0

I have a Samsung S8+ and when I'm in the office, I often will log in to the internal WiFi to listen to the Pandora app or play the Netflix app in the background. We actually have 2 Wi-Fi connections we can log in to - one is for guests and the other is for the employees, which takes our login and password to connect. I use the internal access, as do many others, because the guest access doesn't allow streaming but the internal does.

Since I am logging into the network, is my employer able to see everything else going on in my phone? I ask, only because I have a lot of apps on my phone that while I am not on them, they always seem to be "on" anyway, like Facebook, Chase mobile app, Yahoo mail app, the internet app, etc. I don't want my employer to think I'm on these apps all day, when all I truly have running is Pandora or Netflix.

Also, if those apps are running in the background, can my employer look into them? For example, can they get into my Yahoo mail and start reading emails, or see what I have posted on Facebook or any websites I visit? If I post on a forum, like this one, that I hate peaches (just an example), can they see word for word what I wrote?  Also, if I do access these apps, its only during lunch.

Lastly, there is no software from my employer downloaded on my phone. They wanted us all to do that in order to reimburse us for business calls we make in the field, but i said no way - a $20 stipend per month wasn't worth it to me.

Thank you for any help you can give me.

DaffyGoob74
  • 1
  • 1
  • 1
  • 2

3 Answers3

1

First, let's talk about HTTP vs HTTPS.

HTTP vs HTTPS

Say you visit cutefluffyanimals.com/hairless-mole-rats and post about your unholy fascination with the critters. This web request breaks into (simplified, please correct in comments if simplified too much or wrong):

host: cutefluffyanimals.com
resource: /hairless-mole-rats
POST content: "They're just so pretty..."

If you visit http://... then the above will pass over your employer's routers in plaintext and in theory they can see all of it in their logs. But if you visit https://... then the host: remains in plaintext (because routers across the internet need to know where to send it to, like the address on the outside of an envelope), but the rest is encrypted from your phone all the way to the cutefluffyanimals.com server.

So for stuff sent over HTTPS, they (could) see the sites you visit, but not which pages, or what you did on those pages.

What does this mean?

Let's deal with the easy one first:

can [my employer] get into my Yahoo mail and start reading emails, or see what I have posted on Facebook or any websites I visit? If I post on a forum ... can they see word for word what I wrote?

No, no, maybe, and probably not.

If you are careful to always use https://... then you're generally safe. They will not be able to sniff your Yahoo password, or see what you did on facebook. But they will be able to see that you visited mail.yahoo.com, facebook.com, streaming,netflix.com and how often / how much traffic you had there.

Similarly, your background apps are probably chattering away (ie "phoning home"), so your device is probably opening connections to chase.com, etc. If they apps are programmed properly, then they will be phoning home over https, so in which case your employer probably does have enough information to profile which apps you have installed on your device, but can't see the content. If the app is badly written then they can see the content too. Sadly you really have no control over this.

Lastly, there is no software from my employer downloaded on my phone. They wanted us all to do that in order to reimburse us for business calls we make in the field, but i said no way - a $20 stipend per month wasn't worth it to me.

Yup, good. I personally did the same. My company wanted me to install a webmail app as a Mobile Device Manager (MDM) - ie root access- in order to access corporate email on my BYOD device and I said "cool, looks like I'll only be answering emails during business hours then".

The dangerous thing is if they install a https certificate onto your device, then they have the ability to intercept and inspect https traffic and everything I said above is shot out the window.

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • Okay, thanks. Now I'm worried they'll see all the stuff I posted to a mom's forum I belong too, even though I don't access the site at work - the webpage is usually open within the internet app I use, which never is truly "closed". I don't want them thinking I'm getting into heated debates with other moms about kneeling NFL players on company time, lol. – DaffyGoob74 Sep 26 '17 at 01:30
  • I have same question. My company used to be using guest wifi to connect any personal device. I use my laptop which is fine. Now the company changes the wifi policy, they want use login in the wifi with the Windows Credential. I don't know any difference? – Hello Mar 01 '20 at 14:45
1

Since I am logging into the network, is my employer able to see everything else going on in my phone?

They can see which domain / IP address you are browsing. The bandwidth you consume. They can guess which service you use by knowing the destination port. They are not, or should not be able to intercept your traffic if it's encrypted.

For example, can they get into my Yahoo mail and start reading emails

yahoo

See the Secure https ? It means that reading your traffic is something that cannot be easily done. Keep in mind that if the traffic is encrypted you should be safe.

Lastly, there is no software from my employer downloaded on my phone. They wanted us all to do that in order to reimburse us for business calls > we make in the field, but I said no way - a $20 stipend per month wasn't > worth it to me.

Good thing that you refused. The following is an opinion based statement but try to keep away from your employer homebrewed applications on your personal devices. (it can let them break into your privacy)

Baptiste
  • 1,643
  • 10
  • 20
0

While the other answers are fairly detailed, I will offer a fairly simplified answer.

Mobile devices wouldn't be where they are currently if it wasn't for "always available data". This means many applications are designed to work when you step outside, take a ride on the bus, or are casually sitting at home. Many make requests for data even if they are not actively open.

To most users, this doesn't make any difference. WiFi is WiFi, mobile data is kind of the same thing just "outside". As mentioned before, as many applications are designed to work with "data always on", they request data in the background. This background data can be profiled to determine:

  • What applications are being used on the device.
  • At what time the requests were made.
  • How many requests were made.
  • To what website/server the requests were made to.
  • (Potentially) What data was sent and received.

Truth be told, it can have impacts on your privacy which data connection you opt to use.

Due to design decisions made by Google and Apple, it is not clear how your data is handled in the background. It is fair to assume that best practices are followed in application designs (such as the Yahoo mail app you describe), and ultimately the OS as well (Android/iOS).

It would be fair to assume in this day and age that enterprises have the ability to perform man-in-the-middle "attacks" to view encrypted data. Below is a screenshot of Microsoft's TMG:

Microsoft's TMG

EDIT: While I do make it sound somewhat scary, I should point out it is best to consult company policy (especially the "Acceptable Usage Policy") to determine what activities are recorded, and which ones are not.

dark_st3alth
  • 3,052
  • 8
  • 23