So what exactly are the dangers of consumer (i.e. free) apps? And what do enterprise-grade apps provide that the free apps don’t? When your end-users want to download a consumer app and start using it, it isn’t always clear what extra benefits enterprise-grade apps provide, so here we compare the two.
First a note about Encryption
Free apps have encryption, and so do enterprise apps. But there is much more to security than encryption. Encryption is (or should be) a given; it is rarely the weakest link, and therefore rarely the attack vector. The dangers in using free apps for business revolve far more around how your sensitive data is managed, where it goes and who has access to it.
Secure Numbers
Consumer apps need a GSM number to use as the ‘secure number’. This number is used to send activation codes in clear text via an SMS message. SMS is easy to intercept, so the security can be compromised before it is even activated.
Enterprise apps can use GSM numbers as the secure number too, or a randomly assigned number for the ‘secure number’. But activation is NOT via an insecure SMS; it can be via a variety of secure activation methods, so it is very much harder to compromise.
Armour Mobile
We are able to utilise existing GSM numbers, or use another ‘secure number’. The process for activation and provisioning of Armour Mobile can be designed around the user’s specific requirements, using secure activation methods.
Harvesting your data
Consumer apps run on the vendor’s infrastructure only, and even if the content is protected, the metadata of each call or message is visible to the vendor. This can be cross-matched with other user IDs owned by the provider to build up a detailed picture of user habits, geo-location, and common friends/contacts, which can be used for profiling and targeted advertising, or sold to third parties for a similar purpose.
Enterprise apps run on a subscription business model, so there is no need to harvest user metadata in order to make a profit. Serious cyber security vendors have no interest in selling data or advertising; their emphasis is on security and on maintaining their credibility and brand value.
Armour Mobile
As well as our secure Cloud option, for fast provisioning, Armour Mobile is also available as an ‘on-premises’ option, meaning that not only is the content of the calls/messages secure, but nobody outside of the organisation has access to the metadata. This ensures complete security and privacy regarding when, where and who users are communicating with.
Sharing your Contacts
Consumer apps typically upload users’ native contacts list to their global database upon activation. This enables them to cross-match friends/contacts so that the user knows who else is using the same app. While this is certainly very user friendly, it does mean that the vendor has your GSM number, and also those of all your contacts, for potential marketing purposes. All of those users will also have had their details cross-matched to their social media profiles, so that the vendor can start to build up really detailed knowledge of the user, their contacts, what they like, and what they look like. Yes, we are talking facial recognition here!
For more detail on this worrying scenario, read our blog Whose list are you on?
Enterprise apps do NOT need to upload the native phone directory.
Armour Mobile
With Armour Mobile you are able to import a bespoke directory of secure contacts for your users. In some cases real time integration between the app and the organisation’s internal Active Directory is possible. For certain public sector/government organisations there is also the option to link to address books of other departments that are also using Armour Mobile.
Securing your Communities
Consumer apps run on the vendor’s cloud and work in a single global group community where anyone can call anyone whose number they know. This is great for private communication between friends, but it is less than ideal for enterprise users. Furthermore, it can put users at risk of phishing scams sent from within the messaging app, which can be perpetrated by anyone who has access to a list of valid GSM numbers, whether obtained legally or from the dark web.
Even when running in the ‘cloud’, enterprise apps can offer cryptographically segregated user groups or ‘communities’ that are ring-fenced from all other user groups.
Armour Mobile
We are able to offer the option for different communities to be white-listed, enabling communication between communities for collaborative working purposes. For on-premises installations, communities can be used to offer segregation between different departments or user groups, for increased security.
Third party certification
Consumer apps are rarely, if ever, subject to any independent certification of their security procedures.
Good enterprise apps are certified by Government cyber security experts or international bodies such as NATO.
Armour Mobile
Built on a FIPS 140-2 validated crypto core, Armour Mobile has also been awarded many other certifications, including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC), and is included in the NATO Information Assurance catalogue.
Intelligent Support v Automation
Consumer apps typically have no human interaction during the activation process, which means no voice on the end of the phone for technical support if required.
Enterprise apps usually have an account manager assigned during the sales and trial process, with a technical support email and phone line available after the sale. This is invaluable if, for example, a board level exec, senior manager or VIP user is having issues that need resolving quickly.
Armour Mobile
We provide a range of support services that enable organisations to be up and running with Armour Mobile secure communications within hours for our Cloud solution. We are also able to provide bespoke solutions tailored to specific high security requirements, based on individual use cases.
Management of sent and received files
Some consumer apps store sent and received files on the mobile device’s SD card, unencrypted, and then don’t delete them later. Sometimes this is the case even when the delete option has been set. The files may remain, in unencrypted form, even if the app is uninstalled.
Enterprise apps that focus on security keep sent and received files encrypted, only exposing them in unencrypted form to be read briefly by the third-party viewer that displays them. Any such files are then removed as soon as the user has finished viewing them.
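To make that lifecycle concrete, here is an added illustration in Python (not Armour Mobile’s code, nor code from the page): attachments are stored encrypted, decrypted into a private temporary file only for the duration of viewing, then scrubbed and deleted, and a residue check confirms no cleartext copy survives. The hypothetical `AttachmentStore` uses a stand-in HMAC-SHA256 counter-mode cipher so it runs with the standard library alone; a real app would use AES-GCM from a vetted library.

```python
import hashlib, hmac, os, tempfile
from contextlib import contextmanager
from pathlib import Path

# Illustrative encrypt-then-MAC built from the standard library only: the keystream is
# HMAC-SHA256(key, nonce || counter) in counter mode, and a separate HMAC tag
# authenticates nonce + ciphertext. A production app would use AES-GCM from a vetted library.
def _keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AttachmentStore:
    """Attachments are encrypted at rest; plaintext exists on disk only while being viewed."""
    def __init__(self, root, key):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.enc_key = hashlib.sha256(b"enc" + key).digest()  # separate keys for cipher and MAC
        self.mac_key = hashlib.sha256(b"mac" + key).digest()

    def put(self, name, data):
        nonce = os.urandom(16)
        ct = _keystream_xor(self.enc_key, nonce, data)
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        (self.root / (name + ".enc")).write_bytes(nonce + ct + tag)

    def _decrypt(self, name):
        blob = (self.root / (name + ".enc")).read_bytes()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("attachment tampered with or wrong key")
        return _keystream_xor(self.enc_key, nonce, ct)

    @contextmanager
    def view(self, name):
        # Decrypt into a private temp file for the external viewer; scrub and delete it
        # afterwards even if the viewer fails, so no cleartext copy is left behind.
        fd, path = tempfile.mkstemp(dir=self.root)
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(self._decrypt(name))
            yield path
        finally:
            with open(path, "r+b") as f:  # best-effort overwrite before unlink
                f.write(b"\0" * os.path.getsize(path))
            os.remove(path)

def plaintext_residue(root, needle):
    """Defender check: names of files under root that still contain the secret bytes in clear."""
    return sorted(p.name for p in Path(root).iterdir() if needle in p.read_bytes())
```

Running the residue check on a real device after “delete” and after uninstall is exactly the test that the consumer apps described above would fail.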
Armour Mobile
All files are kept encrypted, with data encrypted at rest as well as in transit. In addition, Armour Mobile will not run on a jail-broken phone, meaning that the security checks performed by the app stores and the native built-in security remain intact. Armour Mobile also isolates the microphone to prevent data leakage.
In Summary
When dealing with sensitive business communications of any type (voice, message, text, video, attachments) you need to be sure of exactly where your data and metadata are going, and who can see them. You also need to think about what other information you may be giving away, for example your contacts list, and other personal information from social media that can be used for profiling.
And one final thought – if you don’t want the world and his wife to see your corporate communications, you need to use an enterprise-grade app, like Armour Mobile, rather than a consumer app downloaded for free. In this instance, you really do get what you paid for.