Personally identifiable information (PII) within corporations is worth millions. This data is even more valuable to malicious actors. I’ve noticed that a majority of corporations rely on consumer apps for communication, cloud storage, and collaboration. Have you ever considered the messaging apps that people in corporations use? According to some statistics in 2017, the biggest instant messaging apps in the world are WhatsApp and Facebook with 1 billion users, QQ Mobile and WeChat with 800 million users, and Skype with 300 million users. Hangouts, Viber, Line, and BBM follow. Lots of users are on multiple platforms as well. In fact, 7 in 10 Snapchat users definitely use another mainstream chat app.
Mainstream applications have been compromised more than once—some through affiliation with government surveillance programs and others through the inspection of privacy watchdogs.
One investigation was conducted by the Electronic Frontier Foundation in collaboration with Julia Angwin of ProPublica and Joseph Bonneau of the Princeton Center for Information Technology Policy. They dubbed it a “Campaign for Secure and Usable Crypto”, a project which started in late 2014 and has continued every year. The EFF, Angwin, and Bonneau study mainstream instant messaging apps and publish their results in an easy-to-understand scorecard table.
The applications have been analyzed according to the same seven criteria. They are as follows:
- Is the message encrypted in transit?
- Do the developers hold the encryption keys?
- Can a user verify identities?
- If your key is stolen, are your chat messages still secure?
- Can people research and view the source code?
- How well is the encryption method documented?
- Has the application gone through a security audit?
What can we take away from all of this research? Obviously, we can see that many of these mainstream messaging apps are insecure. Additionally, we can see how the study hasn’t made these apps much more secure. This proves that such apps aren’t fit for handling corporate communications, which are often very sensitive.
Corporations need a robust communication platform for chat, emails, calls, collaboration and file storage that’s encrypted with strong AES-256 with ChaCha20 at minimum and RSA 4096-bit key cryptography. This ensures that messages are sent through secure channels, free from malicious third parties.