July 23, 2019
FaceApp: Keep Calm and Manage Permissions

“Oh no! Russians have managed to get their hands on thousands of US citizens’ data!” is the alarming headline we are seeing a lot right now on our typical feeds and social media posts. Is this grounds to sound the alarm and trigger incident response plans? Or is it just time to have a valuable discussion and reminder on privacy best practices in this day and age?

In the last week or so, an app called FaceApp has been making its rounds on social media sites and message lists. The core functionality of this app is to take a photo of yourself or whatever subject you snap a picture of and use AI to apply (very convincing) filters to make you look older, younger, happier, etc. Seems harmless, right?

The app is certainly a success, if success is measured in downloads. At the time of writing, Google Play shows over 1.5 million downloads, and Apple’s App Store shows about 800k downloads. The concerns started once someone reported that the developers are from Russia. U.S. Senator Chuck Schumer said the app could pose “national security and privacy risks for millions of US citizens.” However, FaceApp told TechCrunch it’s only keeping most images for 48 hours, and only images you select for filtering are uploaded in the first place. Geographically, data isn’t being sent to Russia either; FaceApp uses AWS and Google Cloud. The terms of service can seem alarming at first, but truth be told they are really no more invasive than those of many other services and social media applications you may already use.

So, at this point I’d say there’s a very low risk of you waking up to find embarrassing photos of you and your loved ones leaked on 4chan, bank accounts drained, or to discover 3 mortgages were taken out in your name while you slept. However, this is an opportune time to talk about some best practices when using apps like this. Since Android 6.0 “Marshmallow” and for a while now on iOS, you can grant, deny and manage access to several permissions such as location, camera or microphone, among others. A strongly recommended best practice is to evaluate the risk an app could pose to your privacy and sensitive data on a permission by permission basis, considering the intended functionality of the app. FaceApp requiring temporary access to a camera to snap a picture seems to make sense, whereas the app asking for your exact location or your call logs should raise an eyebrow. Permissions management is an important way to limit your attack surface.
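
One way to apply the permission-by-permission review described above on Android, as an added example that is not part of the original post: the script parses the runtime-permission lines printed by `adb shell dumpsys package <package>` and flags anything granted that the app's function does not justify. The package name `com.example.photofilter`, the sample dump and the expected permission set are constructed assumptions.

```python
import re

# Constructed sample of the "runtime permissions:" section printed by
# `adb shell dumpsys package com.example.photofilter` (hypothetical package).
SAMPLE_DUMP = """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false
"""

# Assumption: what a photo-filter app plausibly needs to do its job.
EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Matches "<name>: granted=true|false", with or without a trailing flags list.
PERM_LINE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z_]+): granted=(true|false)")

def parse_runtime_permissions(dump):
    """Return {permission: granted} for every runtime-permission line."""
    perms = {}
    for line in dump.splitlines():
        m = PERM_LINE.match(line)
        if m:
            perms[m.group(1)] = (m.group(2) == "true")
    return perms

def review(dump, expected):
    """Return (granted but unexpected, expected but not granted)."""
    perms = parse_runtime_permissions(dump)
    excessive = sorted(p for p, g in perms.items() if g and p not in expected)
    missing = sorted(p for p in expected if not perms.get(p, False))
    return excessive, missing

if __name__ == "__main__":
    excessive, missing = review(SAMPLE_DUMP, EXPECTED)
    for p in excessive:
        print("REVIEW: granted but not needed for the app's function:", p)
        # `pm revoke` withdraws a runtime permission over adb.
        print("  adb shell pm revoke com.example.photofilter", p)
    for p in missing:
        print("NOTE: expected permission not granted:", p)
```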

There is a lot of value in informing users of the real risks software can pose to data protection efforts, while staying true to the actual level of risk a threat poses and not being alarmist.

Questions about FaceApp or other risks different software could pose to yourself or your organization? Let’s talk.

About the Author
CBI | Cybersecurity Solutions
CBI Cybersecurity
CBI is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovative, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.