Corporate data is a valuable asset that is worth millions if compromised. Yet, many companies still rely on consumer apps for corporate communication, cloud storage and collaboration.
Consider your employees’ messaging apps. What are they using? According to 2015 statistics, the most widespread instant messaging apps worldwide are WhatsApp with 800+ million users, Facebook Messenger with 700 million, QQ Mobile with 603 million, WeChat with 600 million and Skype with 300 million, followed by Google Hangouts, Viber, Line and BBM. Their user bases overlap: many WhatsApp users also use another messenger such as Snapchat, and 7 in 10 Snapchat users also use one of the mainstream chat apps like WhatsApp, Facebook Messenger or Skype.
And yet the mainstream chat apps have had their security called into question more than once, both through their involvement in government surveillance programs and through scrutiny by privacy watchdogs. One such investigation was conducted by the Electronic Frontier Foundation in collaboration with Julia Angwin of ProPublica and Joseph Bonneau of the Princeton Center for Information Technology Policy. They dubbed it the Campaign for Secure and Usable Crypto; it started in late 2014, continued throughout 2015 and is ongoing. They study the mainstream instant messaging apps and publish the results in an easily understandable scorecard table.
The mainstream apps have been analyzed according to the same seven criteria. They are as follows:
Is the communication encrypted in transit?
Communications should be encrypted both at rest and in transit. Nearly all chat apps have adopted transit encryption, many of them reluctantly and mostly to follow the trend, but who holds the keys? Hence the second criterion.
Does the chat app developer (provider) hold the encryption keys?
The developers of Hushmail, WhatsApp, BBM, Snapchat, Skype, Google Hangouts (with “off the record” chat), Facebook chat, Yahoo Messenger, AIM, Viber, Telegram, QQ and Kik do hold your encryption keys.
Can a user verify his correspondent’s identity?
The third criterion does not mean you are supposed to provide identity credentials when signing up for a service. It is about the ways you, as a user, can make sure the person on the other end of the line is who you think they are, rather than entrusting your communications to a possible impostor. An app passes if it has either a built-in interface that lets users view the hash (fingerprint) of their correspondent’s public key and verify it manually or out-of-band, or a key exchange protocol like the Socialist Millionaire’s Protocol, or any other solution that answers the need. The same mainstream apps fail this criterion: WhatsApp, Snapchat, Hangouts, Skype, iMessage, Facebook chat, Yahoo Messenger, Viber, Telegram, AIM and others.
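The manual, out-of-band fingerprint check described above, as an added example that is not from the original post or from any of the apps it names. The public keys are constructed placeholder byte strings and the fingerprint format (truncated SHA-256 in groups of four hex digits) is an assumption, not a particular app’s scheme; the point is that a key substituted by a man-in-the-middle yields a fingerprint that no longer matches the one the real correspondent reads out over a second channel.

```python
import hashlib
import hmac

# Constructed sample public keys (raw bytes stand in for real RSA/X25519 keys).
BOB_PUB = bytes.fromhex("22" * 32)
IMPOSTOR_PUB = bytes.fromhex("33" * 32)  # key an attacker would substitute

def fingerprint(public_key: bytes) -> str:
    """Human-comparable digest of a public key: first 40 hex digits of
    SHA-256, grouped in fours so it can be read aloud or compared on screen."""
    digest = hashlib.sha256(public_key).hexdigest()[:40]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def verify_out_of_band(displayed: str, read_aloud: str) -> bool:
    """Compare the fingerprint the app displays with the one the correspondent
    reads over a separate channel (phone call, in person). Spacing and case
    are normalised so transcription differences do not cause false alarms;
    the comparison itself is constant-time."""
    def norm(s: str) -> str:
        return "".join(s.split()).lower()
    return hmac.compare_digest(norm(displayed), norm(read_aloud))

def check_correspondent(key_from_server: bytes, true_key: bytes) -> bool:
    """The server hands us some key for 'Bob'; Bob tells us his real
    fingerprint out of band. Only a match means we are really talking to Bob."""
    shown = fingerprint(key_from_server)
    spoken = fingerprint(true_key)
    return verify_out_of_band(shown, spoken)

if __name__ == "__main__":
    print("genuine key :", check_correspondent(BOB_PUB, BOB_PUB))        # True
    print("swapped key :", check_correspondent(IMPOSTOR_PUB, BOB_PUB))   # False
```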
Are your communications secure if your keys get stolen?
What happens to your chat history if your password is stolen or lost is another painful item on the list. Ideally, if your communications need to be secure, you should be using self-destructing messages and emails so that nothing remains in the cloud, locally on your device, or on your recipient’s device.
Again, none of the most popular messengers provides the “forward secrecy” that would ensure past keys can’t be reconstructed and that messages a user chooses to delete cannot be restored. Once again, WhatsApp, Snapchat, Skype, Google Hangouts, Facebook chat, Yahoo Messenger, Viber, Telegram and a bunch of others get a red flag from the EFF researchers.
Can independent researchers review the code?
iMessage, Skype, Snapchat, WhatsApp, BBM, FaceTime, Hushmail, QQ, Threema, Wickr, AIM and Yahoo Messenger get a red mark here.
How well is the crypto design documented?
This criterion requires the developers to publish clear and detailed documentation of the cryptography used in their apps so that security researchers can analyze it: the algorithms; key generation, storage and exchange; a statement of the properties and protections the app aims to provide; and so on. Most importantly, the statement must include a clear description of the scenarios in which the implemented protocol is not secure. Last verse, same as the first: Skype, WhatsApp, Snapchat, BBM, Hushmail, Kik, QQ, Viber, Yahoo Messenger, Facebook Chat and Google Hangouts do not offer such documentation.
Has the app undergone an independent security audit?
EFF requires an independent security audit, covering both the design and the implementation of the app, to have been performed within the 12 months before their evaluation. The auditor must be independent of the tool’s development team. Skype, Hushmail, eBuddy, BBM, Yahoo Messenger, AIM, Viber, Kik and some other noteworthy tools like PGP have not undergone such an audit in a while.
So, what is the main takeaway from the research? The study launched in 2014, and by the end of 2015 little had changed for the mainstream apps, which brings us to the logical conclusion: consumer apps aren’t fit for handling corporate communication, which is often sensitive and confidential.
A robust communication platform for chat, email, calls, collaboration and file storage, encrypted with strong 256-bit AES and 2048-bit RSA key cryptography, is the way to go, and that is what FortKnoxster offers.
Join FortKnoxster and start protecting your online privacy.
Visit our Facebook page and Twitter page for more inspiration.