Workplace Apps Collect and Share 19 Data Points per User, Exposing Sensitive Info to Third Parties
What Happened – Research by Incogni analyzed ten of the most‑used workplace mobile apps on Google Play and found that they collect an average of 19 distinct data points each and share an average of two data types with external parties. Gmail, Microsoft Teams, Zoom Workplace and Notion are among the top collectors, and Notion forwards eight data types to advertising partners.
Why It Matters for TPRM –
- Un‑vetted data flows increase third‑party exposure risk for any organization that permits personal or corporate‑level apps on employee devices.
- Shared data includes employee email addresses, IDs, location and workspace content that can be leveraged for profiling, phishing, or compliance violations.
- The lack of a user‑initiated deletion option in Workday highlights potential retention‑policy gaps that may conflict with GDPR and other privacy regimes.
Who Is Affected – Enterprises across all sectors that allow mobile use of Gmail, Microsoft Teams, Zoom Workplace, Slack, Notion, Outlook, Trello, Todoist, Workday, or similar SaaS productivity tools.
Recommended Actions –
- Conduct a data‑flow inventory for all sanctioned workplace apps and map outbound data categories.
- Review vendor privacy policies and data‑sharing agreements; negotiate limits on advertising‑related sharing where possible.
- Enforce mobile‑device‑management (MDM) controls to restrict app permissions (e.g., precise location, device IDs).
- Verify that vendors provide a clear, actionable data‑deletion mechanism; consider alternatives for apps lacking this capability.
Technical Notes – The study leveraged Google Play metadata (download counts, declared permissions) and vendor privacy statements. No specific CVEs were cited; the risk stems from intentional data collection and third‑party advertising integrations.
Source: Help Net Security