into your data stream. Until you can control that, your company's communications are at risk and you could fail an audit even if nobody steals a thing.
Complicating the situation is the fact that almost no one knows that these identifiers are being inserted by some carriers, and almost no one knows that SSL encryption can be turned off by the remote site. Fortunately, you can at least find out if your carrier is inserting such a number into your phone's data stream by visiting a page run by Kenn White, who runs an auditing service.