1

I know this was stupid, so I don't need to be told that...here goes:
I was at work and thought I was on 4G network on my Android phone but after sending a number of nude pics via a social media app and Gmail on my BYOD smartphone I realized I was logged in to the corporate WiFi network. Of course with my unique user name/password. I freaked out, logged right off and factory reset my phone. I'm obviously very worried. I was an idiot and will NEVER do this again. What is the chance that they would pick up on the fact that this type of image was being transmitted over their network--of course they have the ability to figure this out, but is it likely? I wasn't on a porn site, so hopefully no IP address to tip them off to look into my usage any deeper. I work for a large company.

The prior question that others have referenced did not deal with sending photos or illicit material, only with streaming Netflix.

qwerty
  • Which social media app? – Brian Duke Oct 24 '15 at 18:26
  • Grindr, lol... yeah, I know, don't need any chastising or the like. I'm aware. I'm an idiot. – qwerty Oct 24 '15 at 18:40
  • The prior question that others have referenced did not deal with sending photos or illicit material, only with streaming Netflix – qwerty Oct 24 '15 at 22:41
  • qwerty - this question isn't really appropriate for this site. A theoretical question about network monitoring would be fine but questions about this specific incident should be redirected to Grindr's support. Also, it looks like you already have your answer. Per @Herringbone_Cat's well-researched answer, it looks like your company *can* see that you were accessing the site and roughly how much data you were uploading and downloading but not what you were sending. We can't tell how much your company actually monitors so maybe they didn't notice anything. – Neil Smithline Oct 25 '15 at 16:43
  • Dear @Neil Smithline, I don't think this post and its content should be considered a duplicate, as you can see that it mentions the security condition of Grindr, not streaming Netflix. Yes, I cannot deny that people can contact and ask Grindr directly. But if that were the case, then everyone would just bring his/her question to the company, not this forum, because you can see that there are many questions where a very particular case or piece of software is discussed. – 匿名柴棍 Nov 16 '15 at 05:51

1 Answer

6

When connecting to a corporate network, wired or wireless, it's possible for their IT department to intercept your traffic and/or get details of what you're doing on the web -- but in BYOD environments, this possibility can vary greatly. Security varies widely, but there are intrusion detection systems, SSL interception (although this only works from corporate-managed devices), and DNS and traffic logs that might reveal what users have been doing on the internet.

Each individual app that you install will have different security standards, depending upon the app vendor's practices. In this case, you identified Grindr in the comments as the app.

A quick web search reveals an evaluation of Grindr security: https://www.os3.nl/_media/reports/grindr.pdf in which you'll find that Grindr does in fact use SSL/TLS for its connection to the Grindr server, where all data is sent/received from (including pictures). Since your smartphone is BYOD, it likely doesn't have corporate master SSL certificates installed. In this case, your employer cannot intercept the SSL traffic. However, if your employer has installed an app to manage your phone or otherwise enforce BYOD policy, this might not be the case. Thus, based on the information you provided, it seems that your connection to Grindr and the data you sent/received is likely secure.

However, your DNS queries and the IPs of the Grindr webservers may be flagged, or website information derived from the SSL certificate exchange before communications are encrypted, so it's possible the employer may (through use of IDS or other sophisticated security apparatuses) know you had been using Grindr, but not what you had sent/received, or what your login information is etc.

So, it may be possible that the corporate network knows you're using Grindr, but likely not your naughty pictures or any other information.

Herringbone Cat
  • If this is the case, I am okay. I don't think merely using Grindr would be viewed as so horrible, it's the images that I'm very worried about. I sent similar images that day over Gmail as well. Would this fall into the same category (except more benign since it's only Gmail and not Grindr)? – qwerty Oct 24 '15 at 19:08
  • GMail does in fact enforce TLS as well (https) -- but the question becomes did you do so on your smartphone, and does that smartphone have any corporate management apps installed? If you did use your phone, and it doesn't have apps installed, it's probably secure and not vulnerable to corporate eavesdropping. If you used a corporate desktop, or there's some app installed on your phone for management, then it may not be secure. – Herringbone Cat Oct 24 '15 at 19:10
  • There is no corporate app on the phone. Also, not sure if it matters, but the Gmail was via webmail, not an email app. – qwerty Oct 24 '15 at 19:15
  • +1 @qwerty the only thing they can see, if they were interested, would be that you connected to those services, not the actual content. In the case of Gmail they use end to end encryption regardless of the platform. – Brian Duke Oct 24 '15 at 22:49
  • Thank you guys. I am extremely relieved. Lesson learned! – qwerty Oct 24 '15 at 23:01
  • Hi Herringbone_Cat, thank you for your informative answer with evident study. However, because the study was done in 2013, there are some points that I also want to discuss to make the issue clearer for the current security condition in Grindr, and thus help @qwerty understand his problem more comprehensively. – 匿名柴棍 Nov 16 '15 at 05:43
  • First, you wrote that: Grindr does in fact use SSL/TLS for its connection to the Grindr server, where all data is sent/received from (including pictures) --> To some extent, I agree that Grindr uses SSL/TLS to encrypt its connection, but not all. And, unfortunately, it does not include pictures, more specifically the profile picture of the user. I searched on Google and found that there is a recent study about this Grindr app. Here it is: “Your Neighbors Are My Spies: Location and other Privacy Concerns in Dating Apps” URL:[goo.gl/k9jCy5]. – 匿名柴棍 Nov 16 '15 at 05:44
  • I have not gone completely through the paper but it seems to have shown that Grindr does not encrypt the pictures. Therefore, if @qwerty uploaded his picture, and set it as his profile picture, the company (if they want to) can definitely recover the uploaded picture from their logged packets. – 匿名柴棍 Nov 16 '15 at 05:44
  • For discussion about DNS and IP of Grindr, I agree that the information can also be exploited to trace qwerty's use of the app. However, one more possible and easier way is to find the use of the app by searching for the "string: Grindr" in the packets logged by the company. As you all may know, all apps nowadays come with ads. Sadly, those ads leak your private information, including the apps that you are using, because they do not encrypt the packets sent to the ad provider's server. It's also proved in the paper I mentioned above. It's exactly the case of qwerty, where Grindr is examined. – 匿名柴棍 Nov 16 '15 at 05:45
  • In sum, instead of making qwerty’s issue more serious, I just want to make it clearer and let qwerty know what security risk he is really facing. So sorry for a series of comments, but I cannot add my answer as usual since this question has been marked as duplicate, although I think it's not a duplicate at all. Good luck! – 匿名柴棍 Nov 16 '15 at 05:46