Teleworking and the security risks of freemium messaging apps

Adam Such, President and Chief Operating Officer, Communication Security Group

Adam Such, President and Chief Operating Officer, Communication Security Group

Teleworking and the security risks of freemium messaging apps

COVID-19 is leading an ever-increasing proportion of the workforce to telecommute from home, and many of those employees are being pushed towards using freemium messaging apps for work related communications. With articles such as “A guide to use WhatsApp while working from home” in The Economic Times, and limited enterprise approved and managed alternatives, it’s doubtful this will change in the short-term. However, this trend should raise red flags for CTOs and IT departments around the world.

As a follow up to my recent article highlighting the unsuitability of freemium messaging apps for the enterprise, I will break down the issues with freemium consumer apps into three principle categories:

1. Security

Because freemium messaging apps are offered to any and all users there is always the question of who can acquire, access and employ encrypted messaging as an anonymous user. Andersen Cheng, the chief executive of cryptography company Post Quantum, reports he pulled his own messaging app when he discovered it appeared on an Islamic State recommended apps list. Just today the tragic story broke about a South Korean sexual abuse/blackmail ring operated on the Telegram messaging app.

While bad actors continue to be able to access and use a platform anonymously, you can be assured the law enforcement and intelligence communities will consider breaking that app a priority – hence an exchange using such apps can be compared to having a public conversation in terms of the privacy they offer.

Although many freemium messaging apps claim to offer a high level of protection with end-to-end encryption, not all encryption is created equal and they rarely provide trusted-source certification and assurance. As cybersecurity journalist Zak Doffman explains in Forbes, “When attackers are looking for new vulnerabilities, a ubiquitous app—like WhatsApp or Facebook—provides a likely access point onto most phones if an exploit can be found.”

Just within the last six months, evidence of this is not hard to find, with prominent headlines such as Wired’s “How Hackers Broke WhatsApp With Just a Phone Call”. WhatsApp themselves are currently suing Israeli surveillance contractor NSO Group, alleging they are responsible for attacks on 1,400 WhatsApp users, including diplomats and activists.

Other vulnerabilities have included a flaw that could allow hackers to alter and manipulate messages, giving them "immense power to create and spread misinformation from what appear to be trusted sources". According to cybersecurity company Check Point, there are even “app killing” messages that can take a user offline and make it difficult for them to recover data.

2. Data gathering and sharing

Compelling though these numerous flaws and vulnerabilities may be, focusing on them can mean missing the big picture. When the app is free, the user is the product.

“We’re not asking the right question [when we talk about encryption],” says Andersen Cheng. “In the intelligence world sometimes metadata is more important.” As I’ve mentioned in previous articles, a great example of this issue can be found in WhatsApp’s own data gathering, sharing and privacy policies. These policies clearly identify the scope of data they access, how they use it, with whom they share it, and who, ultimately has control over it.

Without even being hacked, up for grabs are your phone number, profile name and photo, online status and status message, last seen status, e-mail, device data, operating system information, browser information, IP address, location data, information from third party services that are integrated with WhatsApp, who is messaging you, calling you and which groups you belong to. In some cases, group chats have even been visible via Google and other search engines.

Such issues are of course not limited to WhatsApp; Telegram has recently generated headlines such as “Why Telegram isn’t as secure as you think” and has been accused of exposing crucial metadata, with researchers at MIT claiming that hackers could pinpoint down to the second when a user goes on and offline.

Anyone using WhatsApp or other freemium products gives their consent for this data collection when you sign up. The most obvious risk element is from bad actors, as personal, account, location and device information can be used to build a profile of an individual or a group. But perhaps a more significant question is how much you trust companies like Google and Facebook with your business’ sensitive information? Earlier this month the Office of the Australian Information Commissioner started legal proceedings about Facebook’s relationship with political research firm Cambridge Analytica, alleging Facebook had seriously and repeatedly contravened privacy law by exposing users’ data. 

Angelene Falk, Australia’s information and privacy commissioner stated “We claim these actions left the personal data of around 311,127 Australian Facebook users to be sold and used for purposes including political profiling, well outside user’s expectations.” 

3. Control

Consumer messaging apps represent a shadow IT network within the enterprise, taking control out of management’s hands. Such freemium apps offer no oversight, central control, auditing or archiving in line with regulatory needs, and cannot integrate with existing IT infrastructure. For these reasons, leading analysts state that the total cost of purchasing and implementing an enterprise-grade solution is not as high as having to make a consumer solution work in specific enterprise scenarios.”

The conclusion for any enterprise then must be to ensure their team is enabled with, and their organization protected by an enterprise ready solution that is up to the task. Cellcrypt offers the highest level of end-to-end, certified encryption for voice, messaging, conference calling and attachments. It also integrates with existing IT infrastructure, with mobile and desktop clients and offers optional add-ons ranging from regulatory compliance auditing to private stacks that provide full management control and secure gateways for PBX extensions.

We are also proud to be supporting businesses affected by the coronavirus, with unparalleled discounts on licenses and full enterprise solutions. Businesses needing to transition to telework will be able to employ Cellcrypt rapidly to lessen the strain, costs, and vulnerabilities during this emergency. Cellcrypt is enterprise ready, providing secure end-to-end encryption across existing hardware and we only provide to verified commercial and government enterprises to ensure the tool is only put in the right hands. Please visit our specially set up page for more information,  to learn more about how Cellcrypt is contributing our military-grade business solutions during this public health crisis.