The old adage ‘You get what you pay for’ has never been more true when it comes to cyber security, and messaging apps. We are reminded once again, by the latest Appthority Pulse Report that chat apps are amongst the most popular and yet most risky and blacklisted apps in the Enterprise.
The report, which was published a week or so ago, looks at the most common iOS and Android apps in use within enterprises, and the apps most commonly blacklisted by enterprises.
The report states that WhatsApp Messenger and Facebook Messenger are the top two most risky apps found in the enterprise for both iOS and Android devices.
Risky Apps Proliferate by Stealth
The issue for many enterprises is that these apps can appear by stealth. It all starts off innocently enough, people use these free, social media messaging apps for organising their personal lives. Then it slips into use with people from work, and the temptation is to use the same apps for business as you do in other aspects of your life because it is so easy. Before you know it meetings are being arranged and sensitive data being shared on an app owned by a multi-national social media company that could very well be sharing (or selling) your metadata, for profit.
And as a quick reminder as to why these apps are so risky to the enterprise…
Susceptible to the SS7 hack
While WhatsApp uses the respected Signal protocol for its encryption, it is susceptible (like similar applications) to attacks, using flaws in SS7 that allow an attacker to mimic a victim’s device. WhatsApp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of vulnerabilities in that system (many of which have been known about for years – giving the criminals plenty of time to hone their skills!). Hackers can take on a victim’s WhatsApp identity and send and receive messages to other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.
Makes you think again about how you arrange meetings with an important client, maybe for contract negotiations. Some of our clients have been victims to industrial espionage and lost contracts worth hundreds and thousands (and more!), and now only use secure methods, such as Armour Mobile. for communicating sensitive client information.
Insecure Authentication
Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. This vulnerability is equally true for any app that uses this form of authentication including Telegram, Viber and many other apps.
For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.
GDPR – So what?
We might have GDPR, but that only covers Europe, and there are plenty out there that want your data for nefarious reasons, and won’t be worried about legislation. Even when a service claims that it has no access to your encrypted data, it still has access to ‘metadata’, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a large social media company.
You get what you pay for
With any free app you don’t really know who has access to your information. And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.
If you would prefer that your sensitive corporate conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it.
AND you need to educate your staff so that they are not using insecure apps ‘under the radar’.
Take the plunge and ban risky consumer apps
The Appthority report states that the top blacklisted apps within enterprise are WhatsApp Messenger and Facebook Messenger, followed closely by Wickr Me and Tinder! Only last month the FT reported that car industry supplier Continental had banned WhatsApp and other social media apps due to concerns about privacy. So don’t be shy, you won’t be alone in banning these apps in your organisation. Your sales guys may even thank you for it, particularly if you are able to provide them with something equally engaging and easy to use – such as Armour Mobile!
Contact us today and try it out for yourself.