On March 31, 2026, the FBI's Internet Crime Complaint Center (IC3) issued Public Service Announcement I-033126-PSA warning about the data security risks of foreign-developed mobile applications, with a specific focus on apps developed by Chinese companies operating under China's national security laws.
This isn't a hypothetical threat or a policy debate. It's a formal warning from the FBI that some of the most popular apps on your employees' phones may be actively harvesting data from their entire device — including your corporate contacts, emails, and files.
What the FBI Found
The core of the warning is straightforward: certain foreign-developed apps request permissions far beyond what their functionality requires, then use that access to collect data from across the device — not just within the app itself.
Excessive Permission Harvesting
Apps request broad access to device data that has nothing to do with their core function. Default permissions allow developers to harvest complete contact lists — names, email addresses, phone numbers, and physical addresses — from the entire device.
If an employee has your company directory synced to their phone, every client contact, every vendor, every internal team member's information is potentially accessible.
Persistent Data Collection and Storage
The FBI warns that the data collected isn't confined to the app's own sandbox: it is gathered from across the device and stored indefinitely on servers located in China. This isn't temporary caching — it's permanent exfiltration of your business data to servers governed by Chinese national security laws.
Malware and Backdoor Risk
The FBI specifically warns that malicious code could be embedded in these apps, enabling data collection beyond what the user authorized. Backdoors can be installed silently, turning a personal device into a persistent surveillance tool.
Why This Matters More for Businesses
The FBI's warning is aimed at all U.S. consumers, but the implications for businesses are far more severe. Here's why:
- BYOD is everywhere. Most small and mid-size businesses allow employees to use personal phones for work email, Teams, and file access. That personal phone with a foreign app now has access to your Microsoft 365 data.
- Contact sync is the silent leak. When an employee syncs their work email to a personal device, the Outlook contact list — including every client and vendor — becomes available to any app with contact permissions.
- Compliance exposure. If you're in healthcare (HIPAA), legal (attorney-client privilege), financial services (GLBA/FTC Safeguards), or handle government contracts (CMMC), data exfiltration to foreign servers is a compliance violation that could trigger enforcement actions.
- No visibility. Without mobile device management (MDM), you have zero visibility into what apps are on employee devices accessing your data.
What You Should Do Right Now
The FBI recommends individuals disable unnecessary data sharing and read terms of service. That's good advice for consumers. For businesses, you need a stronger response:
1. Deploy Mobile Device Management (Intune)
Microsoft Intune lets you enforce app protection policies on any device that accesses your Microsoft 365 data, personal or corporate. You can block data sharing between managed apps (Outlook, Teams) and unmanaged apps, require encryption of corporate data at rest, and remotely wipe corporate data if a device is compromised.
2. Create an App Protection Policy
Even without full device enrollment, Intune's App Protection Policies (MAM without enrollment) can prevent corporate data from being copied, shared, or backed up to unauthorized locations. This is the minimum viable protection for BYOD environments.
3. Block Third-Party App Stores
The FBI specifically warns about the elevated malware risk of third-party app stores. On managed devices, restrict app installation to the Apple App Store and Google Play Store.
4. Review Conditional Access Policies
Use Conditional Access in Entra ID to require device compliance before granting access to corporate resources. Non-compliant devices — including those with known risky apps — can be blocked from accessing email, SharePoint, and Teams. Keep in mind that compliance can only be evaluated on devices enrolled in Intune; for unenrolled personal devices, use the "Require app protection policy" grant control instead, so the policy from step 2 becomes a condition of access.
5. Educate Your Team
Share the FBI's announcement with your staff. Most employees don't realize that a casual app download can expose corporate data. Make the risk concrete: "That free app you downloaded last week can read every contact in your work email."
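To find out whether the controls in steps 2 and 4 are actually switched on, here is an added PowerShell audit script. It is not from the FBI announcement or from Microsoft; it was written for this post as an example. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the read-only scopes it requests, and it uses the Graph v1.0 property names for iOS/Android app protection policies and Conditional Access policies.

```powershell
# Added example: tenant audit for the controls recommended above. Not part of the
# FBI announcement or any Microsoft documentation; assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All', 'Policy.Read.All' -NoWelcome

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so large tenants are fully enumerated.
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Step 2: App Protection Policies (MAM). Without one per platform, Outlook and Teams
# data on BYOD phones can flow into any app that asks for it.
$base = 'https://graph.microsoft.com/v1.0'
$found = 0
foreach ($platform in 'iosManagedAppProtections', 'androidManagedAppProtections') {
    foreach ($p in (Get-GraphCollection "$base/deviceAppManagement/$platform")) {
        $found++
        $gaps = @()   # settings that still let corporate data leave managed apps
        if ($p.allowedOutboundDataTransferDestinations -ne 'managedApps') { $gaps += 'outbound data transfer not limited to managed apps' }
        if (-not $p.dataBackupBlocked) { $gaps += 'backup to iCloud/Google allowed' }
        if ($p.allowedOutboundClipboardSharingLevel -eq 'allApps') { $gaps += 'clipboard open to all apps' }
        if (-not $p.isAssigned) { $gaps += 'policy not assigned to any group' }
        $status = if ($gaps) { 'WEAK: ' + ($gaps -join '; ') } else { 'OK' }
        Write-Output ('[{0}] {1}: {2}' -f $platform, $p.displayName, $status)
    }
}
if ($found -eq 0) { Write-Warning 'No App Protection Policies exist: BYOD data in Outlook/Teams is unprotected.' }

# Step 4: Conditional Access. Look for an enabled policy whose grant control requires a
# compliant device (enrolled) or an app protection policy (unenrolled BYOD).
$ca = Get-GraphCollection "$base/identity/conditionalAccess/policies"
$enforcing = $ca | Where-Object {
    $_.state -eq 'enabled' -and (
        $_.grantControls.builtInControls -contains 'compliantDevice' -or
        $_.grantControls.builtInControls -contains 'compliantApplication')
}
if ($enforcing) {
    foreach ($c in $enforcing) {
        Write-Output ("Conditional Access OK: '{0}' requires {1}" -f $c.displayName, ($c.grantControls.builtInControls -join ', '))
    }
} else {
    Write-Warning 'No enabled Conditional Access policy requires device compliance or an app protection policy.'
}
```

A "WEAK" line or either warning means the tool is licensed but not doing the job described above; the policy checks are deliberately read-only so the script is safe to run before any change window.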
The Bigger Picture
This FBI warning is part of a broader pattern. Foreign-developed apps operating under authoritarian data access laws represent a persistent, systemic risk to U.S. businesses. This isn't going to be resolved by a single policy change or app ban — it requires ongoing vigilance, proper device management, and security controls that protect corporate data regardless of what's installed on a personal device.
The good news: the tools to protect yourself already exist in your Microsoft 365 subscription. Intune, Conditional Access, App Protection Policies, and Compliance Policies are included in Microsoft 365 Business Premium and E3/E5 licenses. Most businesses already own these tools — they just haven't turned them on.
"The FBI warns that all individuals downloading and using foreign-developed mobile applications in the United States are at risk." — FBI IC3, PSA I-033126-PSA, March 31, 2026
If you're not sure whether your Microsoft 365 environment is protected against mobile data leaks, we can tell you in 15 minutes.
Is your business data leaking through employee phones?
Our free 84-point Microsoft 365 security assessment checks your Intune policies, Conditional Access rules, and device compliance settings. Find out where you're exposed.