July 23, 2019
FaceApp: Keep Calm and Manage Permissions

“Oh no! Russians have managed to get their hands on thousands of US citizens’ data!” is the alarming headline we are seeing a lot right now on our typical feeds and social media posts. Is this grounds to sound the alarm and trigger incident response plans? Or is it just time to have a valuable discussion and reminder on privacy best practices in this day and age?

In the last week or so, an app called FaceApp has been making its rounds on social media sites and message lists. The core functionality of this app is to take a photo of yourself or whatever subject you snap a picture of and use AI to apply (very convincing) filters to make you look older, younger, happier, etc. Seems harmless, right?

The app is certainly a success, if success is measured in downloads. At the time of writing, Google Play is reading over 1.5 million downloads, and Apple’s app store is reading about 800k downloads. The concerns started once someone reported the developers are from Russia. U.S Senator Chuck Schumer said the app could pose “national security and privacy risks for millions of US citizens.”  However, FaceApp told TechCrunch it’s only keeping most images for 48 hours, and only images you select for filtering are uploaded in the first place. Geographically, data isn’t being sent to Russia either, FaceApp uses AWS and Google Cloud. The terms and service can seem alarming at first, but truth be told it’s really no more invasive than many other services and social media applications you may already use.

So, at this point I’d say there’s a very low risk of you waking up to find embarrassing photos of you and your loved ones leaked on 4chan, bank accounts drained, or to discover 3 mortgages were taken out in your name while you slept. However, this is an opportune time to talk about some best practices when using apps like this. Since Android 6.0 “Marshmallow” and for a while now on iOS, you can grant, deny and manage access to several permissions such as location, camera or microphone, among others. A strongly recommended best practice is to evaluate the risk an app could pose to your privacy and sensitive data on a permission by permission basis, considering the intended functionality of the app. FaceApp requiring temporary access to a camera to snap a picture seems to make sense, whereas the app asking for your exact location or your call logs should raise an eyebrow. Permissions management is an important way to limit your attack surface.

There is a lot of value in informing users and people of real risks software could constitute towards data protection efforts, while also trying to be true to the level of risk the threat poses and not being alarmist.

Questions about FaceApp or other risks different software could pose to yourself or your organization? Let’s talk.

About the Author
I Need To...