image not found image not found
image not found
image not found

Free Messenger App Security Flaws: Improve security & privacy with strong authentication

05 Nov 2020 | Enrique Pena & Michael Caro

The number of global data breaches has skyrocketed in the past few years, leading to an uptick in identity theft, account takeovers, and the leaking of business secrets. In many of these cases, the method of attack has been through the vulnerabilities exposed in popular consumer-grade messenger apps. Why? Because your IT team cannot securely manage them, especially who you are communicating about your business with. When users are not managed, anybody with a phone number can be added to a WhatsApp group chat. Let’s discuss why user administration and strong identity authentication is critical to your business.

When choosing a messaging service, organisations need to make sure that these business-critical tools are granted only to authenticated users, users who are trusted and verified to really be who they say they are. Popular and ubiquitous messenger apps such as WhatsApp do not offer user authentication and do not provide a user management mechanism. An organisation that uses an app such as WhatsApp cannot manage who participates in a chat session and cannot control what is discussed and shared.

How do you verify the identity of a user?

The core question, even with end-to-end encrypted messaging, is how do I know a person is who they say they are? Accessing a digital service does not necessarily mean that the subject’s real-life identity is known. The premise of security and privacy by most popular messenger apps go out of the window if the wrong people can access the service or the device running it, gain access to chat groups and be privy to your business secrets.

Strong authentication is crucial to verify the identity of a user. It needs to be intrinsically strong enough to ensure the security of the communications you are looking to protect. Strong authentication consists of policies, standards, software and sometimes even hardware that manage the creation, distribution, revocation and administration of access to the service. These are features that are not available in consumer-grade messaging applications.

The heart of a secure and private messenger app is a trusted entity or mechanism that ensures the trustworthiness of its users and enables people to have trusted digital identities. The messenger app service needs to provide a mechanism that verifies the identity of users and allows the granting of secure access to the messenger app for individuals who are properly vetted. The security industry has a vital role in satisfying this need.

Who really has access to your company secrets?

From an IT perspective, an organisational communications system based on WhatsApp groups is a nightmare to manage. The IT team can never have an overall picture of which groups actually exist and who their founders and members are. When a group founder leaves the company, it is not possible to transfer ownership of a group to another individual because the group is always owned by the person who founded it. There isn’t even a mechanism to have the founder of the group removed; they can only resign themselves from the group.

In a WhatsApp chat group, there may be members who should not be there. A wrong person can have accidentally been added to a team chat group. A person who no longer needs to have access may continue accessing the chat group, or a person who has changed jobs may be overlooked and not removed from the chat group.

Another serious limitation with messenger apps like WhatsApp (which is owned by Facebook), is that they cannot be integrated with your organisation’s enterprise user management system. Its access control is based solely on the manual work of independent group administrators. User rights management is based on phone numbers and not on strong authentication, and there is no way to restrict the addition of users. Your organisation does not have knowledge of which groups are on your staff members’ phones nor what is being discussed in them. Only the group administrator can add a person to the group they manage. Anybody with your phone number and the phone numbers of your colleagues can establish a legitimately-named, but fake, chat group, collect content and phish your staff’s names and business details.

Whose cloud are your communications stored in?

The risk encountered when using consumer-grade messaging apps is the spread of information and documents to channels the organisation has no control over. As an example, versions of product designs and other confidential documents can be distributed in chat groups that your business has no knowledge of. The mere fact that your organisation’s files are uploaded to iCloud, Facebook or Google Cloud is also problematic. In addition, users routinely store important documents and pictures on their own phone or computer that are likely to remain on these devices until the user acquires a new device.

The popularity of WhatsApp with friends, family and hobby groups is probably one of the reasons why so many organisations have work-related WhatsApp groups. In many organisations, the use of WhatsApp may already have some history, and it may not be easy to transition to a secure and private solution. Restricting the use of WhatsApp may also prove to be difficult because there may be good reasons for its use (even if only on a separate work phone). Businesses must replace consumer-grade messaging applications with secure and private alternatives, and should be used in all business-related groups. In small organisations, consumer-grade messengers and manually granting chat group access may be manageable. In organisations with hundreds or thousands of people, allowing business-critical communications and teamwork on WhatsApp is a seriously flawed approach. It puts an organisation at significant risk of security breaches and data theft.

Strong identity protects access to critical resources

Digital14 has developed secure and private digital workspace tools for collaboration among staff members inside and outside of an organisation, including the ability to send and receive emails, instant messages, video conferencing, coordinating tasks and the sharing of files – all of which third parties cannot intercept.

Truly secure and private communications require a secure-by-design approach that is enforced by its architecture. Digital14's KATIM® portfolio of apps provide robust solutions with 'true' security, manageability, and privacy, in a transparent manner, while preserving a great user experience. With KATIM®, IT admins can breathe easier, knowing that they have a security strategy in place that protects the company's messaging platform and users alike, reducing complexity, ensuring access and boosting the flexibility of mobile workers.

People are accustomed to authenticating themselves in their personal lives. Providers of online services like banking, gaming, social media, and email have all adopted mobile-based tools to authenticate their users when accessing their systems. KATIM® is meant to be part of an organisation's comprehensive strategy to improve security with more robust authentication methods.

KATIM® offers the highest level of user authentication with a strong Private Key Infrastructure-based (PKI) user identity model and Hardware Security Modules-based (HSM) certificates. With KATIM®, no one (not even Digital 14) will have access to any of your organisation’s communications. Contact us at Digital14 for a demo. Let us validate your secure communications assumptions and make the necessary enhancements to ensure that trust can be maintained before it is broken.

We Are Digital14

Connect with us

© Digital14. All rights reserved.