Should you be concerned about the security of FaceApp?

FaceApp, the AI-powered picture-editing program, is trending in social media. We’ve all seen the pictures of celebrities using FaceApp to make themselves look older or younger.

However, security experts are concerned about the possibility that the app could access more than pictures. Many users don’t realize that the app, owned by an overseas company, doesn’t process the pictures on your phone. Instead it uploads your photos to its own server and manipulates it there.

Personal data is considered the new “Oil.”

User discretion is advised. When you allow any app to accurately map your face, this data can be collected and sold to generate revenue. This data can be used for facial recognition and tracking through unsecured cameras or targeted marketing at stores and the possibilities are endless.

In their privacy policy, Faceapp actually says that they “may use information” they receive to “provide personalized content & information to you and others, which could include online ads or other forms of marketing.” So it’s safe to assume that they are collecting data.

Concerns about FaceApp’s Terms of Use & Permissions 

When you accept the FaceApp’s terms of use it gives their developers the right to use your selfies, name, likeness, voice or, persona for commercial purposes. It also has a statement covering privacy laws of EU & US and states that they may transfer information to other countries & jurisdictions.

Using the app also grants the program permissions, to access in-app purchases, photo & media files, device storage and your camera. These features have been considered suspicious and excessive for a simple photo editing app. Security advisers are also worried about the possibility of the app to take any image from your library or, randomly turn on your camera & take pictures/videos or, access data on your device storage.

Also, under “Other” permissions, using the app, grants additional permissions for receiving data from the internet which could be a malware payload, viewing network connections and giving full network access and prevent the device from sleeping.

Behavior tracking concerns

Another feature that is causing concern is found in their privacy agreement that says “A device identifier may deliver information to us or to a third
party partner about how you browse and use the Service and may help us or
others provide reports or personalized content and ads.”

The device identifier on your smart phone is the easiest way to identify you and allows them to track certain user behavior.

FaceApp responds to privacy concerns

In a statement first reported by Techcrunch, Faceapp says, “We might store an uploaded photo in the cloud. The main reason for that is performance and traffic: we want to make sure that the user doesn’t upload the photo repeatedly for every edit operation. Most images are deleted from our servers within 48 hours from the upload date.”

They go on to say, “We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using “Settings->Support->Report a bug” with the word “privacy” in the subject line. We are working on the better UI for that.”

The Security Advisers at Accorian recommend that users exercise caution while using this application. 

If you are concerned about the app having access to your data, you can change the permission settings on your smart phone or you can just delete it.

Feel free to contact Accorian if you have any questions about this application. 

How can your company prevent a data breach through a third-party vendor?

Companies of all sizes are doing a good job beefing up their cybersecurity and that’s great. But… many are forgetting an often overlooked target – their third party service providers.

Any company that uses a third-party CRM software or an outside a server with access to sensitive or confidential data, could be risking a data-leak. Investigating the security of your third party provider is extremely important.

In February 2018, security researchers reported that a Walmart third-party vendor Limogés Jewelry exposed confidential data, emails and passwords for over 1.3 million customers. That data also included records for retailers such as Amazon, Overstock, Sears, Kmart and Target.

Most companies are not prepared for this type of breach and have a tough time understanding their third-party vendor risk because:

  1. They don’t have the staff to review all their third-party vendors.
  2. They may not know who all their third-party vendors are.

Surprisingly, the move to SAAS (Software as a Service) tools/platforms has, in some ways, reduced the security posture of some companies. SAAS tools allow third party providers to host applications on the internet so they are readily available for customers. Since it’s “easy” as using a credit card to buy a new SAAS tool, the number of third-party vendors has increased.  For example, if different departments in a company aren’t getting what they need from the internal technology team, they could purchase a third-party solution and send their data to the vendor. 

However, before you know it, the company’s data has been sent to multiple vendors who have very different security postures, or they may not be as secure. 

In 2018, Ticketmaster had a security breach when the third-party support chat tool they were using was hacked and attacker exploited its vulnerabilities. 

So how can your company prevent a data breach through a third-party vendor? 

  1. Educate and train your staff about your company’s vendor evaluation process.
  2. Review the security measures of the vendors and understand the data and the amount of access they will have. 
  3. Ensure Compliance – If your company must meet a compliance standard e.g. GDPR, HIPAA, PCI then verify that your vendor also has the same compliance and certifications in place. All companies will claim to be secure but if they are certified it means they went the extra step and invested in their security. If possible, look for companies that are SOC-2, HITRUST certified.
  4. Keep a record of all third-party vendors and review them often.

Remember you are only as strong as your weakest link and not knowing about the link doesn’t really work as a security strategy.

Think about your own company, what’s your CRM solution? Who is your vendor for billing and payroll? Does your email provider have strong privacy policy and security measures in place?

At Accorian, we have helped companies of all sizes answer those questions by providing them with a security roadmap that successfully managed the risk of their third party vendors.

We can provide the same services to your company, so contact us today and let’s get started.

    Ready to Start?

      Download Case study

        Download Guide

        Human Resources Director

        Posted On: 09 May, 2022

        Drop your CVs to

          Interested Position

          First Name

          Last Name


          Total Experience

          Mobile Number

          Upload Resume